[keycloak-dev] Google ID Broken & Devs do not care

Nick Powers sshscp at gmail.com
Fri Jul 26 12:37:28 EDT 2019


Yes,  I received a response to a message in the user mailing list that
identified where I needed to enable it.  Please ignore my original email on
this as I was able to enable this by turning on Request refresh token in
the IDP configuration in the Keycloak GUI.  This is currently an
undocumented feature.  Hopefully it will make it into the documentation
soon.

I apologize for the harshness of my original email; I was just at my wits'
end.  I would have responded to this sooner but I don't know how I can
respond to my own messages in this mailing list, since I do not receive my
own message in my inbox.

Thanks,

Nick

On Fri, Jul 26, 2019 at 9:47 AM Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> Hello Nick,
>
> "All it would take is to add "access_type=offline" to the Google auth URL
> and yet still it is broken, they just don't care enough to do even that
> simple task."
>
> isn't this already implemented?
> See:
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java#L106
>
>
> What's missing?
>
> Cheers,
> Thomas
>
> On Thu, 25 Jul 2019 at 21:40, Nick Powers <sshscp at gmail.com> wrote:
>
>> I have wasted so much time deploying Keycloak to only learn in the end
>> that it doesn't support Google offline access and thus cannot retrieve Google
>> refresh tokens.  I am not alone, there are many messages in both the
>> Keycloak user and dev mailing lists discussing the lack of offline access
>> for Google IDP on Keycloak.
>>
>> When this comes up in the user mailing list the messages are generally not
>> responded to.  Which makes sense since there is not a working solution to
>> receive Google refresh tokens using Keycloak's Google IDP solution.  It is
>> broken and thus the users cannot provide a solution.
>>
>> When this comes up in this (the dev) mailing list, it is again ignored or
>> it is debated but ends up with the same sentiment, that offline access /
>> refresh tokens from Google IDP is not a worthwhile feature.  I found many
>> messages in the dev mailing list, spanning from 4 years ago to current
>> identifying this issue and yet it remains unfixed.  All it would take is
>> to add "access_type=offline" to the Google auth URL and yet still it is
>> broken, they just don't care enough to do even that simple task.  They
>> think that it is silly that anyone would need a Google refresh token.
>>
>> I found the code segment that related to Google offline access in Keycloak
>> and there was a comment that identified an email address of the person who
>> wrote that section of code.  It was a Red Hat email, from a regular user on
>> this mailing list.  I reached out to him and his response was that he had
>> no time to respond to my query and that Red Hat does not support Keycloak.
>> Maybe don't put your email into code you don't want to get queries on? So,
>> if Red Hat is not supporting their own project, in any regard, and the
>> devs have no intention of fixing this bug the assumption is that Google IDP
>> will never be fixed.
>>
>> If you landed on this message, now or in the future, in hopes of finding a
>> solution to get Google refresh tokens from Keycloak IDP all I can do is
>> try to save you some time and say that Google IDP on Keycloak is currently
>> broken in that regard and if the past is any indication the devs have no
>> intention of fixing the code to allow that access.
>>
>> If any devs on this list disagree with this message then please let me
>> know what I have missed and point me in the direction of a solution for this
>> issue....... I didn't think so.
>>
>> :(
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>

