[keycloak-dev] Allow access_type parameter to be sent to Google Identity Provider

Francesco Degrassi francesco.degrassi at optionfactory.net
Tue Mar 12 06:19:39 EDT 2019


Hello,
we're testing Keycloak with Google as a social identity provider and using
the token exchange functionality to get access to the IDP access token.
I noticed that Google requires the access_type parameter to be set to
"offline" in the call to the authorization endpoint to release a refresh
token, but there is no easy way to do this in Keycloak; configuring a
generic OIDC identity provider allows me to configure access_type as a
forwarded parameter, but no such option exists using GoogleIdentityProvider.

I have a patch that (a) modifies GoogleIdentityProviderConfig and overrides
getForwardedParameters() to add "access_type" to the returned values.

Other options I considered include (b) changing the UI to allow
configuring the forwarded parameters for GoogleIdentityProvider (since it
extends OidcIdentityProvider) or (c) adding a boolean configuration option to
GoogleIdentityProviderConfig to allow/disallow forwarding the parameter or
(d) adding a boolean configuration option to GoogleIdentityProviderConfig to
set "access_type" to "offline" if checked.

Which would be the preferred route? Would a pull request be accepted?
Cheers.

*Francesco Degrassi*
Tech Lead
+39 329 4128 422
*OptionFactory <http://www.optionfactory.net/>*
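
The difference between options (a) and (d) above, modelled as an added example that is not part of the original message and is not Keycloak code: a broker copies a client-supplied parameter to the upstream authorization URL only if it is on an allow-list, or pins the value itself. The class and method names, the client id and the example.test hostnames are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added illustration: a stand-alone model of forwarded-parameter handling,
// not Keycloak code. All names and values here are hypothetical.
public class ForwardedParamsDemo {

    // Builds the upstream authorization URL. Broker-owned parameters are fixed;
    // a client-supplied parameter is copied only if it is on the allow-list
    // and does not collide with a broker-owned one.
    static String buildAuthUrl(String endpoint, Map<String, String> brokerParams,
                               Set<String> forwardable, Map<String, String> clientParams) {
        Map<String, String> query = new LinkedHashMap<>(brokerParams);
        for (Map.Entry<String, String> e : clientParams.entrySet()) {
            if (forwardable.contains(e.getKey())) {
                query.putIfAbsent(e.getKey(), e.getValue());
            }
        }
        StringBuilder url = new StringBuilder(endpoint);
        char sep = '?';
        for (Map.Entry<String, String> e : query.entrySet()) {
            url.append(sep).append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
               .append('=').append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return url.toString();
    }

    public static void main(String[] args) {
        String endpoint = "https://accounts.google.com/o/oauth2/v2/auth";
        Map<String, String> broker = new LinkedHashMap<>();
        broker.put("client_id", "constructed-client-id");
        broker.put("redirect_uri", "https://sso.example.test/broker/google/endpoint");
        broker.put("response_type", "code");
        broker.put("scope", "openid email");
        // Constructed client request: one parameter we want, one that must not be forwarded.
        Map<String, String> client = new LinkedHashMap<>();
        client.put("access_type", "offline");
        client.put("redirect_uri", "https://other.example.test/cb");
        // Option (a): the client decides, limited by the allow-list.
        System.out.println(buildAuthUrl(endpoint, broker, Set.of("access_type"), client));
        // Option (d): the broker pins the value; nothing is forwarded.
        broker.put("access_type", "offline");
        System.out.println(buildAuthUrl(endpoint, broker, Set.of(), client));
    }
}
```

Both calls print a URL ending in `access_type=offline` with the broker's own `redirect_uri`; the client-supplied `redirect_uri` is dropped in each case because it is not on the allow-list.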