[keycloak-dev] Allow access_type parameter to be sent to Google Identity Provider

Marek Posolda mposolda at redhat.com
Tue Mar 12 09:16:03 EDT 2019 

Hi,

I already saw some request(s) in the past with regards to the 
GoogleIdentityProvider not provide same level of fine-grained 
configuration as the OIDC Identity provider. I think that generally it 
will be nice to remove this limitation(s) and hence allow some custom 
configurations to be done on the GoogleIdentityProvider as well.

So IMO the best would be the option (b) - just add the option to support 
forwarded parameters. This will probably allow best flexibility and 
hopefully the usability will be also fine.

Marek

On 12/03/2019 11:19, Francesco Degrassi wrote:
> Hello,
> we're testing Keycloak with Google as a social identity provider and using
> the token exchange functionality to get access to the IDP access token.
> I noticed that Google requires the access_type parameter to be set to
> "offline" in the call to the authorization endpoint to release a refresh
> token, but there is no easy way to do this in Keycloak; configuring a
> generic OIDC identity provider allows me to configure access_type as a
> forwarded parameter, but no such option exists using GoogleIdentityProvider.
>
> I have a patch that (a) modifies GoogleIdentityProviderConfig and overrides
> getForwardedParameters() to add "access_type" to the returned values.
>
> Other options I considered include (b) changing the UI to allow to
> configure the forwareded parameters for GoogleIdentityProvider (since it
> extends OidcIdentityProvider) or (c) add a boolean configuration option to
> GoogleIdentityProviderConfig to allow/disallow forwarding the parameter or
> (d) add a boolean configuration option to GoogleIdentityProviderConfig to
> set "access_type" to "offline" if checked.
>
> Which would be the preferred route? Would a pull request be accepted?
> Cheers.
>
> *Francesco Degrassi*
> Tech Lead
> +39 329 4128 422 <+39+329+4128+422>
> *OptionFactory <http://www.optionfactory.net/>*
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list