[keycloak-user] Keycloak Google IDP Broken & won't be fixed!

Nick Powers sshscp at gmail.com
Thu Jul 25 20:34:40 EDT 2019


It worked!  With that enabled, I was able to retrieve the Google refresh
token using:

GET /auth/realms/{realm}/broker/{provider_alias}/token
Authorization: Bearer {keycloak_access_token}

Thank you sooo much!  Now I feel bad for getting pissy, but I had pretty
much given up on Keycloak at that point.  Please everyone ignore my
original post.  Although it is undocumented it works exactly as Pedro has
described.

Thanks again!

Nick :)


On Thu, Jul 25, 2019 at 3:43 PM Nick Powers <sshscp at gmail.com> wrote:

> Thanks for responding Pedro!  I will try it with that enabled and see if
> that helps.  It does look promising! :)  I'll update once I have tested it.
>
> Thanks again! :)
>
> Nick
>
> On Thu, Jul 25, 2019 at 3:30 PM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Hi Nick,
>>
>> Let's try to revert this. We are always trying to do our best to help
>> people as much as we can.
>>
>> The documentation [1] does not seem to be updated but there is a "Request
>> refresh token" switch in the Google Identity Provider that when enabled
>> makes an offline request (access_type=offline as a query param).
>>
>> Did you try it out? The related issue is
>> https://issues.jboss.org/browse/KEYCLOAK-6614.
>>
>> Please let me know if you have issues using it. Or maybe you are facing
>> some other issue that is blocking you from using this functionality.
>>
>> [1] https://www.keycloak.org/docs/latest/server_admin/index.html#google
>>
>> Regards.
>> Pedro Igor
>>
>> On Thu, Jul 25, 2019 at 3:35 PM Nick Powers <sshscp at gmail.com> wrote:
>>
>>> I ran into an issue with Google IDP & Keycloak, where offline access
>>> cannot be requested and therefore refresh tokens cannot be received
>>> from Google.
>>>
>>> I then started researching to see if this problem has been previously
>>> identified and resolved.  Although I did find many people identifying
>>> the problem who were looking for an answer in both this mailing list
>>> and in the keycloak dev mailing list, there were no solutions in any of
>>> those messages.  These questions spanned 4 years, and yet Google IDP
>>> remains broken.
>>>
>>> When the question is posed to the user group the messages are either
>>> not answered at all or don't provide any solutions.  In the Keycloak
>>> dev mailing list it is discussed but in general they are dismissed,
>>> along the line of "Why would you need to use offline access?"
>>> dismissing it as a useless feature.  This is a difficult answer to
>>> swallow if you need to use Google offline access with Keycloak.
>>> Especially when all it would take is to add "access_type=offline" to
>>> the Google auth URL.  To be absolutely clear the devs could easily fix
>>> this, they just don't want to.
>>>
>>> So, if you have found this message, now or in the future, hoping to
>>> find a way to obtain refresh tokens from Google using Keycloak all I
>>> can do is try and spare you any more time wasted on this pursuit.
>>> Keycloak does NOT support offline access for Google IDP and therefore
>>> you cannot receive refresh tokens from Google with Keycloak, and
>>> chances are that it will NEVER support it.
>>>
>>> I wish I was wrong but it doesn't appear that way.
>>>
>>> Good Luck!
>>>
>>> Nick
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
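
The retrieval request described at the top of this thread, as an added Python example that is not part of the original messages or of Keycloak's own code. The host, realm and alias values are hypothetical, and the JSON body shape (an OAuth 2.0 token response) is an assumption; the sample body is constructed.

```python
import json
import urllib.parse
import urllib.request

# Fields that must never reach logs: each one is a usable credential.
SECRET_FIELDS = {"access_token", "refresh_token", "id_token"}


def broker_token_request(base_url, realm, provider_alias, keycloak_access_token):
    """Build (without sending) the GET request quoted in the thread."""
    path = "/auth/realms/{}/broker/{}/token".format(
        urllib.parse.quote(realm, safe=""),
        urllib.parse.quote(provider_alias, safe=""),
    )
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Bearer " + keycloak_access_token},
        method="GET",
    )


def parse_broker_token(body):
    """Return the stored token as a dict; fail loudly if no refresh token."""
    token = json.loads(body)
    if not token.get("refresh_token"):
        raise ValueError(
            "no refresh_token in broker response; check that 'Request refresh "
            "token' is enabled on the Google identity provider"
        )
    return token


def redact(token):
    """Copy of the token that is safe to log: secret values are masked."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in token.items()}


# Constructed sample body (not real tokens), shaped like an OAuth 2.0 token response.
SAMPLE_BODY = json.dumps({
    "access_token": "constructed-access-token",
    "expires_in": 3599,
    "refresh_token": "constructed-refresh-token",
    "scope": "openid email profile",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    req = broker_token_request("https://keycloak.example.test", "demo", "google", "kc-token")
    print(req.get_method(), req.full_url)  # send with urllib.request.urlopen(req)
    print(redact(parse_broker_token(SAMPLE_BODY)))
```

The Google refresh token stays valid long after the Keycloak access token expires, so store it encrypted and log only the redacted form.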

