[keycloak-user] Keycloak Google IDP Broken & won't be fixed!

Pedro Igor Silva psilva at redhat.com
Fri Jul 26 07:43:07 EDT 2019


Hi Nick,

Glad it worked. No worries!

Regards.
Pedro Igor

On Thu, Jul 25, 2019 at 9:34 PM Nick Powers <sshscp at gmail.com> wrote:

> It worked!  With that enabled, I was able to retrieve the Google refresh
> token using:
>
> GET /auth/realms/{realm}/broker/{provider_alias}/token
> Authorization: Bearer {keycloak_access_token}
>
> Thank you sooo much!  Now I feel bad for getting pissy, but I had pretty
> much given up on Keycloak at that point.  Please everyone ignore my
> original post.  Although it is undocumented it works exactly as Pedro has
> described.
>
> Thanks again!
>
> Nick :)
>
>
> On Thu, Jul 25, 2019 at 3:43 PM Nick Powers <sshscp at gmail.com> wrote:
>
>> Thanks for responding Pedro!  I will try it with that enabled and see if
>> that helps.  It does look promising! :)  I'll update once I have tested it.
>>
>> Thanks again! :)
>>
>> Nick
>>
>> On Thu, Jul 25, 2019 at 3:30 PM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi Nick,
>>>
>>> Let's try to revert this. We are always trying to do our best to help
>>> people as much as we can.
>>>
>>> The documentation [1] does not seem to be updated but there is a
>>> "Request refresh token" switch in the Google Identity Provider that when
>>> enabled makes an offline request (access_type=offline as a query param).
>>>
>>> Did you try it out? The related issue is
>>> https://issues.jboss.org/browse/KEYCLOAK-6614.
>>>
>>> Please let me know if you have issues using it. Or maybe you are facing
>>> some other issue that is blocking you from using this functionality.
>>>
>>> [1] https://www.keycloak.org/docs/latest/server_admin/index.html#google
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Thu, Jul 25, 2019 at 3:35 PM Nick Powers <sshscp at gmail.com> wrote:
>>>
>>>> I ran into an issue with Google IDP & Keycloak, where offline access
>>>> cannot be requested and therefore refresh tokens cannot be received from
>>>> Google.
>>>>
>>>> I then started researching to see if this problem has been previously
>>>> identified and resolved.  Although I did find many people identifying
>>>> the problem who were looking for an answer in both this mailing list
>>>> and in the keycloak dev mailing list, there were no solutions in any of
>>>> those messages.  These questions spanned 4 years, and yet Google IDP
>>>> remains broken.
>>>>
>>>> When the question is posed to the user group the messages are either not
>>>> answered at all or don't provide any solutions.  In the Keycloak dev
>>>> mailing list it is discussed but in general they are dismissed, along
>>>> the line of "Why would you need to use offline access?" dismissing it as
>>>> a useless feature.  This is a difficult answer to swallow if you need to
>>>> use Google offline access with Keycloak.  Especially when all it would
>>>> take is to add "access_type=offline" to the Google auth URL.  To be
>>>> absolutely clear the devs could easily fix this, they just don't want to.
>>>>
>>>> So, if you have found this message, now or in the future, hoping to
>>>> find a way to obtain refresh tokens from Google using Keycloak all I can
>>>> do is try and spare you any more time wasted on this pursuit.  Keycloak
>>>> does NOT support offline access for Google IDP and therefore you cannot
>>>> receive refresh tokens from Google with Keycloak, and chances are that it
>>>> will NEVER support it.
>>>>
>>>> I wish I was wrong but it doesn't appear that way.
>>>>
>>>> Good Luck!
>>>>
>>>> Nick
>>>
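
The two checks discussed in this thread, as an added example that is not part of the original messages or Keycloak's own code: confirm that the redirect to Google carries access_type=offline, build the broker token request, and report whether a refresh token came back without echoing it. The host name, realm, alias, token placeholders and the JSON response shape are constructed assumptions.

```python
import json
import urllib.request
from urllib.parse import urlsplit, parse_qs, quote

# Constructed sample redirects to Google, with and without the offline request.
AUTH_URL_OFFLINE = ("https://accounts.google.com/o/oauth2/v2/auth"
                    "?client_id=example&response_type=code&scope=openid"
                    "&access_type=offline")
AUTH_URL_ONLINE = ("https://accounts.google.com/o/oauth2/v2/auth"
                   "?client_id=example&response_type=code&scope=openid")

# Constructed broker response; the field names are an assumed token-response shape.
SAMPLE_BODY = json.dumps({
    "access_token": "google-access-placeholder",
    "refresh_token": "google-refresh-placeholder",
    "expires_in": 3599,
    "token_type": "Bearer",
})


def requests_offline_access(google_auth_url):
    """True if the redirect sent to Google carries access_type=offline."""
    query = parse_qs(urlsplit(google_auth_url).query)
    return query.get("access_type") == ["offline"]


def broker_token_request(base_url, realm, provider_alias, keycloak_access_token):
    """Build GET /auth/realms/{realm}/broker/{provider_alias}/token (not sent)."""
    url = "{}/auth/realms/{}/broker/{}/token".format(
        base_url.rstrip("/"), quote(realm, safe=""), quote(provider_alias, safe=""))
    return urllib.request.Request(
        url, method="GET",
        headers={"Authorization": "Bearer " + keycloak_access_token})


def summarize_broker_tokens(body):
    """Report which tokens are present; never return or log their values."""
    data = json.loads(body)
    return {
        "has_access_token": bool(data.get("access_token")),
        "has_refresh_token": bool(data.get("refresh_token")),
        "expires_in": data.get("expires_in"),
    }


if __name__ == "__main__":
    print(requests_offline_access(AUTH_URL_OFFLINE))
    print(summarize_broker_tokens(SAMPLE_BODY))
```

A Google refresh token is a long-lived credential, which is why the summary reports only its presence.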

