Losing refresh token with Google Identity Provider #25815
Comments
…lity @geoffreyfourmis issue resolved Losing refresh token with Google Identity Provider keycloak#25815
After looking at the code and doing more tests I can provide a little bit more information about this issue. After first login using google and while keycloak still has the google refresh token I can call this endpoint without issue. Even after 1 hour the token is well refreshed by keycloak without losing the google refresh token:

```java
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

// Token-exchange request: trade the Keycloak access token for the Google token stored for this user
String baseUrl = keycloakUrl + "/protocol/openid-connect/token";
MultiValueMap<String, String> requestBody = new LinkedMultiValueMap<>();
requestBody.add("client_id", keycloakClientId);
requestBody.add("client_secret", keycloakClientSecret);
requestBody.add("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange");
requestBody.add("subject_token_type", "urn:ietf:params:oauth:token-type:access_token");
requestBody.add("subject_token", accessToken);
requestBody.add("requested_issuer", "google");
```

But if I logout from my app and I log in again using google the refresh token is lost forever. This feature is used to sync calendar between my app and the user's google agenda. If someone can provide me with some information about where to look I may be able to fix it but right now it seems too complicated for me.
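A complete client for the token-exchange call described in the comment above, added here as an example (it is not code from the issue author or from Keycloak). It assumes that `keycloakUrl` already contains the realm path, that token exchange and "Store Token" are enabled for the `google` identity provider, that the response is a standard OAuth 2.0 token JSON object, and it reads its settings from environment variables whose names are invented for the example. The `canRefreshOffline()` check flags the exact state the issue reports: Keycloak returning a Google access token but no refresh token after a second login.

```java
import java.util.Map;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

/**
 * Trades the caller's Keycloak access token for the Google token that Keycloak
 * stored at brokered login (urn:ietf:params:oauth:grant-type:token-exchange).
 * Assumptions (not from the issue): keycloakUrl includes the realm path,
 * e.g. https://kc.example.test/realms/myrealm; the google IdP has
 * "Store Token" enabled; the reply is a standard OAuth 2.0 token JSON object.
 */
public final class GoogleTokenExchange {

    /** Google tokens returned by Keycloak; refreshToken is null when none is stored. */
    public record ExternalToken(String accessToken, String refreshToken) {
        public boolean canRefreshOffline() {
            return refreshToken != null && !refreshToken.isBlank();
        }
    }

    private final RestTemplate rest;
    private final String keycloakUrl;
    private final String clientId;
    private final String clientSecret;

    public GoogleTokenExchange(RestTemplate rest, String keycloakUrl, String clientId, String clientSecret) {
        this.rest = rest;
        this.keycloakUrl = keycloakUrl;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    public ExternalToken exchangeForGoogle(String keycloakAccessToken) {
        // Same form fields as in the comment above.
        MultiValueMap<String, String> body = new LinkedMultiValueMap<>();
        body.add("client_id", clientId);
        body.add("client_secret", clientSecret);
        body.add("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange");
        body.add("subject_token_type", "urn:ietf:params:oauth:token-type:access_token");
        body.add("subject_token", keycloakAccessToken);
        body.add("requested_issuer", "google");

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);

        @SuppressWarnings("unchecked")
        Map<String, Object> json = rest.postForObject(
                keycloakUrl + "/protocol/openid-connect/token",
                new HttpEntity<>(body, headers),
                Map.class);

        if (json == null || !(json.get("access_token") instanceof String accessToken)) {
            throw new IllegalStateException("token exchange returned no access_token");
        }
        Object refresh = json.get("refresh_token");
        return new ExternalToken(accessToken, refresh instanceof String s ? s : null);
    }

    public static void main(String[] args) {
        // Environment variable names are invented for this example.
        GoogleTokenExchange exchange = new GoogleTokenExchange(
                new RestTemplate(),
                System.getenv("KEYCLOAK_URL"),
                System.getenv("KEYCLOAK_CLIENT_ID"),
                System.getenv("KEYCLOAK_CLIENT_SECRET"));
        ExternalToken token = exchange.exchangeForGoogle(args[0]);
        if (!token.canRefreshOffline()) {
            // The state the issue describes after a second Google login: calendar
            // sync will stop working once this Google access token expires.
            System.err.println("WARNING: Keycloak holds no Google refresh token for this user");
        }
    }
}
```

Run it with the user's current Keycloak access token as the only argument; a warning on stderr means the stored Google token has lost its `refresh_token`, which is the condition worth alerting on in the application rather than discovering an hour later when the calendar sync fails.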
A little more digging on the code.

```java
// Keep the previously stored refresh token when the new response does not carry one
if (newResponse.getRefreshToken() == null && tokenResponse.getRefreshToken() != null) {
    newResponse.setRefreshToken(tokenResponse.getRefreshToken());
    newResponse.setRefreshExpiresIn(tokenResponse.getRefreshExpiresIn());
}
```

I think the same should be done in IdentityBrokerService.updateToken(). I may be able to make a PR
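The following is an added example (not Keycloak's `IdentityBrokerService` and not code from the issue author) that models the sequence the issue describes. `FederatedIdentityStore` is an invented in-memory stand-in for the `federated_identity` table, and `updateToken()` applies the same condition as the snippet above, so a second Google login that returns only an access token keeps the refresh token stored at first login, while a genuinely new refresh token still replaces the old one. The token values are constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

/**
 * Models the refresh-token loss discussed in the issue and the proposed fix.
 * FederatedIdentityStore is an invented stand-in for Keycloak's
 * federated_identity table (the real table holds the raw token JSON per row).
 */
public final class RefreshTokenPreservation {

    /** Minimal view of an OAuth 2.0 token response; refreshToken may be null. */
    public record TokenResponse(String accessToken, String refreshToken, Long refreshExpiresIn) {}

    public static final class FederatedIdentityStore {
        private final Map<String, TokenResponse> tokens = new HashMap<>();

        private static String key(String userId, String provider) {
            return userId + "@" + provider;
        }

        /** Store a fresh token, carrying over a stored refresh token the new response lacks. */
        public void updateToken(String userId, String provider, TokenResponse fresh) {
            Objects.requireNonNull(fresh, "fresh");
            TokenResponse stored = tokens.get(key(userId, provider));
            tokens.put(key(userId, provider), merge(stored, fresh));
        }

        public TokenResponse get(String userId, String provider) {
            return tokens.get(key(userId, provider));
        }
    }

    /** Same condition as the snippet in the comment: only fill in what the new response is missing. */
    static TokenResponse merge(TokenResponse stored, TokenResponse fresh) {
        if (stored != null && fresh.refreshToken() == null && stored.refreshToken() != null) {
            return new TokenResponse(fresh.accessToken(), stored.refreshToken(), stored.refreshExpiresIn());
        }
        return fresh; // a new refresh token, when present, always replaces the old one
    }

    public static void main(String[] args) {
        FederatedIdentityStore store = new FederatedIdentityStore();
        String user = "user-1"; // constructed sample values throughout

        // 1. First login: Google issues a refresh token (only on first consent).
        store.updateToken(user, "google", new TokenResponse("ga-1", "gr-1", null));

        // 2. Second login: Google returns an access token only. Without the merge
        //    this overwrite is where the refresh token was being lost.
        store.updateToken(user, "google", new TokenResponse("ga-2", null, null));
        TokenResponse afterRelogin = store.get(user, "google");
        System.out.println("after re-login: access=" + afterRelogin.accessToken()
                + " refresh=" + afterRelogin.refreshToken());

        // 3. User removed and re-authorised the app: a new refresh token replaces the old one.
        store.updateToken(user, "google", new TokenResponse("ga-3", "gr-3", null));
        System.out.println("after re-consent: refresh=" + store.get(user, "google").refreshToken());
    }
}
```

The merge deliberately does not touch `refreshExpiresIn` when a new refresh token arrives, and it only copies the stored refresh token when the new response has none; any rule broader than that would risk keeping a refresh token that the provider has in fact rotated.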
…ntity Signed-off-by: Geoffrey Fourmis <geoffrey.fourmis@gmail.com>
Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment. If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue.
Before reporting an issue

Area
identity-brokering

Describe the bug
This issue relates to user authentication using the google identity provider with Request refresh token and Store Token activated. As stated in the google documentation, they deliver a refresh token only once, at the first user connection.
At that time it is well stored by keycloak in the federated_identity table. But at the second user login the refresh token is not preserved and is replaced with the newly obtained json containing only the access token.
This is annoying because the only way to get the refresh token back is to ask the user to remove the app from his google account!

Version
23.0.3

Expected behavior
Refresh token should be preserved across user connections

Actual behavior
Refresh token is lost after second login

How to Reproduce?
Request refresh token and Store Token activated. You can see the refresh token in the federated_identity table.

Anything else?
No response