KEYCLOAK-6614: Support requesting refresh tokens from Google using access_type=offline

services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java

@@ -44,6 +44,8 @@ public class GoogleIdentityProvider extends OIDCIdentityProvider implements Soci
     public static final String DEFAULT_SCOPE = "openid profile email";
 
     private static final String OIDC_PARAMETER_HOSTED_DOMAINS = "hd";
+    private static final String OIDC_PARAMETER_ACCESS_TYPE = "access_type";
+    private static final String ACCESS_TYPE_OFFLINE = "offline";
 
     public GoogleIdentityProvider(KeycloakSession session, GoogleIdentityProviderConfig config) {
         super(session, config);
@@ -93,12 +95,17 @@ public class GoogleIdentityProvider extends OIDCIdentityProvider implements Soci
     @Override
     protected UriBuilder createAuthorizationUrl(AuthenticationRequest request) {
         UriBuilder uriBuilder = super.createAuthorizationUrl(request);
-        String hostedDomain = ((GoogleIdentityProviderConfig) getConfig()).getHostedDomain();
+        final GoogleIdentityProviderConfig googleConfig = (GoogleIdentityProviderConfig) getConfig();
+        String hostedDomain = googleConfig.getHostedDomain();
 
         if (hostedDomain != null) {
             uriBuilder.queryParam(OIDC_PARAMETER_HOSTED_DOMAINS, hostedDomain);
         }
-
+        
+        if (googleConfig.isOfflineAccess()) {
+            uriBuilder.queryParam(OIDC_PARAMETER_ACCESS_TYPE, ACCESS_TYPE_OFFLINE);
+        }
+        
         return uriBuilder;
     }
 

services/src/main/java/org/keycloak/social/google/GoogleIdentityProviderConfig.java

@@ -47,4 +47,12 @@ public class GoogleIdentityProviderConfig extends OIDCIdentityProviderConfig {
         getConfig().put("hostedDomain", hostedDomain);
     }
 
+    public boolean isOfflineAccess() {
+        String offlineAccess = getConfig().get("offlineAccess");
+        return offlineAccess == null ? false : Boolean.valueOf(offlineAccess);
+    }
+    
+    public void setOfflineAccess(boolean offlineAccess) {
+        getConfig().put("offlineAccess", String.valueOf(offlineAccess));
+    }
 }

themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties

@@ -541,6 +541,8 @@ disableUserInfo=Disable User Info
 identity-provider.disableUserInfo.tooltip=Disable usage of User Info service to obtain additional user information?  Default is to use this OIDC service.
 userIp=Use userIp Param
 identity-provider.google-userIp.tooltip=Set 'userIp' query parameter when invoking on Google's User Info service.  This will use the user's ip address.  Useful if Google is throttling access to the User Info service.
+offlineAccess=Request refresh token
+identity-provider.google-offlineAccess.tooltip=Set 'access_type' query parameter to 'offline' when redirecting to google authorization endpoint, to get a refresh token back. Useful if planning to use Token Exchange to retrieve Google token to access Google APIs when the user is not at the browser.
 hostedDomain=Hosted Domain
 identity-provider.google-hostedDomain.tooltip=Set 'hd' query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak validates that the returned identity token has a claim for this domain. When '*' is entered any hosted account can be used.
 sandbox=Target Sandbox

themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-google-ext.html

@@ -12,3 +12,10 @@
     </div>
     <kc-tooltip>{{:: 'identity-provider.google-userIp.tooltip' | translate}}</kc-tooltip>
 </div>
+<div class="form-group">
+    <label class="col-md-2 control-label" for="offlineAccess">{{:: 'offlineAccess' | translate}}</label>
+    <div class="col-md-6">
+        <input ng-model="identityProvider.config.offlineAccess" id="offlineAccess" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
+    </div>
+    <kc-tooltip>{{:: 'identity-provider.google-offlineAccess.tooltip' | translate}}</kc-tooltip>
+</div>