Description
Describe the bug
We're using GitHub (specifically a GitHub App) as an external IDP. We have configured GitHub to use expiring access tokens (good for 8 hours). When we want to get data from GitHub on behalf of the user, such as a list of repositories where the GitHub App is installed, we need a GitHub user-to-server access token.
We can retrieve these external IDP tokens from Keycloak via this endpoint.
Unfortunately, if it has been more than 8 hours, then the access token is expired and the request to GitHub will fail. If I use the refresh token (which is also returned from the endpoint above) to get new tokens from GitHub, this works once. I get a new access and refresh token, and I can make a request to GitHub with the access token. However, this expires the refresh token that Keycloak has. And there doesn't seem to be a way for me to give Keycloak the new access/refresh tokens that I've retrieved on behalf of the user.
Is this just an oversight? Is there any way to use GitHub as an external IDP with expiring access tokens?
Version
19.0.2
Expected behavior
- Keycloak refreshes tokens before returning them from `GET /realms/{realm}/broker/{provider_alias}/token` (provided the current `refresh_token` has not expired).
Actual behavior
Keycloak appears to just return the exact response that it originally received from GitHub, which is most likely an expired access token. If the refresh token is still good, it is worthless because using it will expire the one held in Keycloak.
How to Reproduce?
Use GitHub as an external IDP with expiring tokens and try to use the endpoint as described above.
Anything else?
No response
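The failure mode in this report, and the client-side workaround it forces, as an added example that is not part of the original issue and not Keycloak's or GitHub's own code. GitHub refresh tokens are single-use: exchanging one returns a new access/refresh pair and invalidates the old refresh token, which is exactly the copy Keycloak keeps serving from the broker endpoint. The script below runs entirely offline against a fake GitHub (rotating, single-use refresh tokens, 8-hour access tokens) and a fake Keycloak (returns the stored login response verbatim). It compares a naive client that re-reads the broker endpoint every time with a client that keeps the rotated pair itself. The URLs and JSON field names follow the real services; the class names, the `myrealm`/`github` realm and alias, the clock injection and all helper names are this example's own assumptions.

```python
import time
from typing import Callable, Dict, Optional

class FakeGitHub:
    """Constructed stand-in for github.com/login/oauth/access_token and the API."""
    ACCESS_TTL = 8 * 3600            # user-to-server token lifetime (8 h)
    REFRESH_TTL = 15897600           # refresh_token_expires_in reported by GitHub

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.valid_refresh: set = set()
        self.access_expiry: Dict[str, float] = {}
        self.counter = 0

    def issue(self) -> dict:
        """Mint an access/refresh pair shaped like GitHub's token response."""
        self.counter += 1
        access, refresh = f"ghu_{self.counter}", f"ghr_{self.counter}"
        self.valid_refresh.add(refresh)
        self.access_expiry[access] = self.clock() + self.ACCESS_TTL
        return {"access_token": access, "expires_in": self.ACCESS_TTL,
                "refresh_token": refresh, "refresh_token_expires_in": self.REFRESH_TTL,
                "token_type": "bearer", "scope": ""}

    def refresh(self, refresh_token: str) -> Optional[dict]:
        """grant_type=refresh_token: single use, old refresh token is consumed."""
        if refresh_token not in self.valid_refresh:
            return None              # GitHub answers error=bad_refresh_token
        self.valid_refresh.discard(refresh_token)
        return self.issue()

    def api_ok(self, access_token: str) -> bool:
        """True if a call to api.github.com with this token would succeed."""
        return self.clock() < self.access_expiry.get(access_token, 0.0)

class FakeKeycloak:
    """Stores GitHub's response at login; the broker endpoint returns it verbatim."""
    def __init__(self, raw: dict):
        self.raw = raw

    def broker_token(self, realm: str, alias: str) -> dict:
        # GET /realms/{realm}/broker/{alias}/token (caller's session is implicit)
        return dict(self.raw)

class RotatingTokenClient:
    """Keeps the rotated GitHub pair per user, since Keycloak cannot be updated."""
    def __init__(self, kc: FakeKeycloak, gh: FakeGitHub, clock=time.time):
        self.kc, self.gh, self.clock = kc, gh, clock
        self.cache: Dict[str, dict] = {}   # user -> {"access", "refresh", "expires_at"}

    def _refresh(self, user: str, refresh: str) -> str:
        new = self.gh.refresh(refresh)
        if new is None:
            raise RuntimeError("refresh token already consumed")
        self.cache[user] = {"access": new["access_token"], "refresh": new["refresh_token"],
                            "expires_at": self.clock() + new["expires_in"]}
        return new["access_token"]

    def access_token(self, user: str) -> str:
        entry = self.cache.get(user)
        if entry is None:
            raw = self.kc.broker_token("myrealm", "github")
            # Keycloak does not record when it received the response, so the
            # age of its access token is unknown: probe it with a live call.
            if self.gh.api_ok(raw["access_token"]):
                return raw["access_token"]
            return self._refresh(user, raw["refresh_token"])
        if self.clock() < entry["expires_at"] - 60:      # 60 s skew margin
            return entry["access"]
        return self._refresh(user, entry["refresh"])

def naive_fetch(kc: FakeKeycloak, gh: FakeGitHub) -> str:
    """Always trust Keycloak's copy; refresh it only when GitHub rejects it."""
    raw = kc.broker_token("myrealm", "github")
    if gh.api_ok(raw["access_token"]):
        return "ok"
    return "refreshed" if gh.refresh(raw["refresh_token"]) else "failed"

def scenario(mode: str) -> list:
    """Simulate calls at 1 h, 9 h and 18 h after login for one strategy."""
    now = [0.0]
    gh = FakeGitHub(lambda: now[0])
    kc = FakeKeycloak(gh.issue())           # what Keycloak stored at login
    client = RotatingTokenClient(kc, gh, lambda: now[0])
    out = []
    for hours in (1, 9, 18):
        now[0] = hours * 3600.0
        if mode == "naive":
            out.append(naive_fetch(kc, gh))
        else:
            try:
                out.append("ok" if gh.api_ok(client.access_token("alice")) else "stale")
            except RuntimeError:
                out.append("failed")
    return out

if __name__ == "__main__":
    print("naive   :", scenario("naive"))      # third call fails: Keycloak's refresh token is spent
    print("rotating:", scenario("rotating"))   # every call succeeds
```

The naive path reproduces the report exactly: the first refresh works, and from then on the refresh token Keycloak returns is dead. The rotating client is the only client-side fix available without a Keycloak change; note that it must persist its cache somewhere durable (the example keeps it in memory), and that anything else reading the broker endpoint for the same user will still get the consumed pair.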