dexidp/dex

connectors: implement refreshing with Google

ericchiang opened this issue · 4 comments

When a user logs in through dex into Google, dex should be able to refresh the user's info with Google when a client of dex refreshes its id_token.

This is complicated because Google only allows a single refresh token out per client <-> end user pair, so we'd have to store connector data in our "offlinesessions" object globally, instead of in the refresh data like we do now.

Also is this general enough to do for all oidc providers, or just Google? Investigate.

This is very likely to be applicable to other OIDC providers, as most of them allow users to "delete Tokens granted to Applications", signifying that only one is issued.

FYI I brain dumped a lot of my thoughts about this here: https://docs.google.com/document/d/14XaHtY_JDU_fT1CfhFHewKvosPCbmyf8fD4S5UnsG2o/edit?usp=sharing

It's a long doc, but hopefully articulates the refactors that need to happen to support this feature.

We could create a copy of the current oidc connector named google, which does not support Refresh(), and expand the oidc connector to support refresh_tokens and groups, I suppose? 🤔 @ericchiang what do you think? This could unblock #1065 without solving the google-specific issue...

I think we still have the issue that providers can return refresh tokens that invalidate previously requested tokens. Right now the connector data is per user / Dex client pair. So if a user logs in to client A then client B, the refresh token dex gets for client B could invalidate the upstream refresh token dex got for client A.

Making that data global to the user, so client A and client B actually use the same upstream refresh token from the provider is probably still a requirement.
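The invalidation problem described in the last two comments, as an added example that is not dex's code: a constructed model of an upstream provider that keeps a single valid refresh token per user for the dex client, run once with connector data stored per (user, dex client) and once with it stored per user. Names (`Upstream`, `Scenario`, user "alice", clients A and B) are assumptions for the illustration.

```go
package main

import "fmt"

// Constructed model (not dex code) of a provider such as Google that keeps
// a single valid refresh token per user for the dex upstream client: issuing
// a new token revokes the previous one.
type Upstream struct {
	current map[string]string // user -> the only refresh token still valid
	next    int
}

func (u *Upstream) Issue(user string) string {
	u.next++
	tok := fmt.Sprintf("rt-%d", u.next)
	u.current[user] = tok // any earlier token for this user is now revoked
	return tok
}

func (u *Upstream) Refresh(user, tok string) bool {
	return u.current[user] == tok // false models an invalid_grant error upstream
}

// Scenario: user "alice" logs in to dex client A, then client B, then both
// clients refresh. perClient=true keeps the upstream refresh token per
// (user, dex client) as dex does today; false keeps it once per user.
func Scenario(perClient bool) (aOK, bOK bool) {
	up := &Upstream{current: map[string]string{}}
	store := map[string]string{} // dex's stored connector data
	key := func(client string) string {
		if perClient {
			return "alice|" + client
		}
		return "alice"
	}
	for _, c := range []string{"A", "B"} {
		if _, ok := store[key(c)]; !ok { // nothing stored: a fresh upstream login
			store[key(c)] = up.Issue("alice")
		}
	}
	return up.Refresh("alice", store[key("A")]), up.Refresh("alice", store[key("B")])
}

func main() {
	fmt.Println(Scenario(true))  // false true: B's login revoked the token held for A
	fmt.Println(Scenario(false)) // true true: one shared upstream token per user
}
```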