This extension for Keycloak enables token-exchange for the IdToken supplied by Sign in with Google One-Tap SDKs.
If you're using Google One-Tap to Sign in with Google SDKs for web or native apps, then you get an id-token. Keycloak doesn't support exchanging this token for an accessToken of its own using token-exchange. This extension provides a Google One-Tap Identity provider which supports this.
The extension uses the Google Client API library to verify the authenticity of the token. The extension also packages the Google Client API library and is supplied as a shadow jar.
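The kind of check the Google Client API library performs on a One-Tap id-token, as an added example that is not the extension's own code. It assumes the `google-api-client` and `google-http-client-gson` artifacts are on the classpath; the class name, `CLIENT_ID` placeholder and the hosted-domain argument are hypothetical.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

public class OneTapTokenCheck {
    // Placeholder: the OAuth client ID the One-Tap SDK was configured with.
    static final String CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com";

    /** Returns the verified claims, or throws if the token must not be trusted. */
    static GoogleIdToken.Payload verify(String idToken, String requiredHostedDomain)
            throws GeneralSecurityException, IOException {
        GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
                new NetHttpTransport(), GsonFactory.getDefaultInstance())
                // Reject tokens minted for any other client (confused-deputy guard).
                .setAudience(Collections.singletonList(CLIENT_ID))
                .build();

        GoogleIdToken token;
        try {
            // Checks signature against Google's published keys, issuer, audience and expiry.
            token = verifier.verify(idToken);
        } catch (IllegalArgumentException e) {
            throw new GeneralSecurityException("Malformed id-token", e);
        }
        if (token == null) {
            throw new GeneralSecurityException("id-token failed verification");
        }

        GoogleIdToken.Payload claims = token.getPayload();
        if (!Boolean.TRUE.equals(claims.getEmailVerified())) {
            throw new GeneralSecurityException("Email address is not verified");
        }
        // Optional restriction to one Google Workspace domain (the "hd" claim).
        if (requiredHostedDomain != null
                && !requiredHostedDomain.equals(claims.getHostedDomain())) {
            throw new GeneralSecurityException("Unexpected hosted domain");
        }
        return claims;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: id-token from the One-Tap callback; args[1]: optional hosted domain.
        GoogleIdToken.Payload claims = verify(args[0], args.length > 1 ? args[1] : null);
        System.out.println("sub=" + claims.getSubject() + " email=" + claims.getEmail());
    }
}
```

Link accounts on the `sub` claim rather than the email address, since `sub` is the stable identifier for a Google account.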
- Deploy by adding the jar to /opt/keycloak/providers/
- Restart Keycloak.
If you're using docker, you can install the provider by adding it to
ADD --chown=keycloak:keycloak https://github.com/avatsav/keycloak-google-one-tap/releases/download/{version}/apple-identity-provider-{version}.jar /opt/keycloak/providers/apple-identity-provider-{version}.jar
The version of this library mirrors the compatible Keycloak version, so you can find the version that suits your Keycloak version in the releases.
Note
Starting Keycloak v21 since some additional properties such as Hosted Domain, Use userIp param and Request refresh token are not displayed in the Admin UI when configuring the extension.