Refresh token with Google giving 'failed to refresh identity: missing "name" claim'


Brian Candler

May 19, 2020, 6:48:27 AM
to dex-dev
I am trying out Dex using a config based on examples/config-dev.yaml plus the example-app.  I built from today's git head with go1.14.3.

I activated the Google section, configured clientID and clientSecret obtained from console.developers.google.com, and I can successfully login using my gmail account.  The example app shows:

ID Token:

...

Access Token:

...

Claims:

{
  "iss": "http://<mydomain>:5556/dex",
  "sub": "<mysub>",
  "aud": "example-app",
  "exp": 1589970400,
  "iat": 1589884000,
  "at_hash": "IwE6FNaS54ZP-HqCTl-qVA",
  "email": "<myemail>",
  "email_verified": true,
  "name": "Brian Candler"
}

Refresh Token:

...

However, if I click the "Redeem refresh token" button, the example app immediately returns:

failed to get token: oauth2: cannot fetch token: 500 Internal Server Error
Response: {"error":"server_error"}

and the Dex server process logs:

time="2020-05-19T10:30:09Z" level=error msg="failed to refresh identity: missing \"name\" claim"

Is this normal with Google as the upstream IDP?  Token refreshing does work with the "mock" connector and the "local" connector.

I did find an issue relating to refresh tokens with Google: https://github.com/dexidp/dex/issues/863 - but as this is closed, I thought this has been solved.

Thanks,

Brian.

Brian Candler

May 19, 2020, 7:17:22 AM
to dex-dev
I added some debug:

--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -270,7 +270,7 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
        }
        name, found := claims[userNameKey].(string)
        if !found {
-               return identity, fmt.Errorf("missing \"%s\" claim", userNameKey)
+               return identity, fmt.Errorf("missing \"%s\" claim. Claims: %v", userNameKey, claims)
        }

        hasEmailScope := false
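Review bot: the `%v` in the new error message serialises the entire claim set, so email, sub and at_hash land in the server log at level=error (the log line quoted after this patch shows exactly that). That is fine for a one-off debugging patch, but if it were to stay, format only the claim names (for example by collecting the map keys into a slice before passing them to `fmt.Errorf`) and keep claim values out of the returned error.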

and I can see the response indeed doesn't include a "name" claim.

time="2020-05-19T11:03:59Z" level=error msg="failed to refresh identity: missing \"name\" claim. Claims: map[at_hash:Ud9DX4GxpF_cesazD7Wz0Q aud:XXXXX.apps.googleusercontent.com azp:XXXXX.apps.googleusercontent.com email:<myemail> email_verified:true exp:1.589889839e+09 iat:1.589886239e+09 iss:https://accounts.google.com sub:XXXXX]"

But I'm at the limit of my OIDC knowledge here.  I note from Google's documentation:

name: The user's full name, in a displayable form. Might be provided when:
  • The request scope included the string "profile"
  • The ID token is returned from a token refresh

When name claims are present, you can use them to update your app's user records. Note that this claim is never guaranteed to be present. [my emphasis]


Perhaps it would be possible to keep the original Name claim if the refresh doesn't provide it?

Regards,

Brian.
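A fallback of the kind suggested in this post, written as an added Go example (not dex's own code): it takes a decoded claim set like the one dex logs, requires "sub" and "email", and on refresh keeps the Username established at login when "name" is absent, while refusing a refresh whose subject differs from the stored identity. The Identity type, the function names and the JSON inputs used with it are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Identity holds the fields of dex's connector.Identity that matter here (constructed for this example).
type Identity struct {
	UserID        string
	Username      string
	Email         string
	EmailVerified bool
}

// identityFromClaims builds an Identity from a decoded ID-token claim set. prev is nil at
// login; on refresh it is the identity stored with the refresh token, and a missing "name"
// claim falls back to prev.Username instead of failing. "sub" and "email" stay mandatory.
func identityFromClaims(claims map[string]interface{}, prev *Identity) (Identity, error) {
	sub, ok := claims["sub"].(string)
	if !ok || sub == "" {
		return Identity{}, fmt.Errorf("missing \"sub\" claim")
	}
	// A refresh must never rebind the stored identity to a different subject.
	if prev != nil && prev.UserID != sub {
		return Identity{}, fmt.Errorf("refresh subject %q does not match identity %q", sub, prev.UserID)
	}
	email, ok := claims["email"].(string)
	if !ok {
		return Identity{}, fmt.Errorf("missing \"email\" claim")
	}
	verified, _ := claims["email_verified"].(bool)
	name, found := claims["name"].(string)
	if !found {
		if prev == nil {
			return Identity{}, fmt.Errorf("missing \"name\" claim") // nothing to fall back to at login
		}
		name = prev.Username
	}
	return Identity{UserID: sub, Username: name, Email: email, EmailVerified: verified}, nil
}

// parseClaims decodes a JSON claim set; numeric claims such as exp become float64,
// which is why dex's log prints exp as 1.589889839e+09.
func parseClaims(raw string) (map[string]interface{}, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &claims); err != nil {
		return nil, err
	}
	return claims, nil
}
```

The subject check matters because the fallback only makes sense when the refreshed token still belongs to the same account as the stored identity.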

Brian Candler

Jun 7, 2020, 4:11:37 AM
to dex-dev
For completeness: I was able to resolve this by changing the connector type from "oidc" to "google". However, the "google" connector, when used without hosted domain credentials for group lookup, requires a small patch to make it work: