Google broker and token refresh

Hello,

We use Keycloak for authentication via our Google accounts in our Angular application (via keycloak-js).
No problem, it works perfectly.

We now want to use the Google token to call Google APIs directly.

So we call the broker endpoint to retrieve a token (store token on, api scopes, prompt consent, access_type offline).
This works very well… for 1 hour.

After that, the Google token expires, and Keycloak always returns the same one even when we call the broker token endpoint again, and we get a 401 from Google.

The only way to get a new token is to destroy the Keycloak session (delete the cookies).
I don’t understand why.

Thanks.

Which version of Keycloak do you run?
There was an enhancement in 26.4: "External IDP tokens are not refreshed automatically for OAuth2 & OIDC IDPs when retrieving the external token" (Issue #14644, keycloak/keycloak on GitHub)
I don’t know if this fixes your issue.
There’s a follow-up, not yet fixed: "Make sure refreshing external tokens possible" (Issue #46582, keycloak/keycloak on GitHub)
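The behaviour discussed in this thread can be detected on the client before Google answers with a 401. The following is an added example, not code from either poster or from the Keycloak project. It assumes a realm named `myrealm`, an identity provider alias `google`, the host `sso.example.test`, and a broker response that carries `access_token` and `expires_in`; the helper names are hypothetical and the tokens are constructed.

```javascript
// Added example: flags a broker token that Keycloak returns unchanged after
// its lifetime has passed. Names and response shape are assumptions.
function brokerTokenUrl(baseUrl, realm, alias) {
  return `${baseUrl}/realms/${encodeURIComponent(realm)}` +
         `/broker/${encodeURIComponent(alias)}/token`;
}

function createBrokerTokenClient({ url, getKeycloakToken, fetchFn, now = () => Date.now() }) {
  let seen = null; // { accessToken, expiresAt } for the last distinct token

  return async function getExternalToken() {
    const res = await fetchFn(url, {
      headers: { Authorization: `Bearer ${await getKeycloakToken()}` },
    });
    if (!res.ok) throw new Error(`broker endpoint returned ${res.status}`);
    const body = await res.json();

    // expires_in counts from issuance, so the deadline is fixed the first time
    // a given access_token is seen. A token stored earlier expires sooner, so
    // this deadline is an upper bound.
    if (!seen || seen.accessToken !== body.access_token) {
      seen = {
        accessToken: body.access_token,
        expiresAt: now() + Number(body.expires_in) * 1000,
      };
    }
    // stale: the same stored token came back after its lifetime ended.
    return { ...seen, stale: now() >= seen.expiresAt };
  };
}

// Constructed scenario: the fake endpoint keeps returning one stored token.
async function demo() {
  let clock = 0; // fake clock in milliseconds
  const stored = { access_token: "constructed-token-A", expires_in: 3600 };
  const fetchFn = async () => ({ ok: true, status: 200, json: async () => ({ ...stored }) });
  const getExternalToken = createBrokerTokenClient({
    url: brokerTokenUrl("https://sso.example.test", "myrealm", "google"),
    getKeycloakToken: async () => "constructed-keycloak-token",
    fetchFn,
    now: () => clock,
  });
  const first = await getExternalToken();
  clock = 61 * 60 * 1000; // 61 minutes later
  const second = await getExternalToken();
  return { first, second };
}
```

In an application, `fetchFn` would be the browser's `fetch` and `getKeycloakToken` would return the current keycloak-js access token.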