SSO - Receiving tokens from Upstream Identity Providers

Modified on Mon, 3 Apr, 2023 at 11:20 AM

Labforward supports storing and making the tokens issued by external OAuth2 Identity Providers (IdP) accessible for the user. The related settings in the Replicated IdP configuration are:

  • storeToken: Enable/disable whether to store the tokens after authentication.
  • addReadTokenRoleOnCreate: Enable/disable if new users can read any stored tokens.

When these settings are true, the users can receive the tokens issued by the upstream IdP. The endpoint for retrieving the tokens is:

GET /realms/labforward/broker/{provider_alias}/token HTTP/1.1
Host: {iam_host}
Authorization: Bearer <IAM-ACCESS-TOKEN>

Configuring IdPs to get refresh tokens

When the default openid scope is used, the external IdPs only return access tokens. To receive a refresh token (i.e. "offline access"), IdPs must be configured accordingly.

In OpenID Connect 1.0 protocol definition, offline access is requested by passing a scope called offline_access.


OPTIONAL. This scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in).


Microsoft implements the OIDC protocol. When the scope is set as openid profile email offline_access, the external IdP token endpoint returns a response as follows:

GET {baseUrl}/auth/realms/labforward/broker/microsoft/token
Authorization: Bearer <IAM-ACCESS-TOKEN>

   "access_token": "EwBw...",
   "expires_in": 3600,
   "refresh_expires_in": 0,
   "refresh_token": "M.R3_BL2...",
   "token_type": "Bearer",
   "id_token": "eyJ0eXA...",
   "not-before-policy": 0,
   "scope": "openid profile email",
   "accessTokenExpiration": 1651593190,
   "ext_expires_in": 3600


Google does not implement the default OIDC protocol. It expects an extra HTTP query parameter access_type=offline to return a refresh token. This needs to be set in the IdP scope settings.

Also, Google returns the refresh token only during the first authentication for the app. To re-issue a refresh token, the user needs to:

GET {baseUrl}/auth/realms/labforward/broker/google/token
Authorization: Bearer <IAM-ACCESS-TOKEN>

   "access_token": "ya29.A0A...",
   "expires_in": 3599,
   "refresh_expires_in": 0,
   "refresh_token": "1//09X8...",
   "token_type": "Bearer",
   "id_token": "eyJ...",
   "not-before-policy": 0,
   "scope": " \ openid",
   "accessTokenExpiration": 1651593062

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article