Why Is Keycloak Not Fetching Gender and Birthday from Google Identity Provider?

Below is an analysis of why the extended attributes such as gender and birthday might not be retrieved, along with suggestions for how to address the issue:

Why This Happens

• Google’s User Info Endpoint Limitations:
  Although you’ve added the extended scopes (user.gender.read and user.birthday.read), Google does not include these fields in the standard OpenID Connect user info response. Keycloak, by default, uses the user info endpoint (or the claims in the ID token) to map attributes. In contrast, tools like OAuth 2.0 Playground may be explicitly invoking the People API (or other endpoints) that return the extra details.

• Endpoint and API Version Differences:
  Google has been transitioning many profile details to be accessible only via the People API. Keycloak’s built‐in Google Identity Provider may not be configured to automatically make additional API calls beyond the default endpoints, so even though the scopes are granted, the necessary information isn’t fetched.

• Mapping Limitations:
  The mappers you set up in Keycloak expect the data to exist in the response from Google. Since the gender and birthday fields are not part of that response (unless explicitly fetched using the appropriate API), the mappers have nothing to map, resulting in null values.

What You Can Do

1. Verify Consent & API Configuration on Google Console:

   • Make sure that your Google application (OAuth Consent Screen) has been configured to allow these scopes and that users are consenting to them.
   • Note that even with consent, Google may still only return extra fields via the People API.

2. Customizing the Identity Provider in Keycloak:

   • You might need to extend Keycloak’s default behavior by creating a custom identity provider mapper.
   • Such a mapper could make an additional request to the People API to fetch details that are not returned from the default user info endpoint.

   Example Outline for a Custom Mapper:

   JAVACopied
   public class GooglePeopleAPIGenderBirthdayMapper extends AbstractIdentityProviderMapper {
       // Define your mapper’s configuration and implement methods that:
       // 1. Extract the access token from the authentication context.
       // 2. Use the token to perform a request to the Google People API.
       // 3. Parse the response to retrieve gender and birthday.
       // 4. Set these attributes on the Keycloak user.
   }

   • You would then deploy this as a custom provider in Keycloak so that, during login, the additional call is made to fetch these values.

3. Check for Community or Plugin Solutions:

   • Sometimes community-contributed mappers or plugins exist for scenarios like this. Verify if there’s an updated version or a community extension that already handles People API integration for Google.

Summary

The main reason Keycloak is not retrieving gender and birthday is that these fields aren’t included in the standard response from Google’s OpenID Connect endpoints. Though you have added the necessary scopes and mappers, Keycloak isn’t automatically calling the People API where these fields are available. The solution involves either adjusting your Google API configurations (if available) or extending Keycloak with a custom mapper that retrieves the additional attributes from the People API.

By addressing these points, you should be able to fetch and map the gender and birthday attributes successfully.