fix(google): preserve username when absent in refresh token (#4758)

hisamafahri · web-flow · commit 98c0b47a54b2 · 2026-04-28T08:27:09.000+02:00
Google sometimes does not return username and other claims during token refresh, which is correct according to OIDC spec. Instead of calling the userinfo endpoint (which Google throttles more aggressively), preserve the previous username if absent in the refreshed ID token. This fix is specific to the Google connector and does not modify the general refresh flow. Fixes #4458 Signed-off-by: Hisam Fahri <iam@hisamafahri.com>
diff --git a/connector/google/google.go b/connector/google/google.go
@@ -247,6 +247,15 @@ func (c *googleConnector) createIdentity(ctx context.Context, identity connector
 		return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
 	}
 
+	// Google sometimes do not return username and other claims. It is correct, according to OIDC spec.
+	// One option to solve this is to call the user endpoint, but Google throttles it more aggressive than
+	// the token endpoint. For concurrent refreshes it is an unwanted behavior.
+	// As a tradeoff, dex preserves previous username and preferred username if absent in the ide token
+	// as a way to keep the claims and do not call the userinfo endpoint.
+	if claims.Username == "" {
+		claims.Username = identity.Username
+	}
+
 	if len(c.hostedDomains) > 0 {
 		found := false
 		for _, domain := range c.hostedDomains {
