
Google refresh token: 'failed to refresh identity: missing "name" claim' #1718

Closed
candlerb opened this issue May 19, 2020 · 1 comment · Fixed by #1720

Comments

@candlerb
Contributor

Testing Dex using a config based on examples/config-dev.yaml and the example-app. I built from today's git head with go1.14.3.

I activated the Google section, configured clientID and clientSecret obtained from console.developers.google.com, and I can successfully log in using my Gmail account. The example app shows:

ID Token:
...
Access Token:
...
Claims:
{
  "iss": "http://<mydomain>:5556/dex",
  "sub": "<mysub>",
  "aud": "example-app",
  "exp": 1589970400,
  "iat": 1589884000,
  "at_hash": "IwE6FNaS54ZP-HqCTl-qVA",
  "email": "<myemail>",
  "email_verified": true,
  "name": "Brian Candler"
}
Refresh Token:
...

However, if I click the "Redeem refresh token" button, the example app immediately returns:

failed to get token: oauth2: cannot fetch token: 500 Internal Server Error
Response: {"error":"server_error"}

and the Dex server process logs:

time="2020-05-19T10:30:09Z" level=error msg="failed to refresh identity: missing \"name\" claim"

Token refreshing does work with the "mock" connector and the "local" connector, so this seems to be something specific to Google.

I added some debug:

--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -270,7 +270,7 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
        }
        name, found := claims[userNameKey].(string)
        if !found {
-               return identity, fmt.Errorf("missing \"%s\" claim", userNameKey)
+               return identity, fmt.Errorf("missing \"%s\" claim. Claims: %v", userNameKey, claims)
        }

        hasEmailScope := false
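Review bot: the added line `return identity, fmt.Errorf("missing \"%s\" claim. Claims: %v", userNameKey, claims)` puts every claim value into the error string, and Dex logs that error at level=error; the log line quoted in this issue shows that for Google this includes the user's email and sub. Fine for a one-off local debug, but if a diagnostic like this were to stay in the connector, log only the claim names (the keys of `claims`) rather than `%v` of the whole map, so identity data does not end up in server logs.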

and I can see the response indeed doesn't include a "name" claim.

time="2020-05-19T11:03:59Z" level=error msg="failed to refresh identity: missing \"name\" claim. Claims: map[at_hash:Ud9DX4GxpF_cesazD7Wz0Q aud:XXXXX.apps.googleusercontent.com azp:XXXXX.apps.googleusercontent.com email:<myemail> email_verified:true exp:1.589889839e+09 iat:1.589886239e+09 iss:https://accounts.google.com sub:XXXXX]"

Is this a known limitation with Google? I wonder if there is some solution for token refresh here, perhaps maintaining the existing "name" claim from the initial authentication if the refresh doesn't supply it? Or just make it completely optional?

I note from Google's documentation:

name - The user's full name, in a displayable form. Might be provided when:

  • The request scope included the string "profile"
  • The ID token is returned from a token refresh

When name claims are present, you can use them to update your app's user records. Note that this claim is never guaranteed to be present. [my emphasis]
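As an added illustration of the fallback floated above (keeping the name from the initial login when a refreshed ID token omits the "name" claim), here is a small Go program. It is not Dex's code: `Identity`, `identityFromClaims`, `claimKeys` and the two sample claim maps are hypothetical, constructed for this example and only modelled on the claims quoted in this issue.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Identity is a hypothetical stand-in for the fields a connector persists between
// the initial login and a later refresh; it is not Dex's connector.Identity.
type Identity struct {
	UserID        string
	Username      string
	Email         string
	EmailVerified bool
}

// identityFromClaims derives an Identity from decoded ID-token claims.
//
// On first login (refreshing == false) a missing "name" is still an error, as in
// the connector code quoted in the issue. On refresh (refreshing == true) the
// previously stored Username is kept when the token omits "name", since Google
// documents that claim as never guaranteed. The "sub" claim must be present and,
// on refresh, must match the stored UserID so a refresh cannot silently move the
// session to a different subject.
func identityFromClaims(prev Identity, claims map[string]interface{}, refreshing bool) (Identity, error) {
	sub, ok := claims["sub"].(string)
	if !ok || sub == "" {
		return prev, errors.New("missing \"sub\" claim")
	}
	if refreshing && sub != prev.UserID {
		return prev, fmt.Errorf("subject changed on refresh: stored %q, token %q", prev.UserID, sub)
	}

	id := Identity{UserID: sub}

	name, found := claims["name"].(string)
	switch {
	case found && name != "":
		id.Username = name
	case refreshing:
		id.Username = prev.Username // carry the display name over from the initial login
	default:
		// Report which claims arrived, but never their values (they include email and sub).
		return prev, fmt.Errorf("missing \"name\" claim (claims present: %v)", claimKeys(claims))
	}

	// Email claims are copied when present; a failed assertion leaves the zero value.
	id.Email, _ = claims["email"].(string)
	id.EmailVerified, _ = claims["email_verified"].(bool)
	return id, nil
}

// claimKeys returns only the claim names, sorted, so an error message can say
// which claims were present without copying PII into logs.
func claimKeys(claims map[string]interface{}) []string {
	keys := make([]string, 0, len(claims))
	for k := range claims {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Constructed sample claims modelled on the issue: the first carries "name", the
// refreshed one does not. Numeric JSON claims decode to float64, which is why
// the issue's log shows "exp:1.589889839e+09".
var (
	initialClaims = map[string]interface{}{
		"iss": "https://accounts.google.com", "sub": "123456789", "name": "Brian Candler",
		"email": "user@example.com", "email_verified": true, "exp": 1.589889839e+09,
	}
	refreshClaims = map[string]interface{}{
		"iss": "https://accounts.google.com", "sub": "123456789",
		"email": "user@example.com", "email_verified": true, "exp": 1.589893439e+09,
	}
)

func main() {
	id, err := identityFromClaims(Identity{}, initialClaims, false)
	fmt.Printf("login:   %+v err=%v\n", id, err)

	refreshed, err := identityFromClaims(id, refreshClaims, true)
	fmt.Printf("refresh: %+v err=%v\n", refreshed, err)

	// The strict behaviour from the issue: treating the refresh like a first login fails.
	_, err = identityFromClaims(Identity{}, refreshClaims, false)
	fmt.Println("strict:  err =", err)
}
```

The design choice worth noting is that "name" becomes optional only on the refresh path; the first login still requires it, and the refresh additionally checks that "sub" has not changed, so relaxing the name check does not weaken the binding between the stored identity and the refreshed token.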

@candlerb
Contributor Author

Possibly this is because I'm using type: oidc which comes straight from the config-dev.yaml sample file:

- type: oidc  <<<
  id: google
  name: Google

However, changing to type: google doesn't work without a hosted domain and a delegated API user. Dex tries to open the empty filename:

failed to initialize server: server: Failed to open connector google: failed to open connector: 
failed to create connector google: could not create directory service: 
error reading credentials from file: open : no such file or directory
