[KEYCLOAK-10808] - Do not show authorization tab when client is not confidential

server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java

@@ -2634,6 +2634,9 @@ public class RepresentationToModel {
     }
 
     public static ResourceServer createResourceServer(ClientModel client, KeycloakSession session, boolean addDefaultRoles) {
+        if (client.isBearerOnly() || client.isPublicClient()) {
+            throw new RuntimeException("Only confidential clients are allowed to set authorization settings");
+        }
         AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
         UserModel serviceAccount = session.users().getServiceAccount(client);
 

services/src/main/java/org/keycloak/authorization/admin/ResourceServerService.java

@@ -86,10 +86,9 @@ public class ResourceServerService {
         if (this.resourceServer == null) {
             this.resourceServer = RepresentationToModel.createResourceServer(client, session, true);
             createDefaultPermission(createDefaultResource(), createDefaultPolicy());
+            audit(OperationType.CREATE, session.getContext().getUri(), newClient);
         }
 
-        audit(OperationType.CREATE, session.getContext().getUri(), newClient);
-
         return resourceServer;
     }
 

services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java

@@ -152,7 +152,6 @@ public class ClientResource {
         try {
             updateClientFromRep(rep, client, session);
             adminEvent.operation(OperationType.UPDATE).resourcePath(session.getContext().getUri()).representation(rep).success();
-            updateAuthorizationSettings(rep);
             return Response.noContent().build();
         } catch (ModelDuplicateException e) {
             return ErrorResponse.exists("Client " + rep.getClientId() + " already exists");
@@ -685,7 +684,12 @@ public class ClientResource {
             auth.clients().requireManage(client);
         }
 
+        if ((rep.isBearerOnly() != null && rep.isBearerOnly()) || (rep.isPublicClient() != null && rep.isPublicClient())) {
+            rep.setAuthorizationServicesEnabled(false);
+        }
+
         RepresentationToModel.updateClient(rep, client);
+        updateAuthorizationSettings(rep);
     }
 
     private void updateAuthorizationSettings(ClientRepresentation rep) {

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/AbstractClientTest.java

@@ -101,9 +101,9 @@ public abstract class AbstractClientTest extends AbstractAuthTest {
         return createClient(clientRep);
     }
 
-    protected String createOidcBearerOnlyClientWithAuthz(String name) {
+    protected String createOidcConfidentialClientWithAuthz(String name) {
         ClientRepresentation clientRep = createOidcClientRep(name);
-        clientRep.setBearerOnly(Boolean.TRUE);
+        clientRep.setBearerOnly(Boolean.FALSE);
         clientRep.setPublicClient(Boolean.FALSE);
         clientRep.setAuthorizationServicesEnabled(Boolean.TRUE);
         clientRep.setServiceAccountsEnabled(Boolean.TRUE);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/InstallationTest.java

@@ -138,15 +138,16 @@ public class InstallationTest extends AbstractClientTest {
 
     @Test
     public void testOidcBearerOnlyWithAuthzJson() {
-        oidcBearerOnlyClientWithAuthzId = createOidcBearerOnlyClientWithAuthz(OIDC_NAME_BEARER_ONLY_WITH_AUTHZ_NAME);
+        oidcBearerOnlyClientWithAuthzId = createOidcConfidentialClientWithAuthz(OIDC_NAME_BEARER_ONLY_WITH_AUTHZ_NAME);
         oidcBearerOnlyClientWithAuthz = findClientResource(OIDC_NAME_BEARER_ONLY_WITH_AUTHZ_NAME);
 
         String json = oidcBearerOnlyClientWithAuthz.getInstallationProvider("keycloak-oidc-keycloak-json");
         assertOidcInstallationConfig(json);
-        assertThat(json, containsString("bearer-only"));
+        assertThat(json, not(containsString("bearer-only")));
         assertThat(json, not(containsString("public-client")));
         assertThat(json, containsString("credentials"));
         assertThat(json, containsString("secret"));
+        assertThat(json, containsString("policy-enforcer"));
 
         removeClient(oidcBearerOnlyClientWithAuthzId);
     }

testsuite/integration-arquillian/tests/other/console/src/test/java/org/keycloak/testsuite/console/authorization/AbstractAuthorizationSettingsTest.java

@@ -22,12 +22,11 @@ import static org.keycloak.testsuite.auth.page.login.Login.OIDC;
 
 import org.jboss.arquillian.graphene.page.Page;
 import org.junit.Before;
-import org.junit.BeforeClass;
 import org.keycloak.representations.idm.ClientRepresentation;
-import org.keycloak.testsuite.ProfileAssume;
 import org.keycloak.testsuite.console.clients.AbstractClientTest;
 import org.keycloak.testsuite.console.page.clients.authorization.Authorization;
 import org.keycloak.testsuite.console.page.clients.settings.ClientSettings;
+import org.keycloak.testsuite.console.page.clients.settings.ClientSettingsForm;
 import org.openqa.selenium.By;
 
 /**
@@ -56,6 +55,7 @@ public abstract class AbstractAuthorizationSettingsTest extends AbstractClientTe
         newClient.setRedirectUris(TEST_REDIRECT_URIs);
         newClient.setAuthorizationServicesEnabled(true);
 
+        clientSettingsPage.form().setAccessType(ClientSettingsForm.OidcAccessType.CONFIDENTIAL);
         clientSettingsPage.form().setRedirectUris(TEST_REDIRECT_URIs);
         clientSettingsPage.form().setAuthorizationSettingsEnabled(true);
         clientSettingsPage.form().save();

testsuite/integration-arquillian/tests/other/console/src/test/java/org/keycloak/testsuite/console/authorization/DefaultAuthorizationSettingsTest.java

@@ -17,15 +17,12 @@
 package org.keycloak.testsuite.console.authorization;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
-import java.util.List;
-
 import org.junit.Test;
-import org.keycloak.admin.client.resource.AuthorizationResource;
 import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
-import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.authorization.DecisionStrategy;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.keycloak.representations.idm.authorization.ResourceRepresentation;
@@ -34,6 +31,8 @@ import org.keycloak.testsuite.console.page.clients.authorization.permission.Perm
 import org.keycloak.testsuite.console.page.clients.authorization.policy.Policies;
 import org.keycloak.testsuite.console.page.clients.authorization.resource.Resources;
 import org.keycloak.testsuite.console.page.clients.authorization.scope.Scopes;
+import org.keycloak.testsuite.console.page.clients.settings.ClientSettingsForm;
+import org.openqa.selenium.By;
 
 /**
  * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@@ -51,6 +50,27 @@ public class DefaultAuthorizationSettingsTest extends AbstractAuthorizationSetti
         assertDefaultSettings();
     }
 
+    @Test
+    public void testNotAvailableForNonConfidentialClients() {
+        clientSettingsPage.navigateTo();
+        clientSettingsPage.form().setAccessType(ClientSettingsForm.OidcAccessType.BEARER_ONLY);
+        clientSettingsPage.form().save();
+        assertAlertSuccess();
+        assertTrue(driver.findElements(By.linkText("Authorization")).isEmpty());
+        assertFalse(driver.findElements(By.xpath(".//div[@class='onoffswitch' and ./input[@id='authorizationServicesEnabled']]")).get(0).isDisplayed());
+        clientSettingsPage.form().setAccessType(ClientSettingsForm.OidcAccessType.PUBLIC);
+        clientSettingsPage.form().save();
+        assertAlertSuccess();
+        assertTrue(driver.findElements(By.linkText("Authorization")).isEmpty());
+        assertFalse(driver.findElements(By.xpath(".//div[@class='onoffswitch' and ./input[@id='authorizationServicesEnabled']]")).get(0).isDisplayed());
+        clientSettingsPage.navigateTo();
+        clientSettingsPage.form().setAccessType(ClientSettingsForm.OidcAccessType.CONFIDENTIAL);
+        clientSettingsPage.form().setAuthorizationSettingsEnabled(true);
+        clientSettingsPage.form().save();
+        authorizationPage.navigateTo();
+        assertDefaultSettings();
+    }
+
     private void assertDefaultSettings() {
         AuthorizationSettingsForm settings = authorizationPage.settings();
 

themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html

@@ -132,7 +132,7 @@
                     <input ng-model="clientEdit.serviceAccountsEnabled" name="serviceAccountsEnabled" id="serviceAccountsEnabled" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
                 </div>
             </div>
-            <div class="form-group" data-ng-show="protocol == 'openid-connect'">
+            <div class="form-group" data-ng-show="protocol == 'openid-connect' && !clientEdit.publicClient && !clientEdit.bearerOnly">
                 <label class="col-md-2 control-label" for="authorizationServicesEnabled">{{:: 'authz-authorization-services-enabled' | translate}}</label>
                 <kc-tooltip>{{:: 'authz-authorization-services-enabled.tooltip' | translate}}</kc-tooltip>
                 <div class="col-md-6">