Feature flag DPoP metadata in OIDC Well Known endpoint

Closes keycloak/keycloak#24547

Signed-off-by: Joshua Sorah <jsorah@gmail.com>

services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java

@@ -196,7 +196,9 @@ public class OIDCWellKnownProvider implements WellKnownProvider {
         // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.2
         config.setTlsClientCertificateBoundAccessTokens(true);
 
-        config.setDpopSigningAlgValuesSupported(new ArrayList<>(DPoPUtil.DPOP_SUPPORTED_ALGS));
+        if (Profile.isFeatureEnabled(Profile.Feature.DPOP)) {
+            config.setDpopSigningAlgValuesSupported(new ArrayList<>(DPoPUtil.DPOP_SUPPORTED_ALGS));
+        }
 
         URI revocationEndpoint = frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "revoke")
             .build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java

@@ -69,6 +69,7 @@ import java.util.Map;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertNull;
 
 /**
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
@@ -218,9 +219,9 @@ public class OIDCWellKnownProviderTest extends AbstractKeycloakTest {
             assertTrue(oidcConfig.getFrontChannelLogoutSessionSupported());
             assertTrue(oidcConfig.getFrontChannelLogoutSupported());
 
-            // DPoP
-            Assert.assertNames(oidcConfig.getDpopSigningAlgValuesSupported(), Algorithm.PS256, Algorithm.PS384, Algorithm.PS512,
-                    Algorithm.RS256, Algorithm.RS384, Algorithm.RS512, Algorithm.ES256, Algorithm.ES384, Algorithm.ES512);
+            // DPoP - negative test for preview profile - see testDpopSigningAlgValuesSupportedWithDpop for actual test
+            assertNull("dpop_signing_alg_values_supported should not be present unless DPoP feature is enabled",
+                    oidcConfig.getDpopSigningAlgValuesSupported());
         } finally {
             client.close();
         }
@@ -401,6 +402,22 @@ public class OIDCWellKnownProviderTest extends AbstractKeycloakTest {
         }
     }
 
+    @Test
+    @EnableFeature(value = Profile.Feature.DPOP, skipRestart = true)
+    public void testDpopSigningAlgValuesSupportedWithDpop() throws IOException {
+        Client client = AdminClientUtil.createResteasyClient();
+
+        try {
+            OIDCConfigurationRepresentation oidcConfig = getOIDCDiscoveryRepresentation(client, OAuthClient.AUTH_SERVER_ROOT);
+
+            // DPoP
+            Assert.assertNames(oidcConfig.getDpopSigningAlgValuesSupported(), Algorithm.PS256, Algorithm.PS384, Algorithm.PS512,
+                    Algorithm.RS256, Algorithm.RS384, Algorithm.RS512, Algorithm.ES256, Algorithm.ES384, Algorithm.ES512);
+        } finally {
+            client.close();
+        }
+    }
+
     private void assertScopesSupportedMatchesWithRealm(OIDCConfigurationRepresentation oidcConfig) {
         Assert.assertNames(oidcConfig.getScopesSupported(), OAuth2Constants.SCOPE_OPENID, OAuth2Constants.OFFLINE_ACCESS,
                 OAuth2Constants.SCOPE_PROFILE, OAuth2Constants.SCOPE_EMAIL, OAuth2Constants.SCOPE_PHONE, OAuth2Constants.SCOPE_ADDRESS, OIDCLoginProtocolFactory.ACR_SCOPE,