[KEYCLOAK-18860] - Fixing attributes returned from user api

services/src/main/java/org/keycloak/services/resources/admin/UserResource.java

@@ -285,11 +285,10 @@ public class UserResource {
 
         UserProfileProvider provider = session.getProvider(UserProfileProvider.class);
         UserProfile profile = provider.create(USER_API, user);
+        Map<String, List<String>> readableAttributes = profile.getAttributes().getReadable(false);
 
-        Map<String, List<String>> attributes = profile.getAttributes().getReadable(false);
+        if (rep.getAttributes() != null) {
-
+            rep.setAttributes(readableAttributes);
-        if (!attributes.isEmpty()) {
-            rep.setAttributes(attributes);
         }
 
         return rep;

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/DeclarativeUserTest.java

@@ -1,6 +1,7 @@
 package org.keycloak.testsuite.admin;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
@@ -39,6 +40,7 @@ public class DeclarativeUserTest extends AbstractAdminTest {
                 + "{\"name\": \"lastName\", " + PERMISSIONS_ALL + "},"
                 + "{\"name\": \"aName\", " + PERMISSIONS_ALL + "},"
                 + "{\"name\": \"custom-a\", " + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"custom-hidden\"},"
                 + "{\"name\": \"attr1\", " + PERMISSIONS_ALL + "},"
                 + "{\"name\": \"attr2\", " + PERMISSIONS_ALL + "}]}");
     }
@@ -66,6 +68,37 @@ public class DeclarativeUserTest extends AbstractAdminTest {
         assertTrue(attributes.containsKey("aName"));
     }
 
+    @Test
+    public void testDoNotReturnAttributeIfNotReadble() {
+        UserRepresentation user1 = new UserRepresentation();
+        user1.setUsername("user1");
+        user1.singleAttribute("attr1", "value1user1");
+        user1.singleAttribute("attr2", "value2user1");
+        String user1Id = createUser(user1);
+
+        user1 = realm.users().get(user1Id).toRepresentation();
+        Map<String, List<String>> attributes = user1.getAttributes();
+        assertEquals(4, attributes.size());
+        assertFalse(attributes.containsKey("custom-hidden"));
+
+        setUserProfileConfiguration(this.realm, "{\"attributes\": ["
+                + "{\"name\": \"username\", " + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"firstName\", " + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"email\", " + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"lastName\", " + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"aName\", " + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"custom-a\", " + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"custom-hidden\", " + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"attr1\", " + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"attr2\", " + PERMISSIONS_ALL + "}]}");
+
+
+        user1 = realm.users().get(user1Id).toRepresentation();
+        attributes = user1.getAttributes();
+        assertEquals(5, attributes.size());
+        assertTrue(attributes.containsKey("custom-hidden"));
+    }
+
     private String createUser(UserRepresentation userRep) {
         Response response = realm.users().create(userRep);
         String createdId = ApiUtil.getCreatedId(response);