KEYCLOAK-10782: Credentials tab on clients can only be displayed with view-realm

services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java

@@ -135,7 +135,7 @@ public class AuthenticationManagementResource {
     @NoCache
     @Produces(MediaType.APPLICATION_JSON)
     public List<Map<String, Object>> getClientAuthenticatorProviders() {
-        auth.realm().requireViewRealm();
+        auth.realm().requireViewClientAuthenticatorProviders();
 
         List<ProviderFactory> factories = session.getKeycloakSessionFactory().getProviderFactories(ClientAuthenticator.class);
         return buildProviderMetadata(factories);
@@ -1095,7 +1095,7 @@ public class AuthenticationManagementResource {
     @Produces(MediaType.APPLICATION_JSON)
     @NoCache
     public Map<String, List<ConfigPropertyRepresentation>> getPerClientConfigDescription() {
-        auth.realm().requireViewRealm();
+        auth.realm().requireViewClientAuthenticatorProviders();
 
         List<ProviderFactory> factories = session.getKeycloakSessionFactory().getProviderFactories(ClientAuthenticator.class);
 
@@ -1205,4 +1205,4 @@ public class AuthenticationManagementResource {
         realm.updateAuthenticatorConfig(exists);
         adminEvent.operation(OperationType.UPDATE).resource(ResourceType.AUTHENTICATOR_CONFIG).resourcePath(session.getContext().getUri()).representation(rep).success();
     }
-}
+}

services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmPermissionEvaluator.java

@@ -62,4 +62,6 @@ public interface RealmPermissionEvaluator {
     void requireViewRequiredActions();
 
     void requireViewAuthenticationFlows();
+
+    void requireViewClientAuthenticatorProviders();
 }

services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmPermissions.java

@@ -197,5 +197,11 @@ class RealmPermissions implements RealmPermissionEvaluator {
         }
     }
 
+    @Override
+    public void requireViewClientAuthenticatorProviders() {
+        if (!(canViewRealm() || root.hasOneAdminRole(AdminRoles.QUERY_CLIENTS, AdminRoles.VIEW_CLIENTS, AdminRoles.MANAGE_CLIENTS))) {
+            throw new ForbiddenException();
+        }
+    }
 
 }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java

@@ -764,6 +764,32 @@ public class PermissionsTest extends AbstractKeycloakTest {
                 realm.flows().getFlows();
             }
         }, clients.get(AdminRoles.QUERY_CLIENTS), true);
+        // the same for ClientAuthenticatorProviders and PerClientConfigDescription
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                realm.flows().getClientAuthenticatorProviders();
+            }
+        }, clients.get(AdminRoles.QUERY_CLIENTS), true);
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                realm.flows().getClientAuthenticatorProviders();
+            }
+        }, clients.get(AdminRoles.VIEW_CLIENTS), true);
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                realm.flows().getClientAuthenticatorProviders();
+            }
+        }, clients.get(AdminRoles.MANAGE_CLIENTS), true);
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                realm.flows().getClientAuthenticatorProviders();
+            }
+        }, clients.get(AdminRoles.QUERY_USERS), false);
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                realm.flows().getPerClientConfigDescription();
+            }
+        }, clients.get(AdminRoles.QUERY_CLIENTS), true);
     }
 
     @Test