Identity Provider secret visible in Organization tab (API request)

Closes #32486

Signed-off-by: Martin Kanis <mkanis@redhat.com>

services/src/main/java/org/keycloak/organization/admin/resource/OrganizationIdentityProvidersResource.java

@@ -29,7 +29,6 @@ import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.Response.Status;
 import jakarta.ws.rs.ext.Provider;
 
-import java.util.Objects;
 import java.util.stream.Stream;
 
 import org.eclipse.microprofile.openapi.annotations.Operation;
@@ -42,6 +41,7 @@ import org.keycloak.models.ModelException;
 import org.keycloak.models.OrganizationModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.utils.ModelToRepresentation;
+import org.keycloak.models.utils.StripSecretsUtils;
 import org.keycloak.organization.OrganizationProvider;
 import org.keycloak.representations.idm.IdentityProviderRepresentation;
 import org.keycloak.services.ErrorResponse;
@@ -117,7 +117,7 @@ public class OrganizationIdentityProvidersResource {
             throw ErrorResponse.error("Identity provider not associated with the organization", Status.NOT_FOUND);
         }
 
-        return ModelToRepresentation.toRepresentation(realm, broker);
+        return toRepresentation(broker);
     }
 
     @Path("{alias}")
@@ -142,7 +142,7 @@ public class OrganizationIdentityProvidersResource {
     }
 
     private IdentityProviderRepresentation toRepresentation(IdentityProviderModel idp) {
-        return ModelToRepresentation.toRepresentation(realm, idp);
+        return StripSecretsUtils.stripSecrets(session, ModelToRepresentation.toRepresentation(realm, idp));
     }
 
     private boolean isOrganizationBroker(IdentityProviderModel broker) {

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/broker/OrganizationOIDCBrokerSelfRegistrationTest.java

@@ -17,10 +17,31 @@
 
 package org.keycloak.testsuite.organization.broker;
 
+import org.junit.Test;
+import org.keycloak.admin.client.resource.OrganizationResource;
 import org.keycloak.common.Profile.Feature;
+import org.keycloak.representations.idm.IdentityProviderRepresentation;
 import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
 
+import java.util.List;
+
+import static org.junit.Assert.assertEquals;
+
 @EnableFeature(Feature.ORGANIZATION)
 public class OrganizationOIDCBrokerSelfRegistrationTest extends AbstractBrokerSelfRegistrationTest {
 
+    @Test
+    public void testMaskedSecretInIDPRepresentation() {
+        OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
+        List<IdentityProviderRepresentation> identityProviders = organization.identityProviders().getIdentityProviders();
+
+        String maskedSecret = "**********";
+
+        identityProviders.forEach(idp -> assertEquals(maskedSecret, idp.getConfig().get("clientSecret")));
+
+        identityProviders.stream().map(IdentityProviderRepresentation::getAlias).forEach(alias -> {
+            IdentityProviderRepresentation rep = organization.identityProviders().get(alias).toRepresentation();
+            assertEquals(maskedSecret, rep.getConfig().get("clientSecret"));
+        });
+    }
 }