Identity Provider secret visible in Organization tab (API request)

Closes #32486 Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-08-30 11:44:29 +02:00 · 2024-08-30 11:44:29 +02:00 · e7d71d43c3
commit e7d71d43c3
parent 7019287a67
2 changed files with 24 additions and 3 deletions
--- a/services/src/main/java/org/keycloak/organization/admin/resource/OrganizationIdentityProvidersResource.java
+++ b/services/src/main/java/org/keycloak/organization/admin/resource/OrganizationIdentityProvidersResource.java
@ -29,7 +29,6 @@ import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.Response.Status;
 import jakarta.ws.rs.ext.Provider;

-import java.util.Objects;
 import java.util.stream.Stream;

 import org.eclipse.microprofile.openapi.annotations.Operation;
@ -42,6 +41,7 @@ import org.keycloak.models.ModelException;
 import org.keycloak.models.OrganizationModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.utils.ModelToRepresentation;
+import org.keycloak.models.utils.StripSecretsUtils;
 import org.keycloak.organization.OrganizationProvider;
 import org.keycloak.representations.idm.IdentityProviderRepresentation;
 import org.keycloak.services.ErrorResponse;
@ -117,7 +117,7 @@ public class OrganizationIdentityProvidersResource {
            throw ErrorResponse.error("Identity provider not associated with the organization", Status.NOT_FOUND);
        }

-        return ModelToRepresentation.toRepresentation(realm, broker);
+        return toRepresentation(broker);
    }

    @Path("{alias}")
@ -142,7 +142,7 @@ public class OrganizationIdentityProvidersResource {
    }

    private IdentityProviderRepresentation toRepresentation(IdentityProviderModel idp) {
-        return ModelToRepresentation.toRepresentation(realm, idp);
+        return StripSecretsUtils.stripSecrets(session, ModelToRepresentation.toRepresentation(realm, idp));
    }

    private boolean isOrganizationBroker(IdentityProviderModel broker) {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/broker/OrganizationOIDCBrokerSelfRegistrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/broker/OrganizationOIDCBrokerSelfRegistrationTest.java
@ -17,10 +17,31 @@

 package org.keycloak.testsuite.organization.broker;

+import org.junit.Test;
+import org.keycloak.admin.client.resource.OrganizationResource;
 import org.keycloak.common.Profile.Feature;
+import org.keycloak.representations.idm.IdentityProviderRepresentation;
 import org.keycloak.testsuite.arquillian.annotation.EnableFeature;

+import java.util.List;
+
+import static org.junit.Assert.assertEquals;
+
@EnableFeature(Feature.ORGANIZATION)
 public class OrganizationOIDCBrokerSelfRegistrationTest extends AbstractBrokerSelfRegistrationTest {

+    @Test
+    public void testMaskedSecretInIDPRepresentation() {
+        OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
+        List<IdentityProviderRepresentation> identityProviders = organization.identityProviders().getIdentityProviders();
+
+        String maskedSecret = "**********";
+
+        identityProviders.forEach(idp -> assertEquals(maskedSecret, idp.getConfig().get("clientSecret")));
+
+        identityProviders.stream().map(IdentityProviderRepresentation::getAlias).forEach(alias -> {
+            IdentityProviderRepresentation rep = organization.identityProviders().get(alias).toRepresentation();
+            assertEquals(maskedSecret, rep.getConfig().get("clientSecret"));
+        });
+    }
 }