/clients-registrations API doesn't return secret anymore and is not c…

…oherent keycloak#11116

/clients-registrations API doesn't return secret anymore and is not coherent

fixing merge

/clients-registrations API doesn't return secret anymore and is not coherent

fixing test that was failing

Replace tabs with regular spaces

fixing identation

/clients-registrations API doesn't return secret anymore and is not coherent. Closes keycloak#11116

fixing test that was failing

.gitignore

@@ -80,3 +80,4 @@ quarkus/data/*.db
 ###############################
 
 /integration/admin-client-jakarta/src/
+/.metadata/

server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java

@@ -690,6 +690,13 @@ public static ClientRepresentation toRepresentation(ClientModel clientModel, Key
         rep.setNotBefore(clientModel.getNotBefore());
         rep.setNodeReRegistrationTimeout(clientModel.getNodeReRegistrationTimeout());
         rep.setClientAuthenticatorType(clientModel.getClientAuthenticatorType());
+
+        // adding the secret if non public or bearer only
+        if (clientModel.isBearerOnly() || clientModel.isPublicClient()) {
+            rep.setSecret(null);
+        } else {
+            rep.setSecret(clientModel.getSecret());
+        }
 
         rep.setDefaultClientScopes(new LinkedList<>(clientModel.getClientScopes(true).keySet()));
         rep.setOptionalClientScopes(new LinkedList<>(clientModel.getClientScopes(false).keySet()));

server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java

@@ -28,6 +28,7 @@
 import java.util.ListIterator;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Objects;
 import java.util.Set;
 import java.util.function.Function;
 import java.util.stream.Collectors;
@@ -1431,7 +1432,16 @@ private static ClientModel createClient(KeycloakSession session, RealmModel real
             client.setClientAuthenticatorType(KeycloakModelUtils.getDefaultClientAuthenticatorType());
         }
 
-        client.setSecret(resourceRep.getSecret());
+        // adding secret if the client isn't public nor bearer only
+        if (Objects.nonNull(resourceRep.getSecret())) {
+            client.setSecret(resourceRep.getSecret());
+        } else {
+            if (client.isPublicClient() || client.isBearerOnly()) {
+                client.setSecret(null);
+            } else {
+                KeycloakModelUtils.generateSecret(client);
+            }
+        }
 
         if (resourceRep.getAttributes() != null) {
             for (Map.Entry<String, String> entry : resourceRep.getAttributes().entrySet()) {

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ClientTest.java

@@ -100,6 +100,7 @@ private ClientRepresentation createClient() {
         rep.setClientId("my-app");
         rep.setDescription("my-app description");
         rep.setEnabled(true);
+        rep.setPublicClient(true);
         Response response = realm.clients().create(rep);
         response.close();
         String id = ApiUtil.getCreatedId(response);
@@ -113,6 +114,37 @@ private ClientRepresentation createClient() {
 
         return rep;
     }
+
+    private ClientRepresentation createClientNonPublic() {
+        ClientRepresentation rep = new ClientRepresentation();
+        rep.setClientId("my-app");
+        rep.setDescription("my-app description");
+        rep.setEnabled(true);
+        rep.setPublicClient(false);
+        Response response = realm.clients().create(rep);
+        response.close();
+        String id = ApiUtil.getCreatedId(response);
+        getCleanup().addClientUuid(id);
+        ClientRepresentation found = ApiUtil.findClientResourceByClientId(realm, "my-app").toRepresentation();
+
+        assertEquals("my-app", found.getClientId());
+        assertAdminEvents.assertEvent(realmId, OperationType.CREATE, AdminEventPaths.clientResourcePath(id), rep, ResourceType.CLIENT);
+
+        rep.setId(id);
+
+        return rep;
+    }
+
+    @Test
+    @AuthServerContainerExclude(AuthServer.REMOTE)
+    public void createClientVerifyWithSecret() {
+        String id = createClientNonPublic().getId();
+
+        ClientResource client = realm.clients().get(id);
+        assertNotNull(client);
+        assertNotNull(client.toRepresentation().getSecret());
+        Assert.assertNames(realm.clients().findAll(), "account", "account-console", "realm-management", "security-admin-console", "broker", "my-app", Constants.ADMIN_CLI_CLIENT_ID);
+    }
 
     @Test
     @AuthServerContainerExclude(AuthServer.REMOTE)

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java

@@ -266,7 +266,8 @@ public void createClientImplicitFlow() throws ClientRegistrationException {
         String clientId = response.getClientId();
         ClientRepresentation kcClientRep = getKeycloakClient(clientId);
         Assert.assertFalse(kcClientRep.isPublicClient());
-        Assert.assertNull(kcClientRep.getSecret());
+        Assert.assertFalse(kcClientRep.isBearerOnly());
+        Assert.assertNotNull(kcClientRep.getSecret());
     }
 
     @Test