[PR #8735/57e28e5a backport][stable-8] keycloak_identity_provider: ge…

…t cleartext clientsecret (#8743)

keycloak_identity_provider: get cleartext clientsecret (#8735)

* get cleartext `clientSecret` from full realm info

* add mock get_realm call to existing tests; add new no_change_when_present test

* add changelog fragment

* remove blank lines

* Update changelog.

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 57e28e5)

Co-authored-by: fgruenbauer <gruenbauer@b1-systems.de>

changelogs/fragments/8735-keycloak_identity_provider-get-cleartext-secret-from-realm-info.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - keycloak_user_federation - get cleartext IDP ``clientSecret`` from full realm info to detect changes to it (https://github.com/ansible-collections/community.general/issues/8294, https://github.com/ansible-collections/community.general/pull/8735).

plugins/modules/keycloak_identity_provider.py

@@ -445,6 +445,15 @@ def get_identity_provider_with_mappers(kc, alias, realm):
     idp = kc.get_identity_provider(alias, realm)
     if idp is not None:
         idp['mappers'] = sorted(kc.get_identity_provider_mappers(alias, realm), key=lambda x: x.get('name'))
+        # clientSecret returned by API when using `get_identity_provider(alias, realm)` is always **********
+        # to detect changes to the secret, we get the actual cleartext secret from the full realm info
+        if 'config' in idp:
+            if 'clientSecret' in idp['config']:
+                for idp_from_realm in kc.get_realm_by_id(realm).get('identityProviders', []):
+                    if idp_from_realm['internalId'] == idp['internalId']:
+                        cleartext_secret = idp_from_realm.get('config', {}).get('clientSecret')
+                        if cleartext_secret:
+                            idp['config']['clientSecret'] = cleartext_secret
     if idp is None:
         idp = {}
     return idp