[keycloak-user] Incomplete ClientRepresentation returned from /{realm}/clients REST endpoint

A GET on the /{realm}/clients REST endpoint is supposed to return an array of ClientRepresentation JSON objects. This is documented here: https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_clients_resource According to the REST documentation (https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_clientrepresen...) a ClientRepresentation is supposed to contain the following top level keys: access adminUrl attributes authenticationFlowBindingOverrides authorizationServicesEnabled authorizationSettings baseUrl bearerOnly clientAuthenticatorType clientId consentRequired defaultClientScopes defaultRoles description directAccessGrantsEnabled enabled frontchannelLogout fullScopeAllowed id implicitFlowEnabled name nodeReRegistrationTimeout notBefore optionalClientScopes origin protocol protocolMappers publicClient redirectUris registeredNodes registrationAccessToken rootUrl secret serviceAccountsEnabled standardFlowEnabled surrogateAuthRequired webOrigins However when authenticated as the admin in the master realm on Keycloak version 4.8.2.Final a GET on /{realm}/clients returns ClientRepresentation's containing only these keys: access attributes authenticationFlowBindingOverrides bearerOnly clientAuthenticatorType clientId consentRequired defaultClientScopes directAccessGrantsEnabled enabled frontchannelLogout fullScopeAllowed id implicitFlowEnabled nodeReRegistrationTimeout notBefore optionalClientScopes protocol publicClient redirectUris serviceAccountsEnabled standardFlowEnabled surrogateAuthRequired webOrigins This means the following keys are omitted from the ClientRepresentation. Why? adminUrl authorizationServicesEnabled authorizationSettings baseUrl defaultRoles description name origin protocolMappers registeredNodes registrationAccessToken rootUrl secret As far as I can tell the documented ClientRepresentation closely matches what is in the code here: https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/k... I believe this is the method used to return the ClientRepresentation from the REST endpoint: https://github.com/keycloak/keycloak/blob/885eec5ef2628e41d59f4017745df44... The conversion from model to representation occurs here: https://github.com/keycloak/keycloak/blob/885eec5ef2628e41d59f4017745df44... I don't see anything which is dropping the missing keys in the returned ClientRepresentation. Is something filtering the result? The context for the question arises from this: We were creating a client via a PUT and allowing Keycloak to generate the client secret, we then wanted to extract the client secret from the ClientRepresentation but it's absent. I can also undersand why the client secret might be omitted for security reasons (although I did find that seems to replace that value with "**********", but that's not happening either, it's just absent). That's when we noticed it wasn't just the client secret that was missign but 12 other keys as well. -- John Dennis