From 93c529c03f9bc16352ba7534f2d6bdf794f08f35 Mon Sep 17 00:00:00 2001
From: Florian Dewald
Date: Mon, 3 Nov 2025 08:31:38 +0000
Subject: [PATCH] Prevent leakage of client secret to low-privileged users
---
 server/router/api/v1/idp_service.go | 32 +++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/server/router/api/v1/idp_service.go b/server/router/api/v1/idp_service.go
index 384119b84..eb2c2e0e8 100644
--- a/server/router/api/v1/idp_service.go
+++ b/server/router/api/v1/idp_service.go
@@ -38,8 +38,17 @@ func (s *APIV1Service) ListIdentityProviders(ctx context.Context, _ *v1pb.ListId
 response := &v1pb.ListIdentityProvidersResponse{
 IdentityProviders: []*v1pb.IdentityProvider{},
 }
+
+ // Default to lowest-privilege role, update later based on real role
+ currentUserRole := store.RoleUser
+ currentUser, err := s.GetCurrentUser(ctx)
+ if err == nil && currentUser != nil {
+ currentUserRole = currentUser.Role
+ }
+
 for _, identityProvider := range identityProviders {
- response.IdentityProviders = append(response.IdentityProviders, convertIdentityProviderFromStore(identityProvider))
+ identityProviderConverted := convertIdentityProviderFromStore(identityProvider)
+ response.IdentityProviders = append(response.IdentityProviders, redactIdentityProviderResponse(identityProviderConverted, currentUserRole))
 }
 return response, nil
 }
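Review bot: The role lookup that gates redaction, `if err == nil && currentUser != nil {`, silently discards the GetCurrentUser error and the same seven lines are repeated verbatim in the GetIdentityProvider hunk; falling back to store.RoleUser fails closed, so the behaviour is safe, but two hand-copied guards are the kind of thing that drift apart when a third handler or a new role is added. A small method on APIV1Service that resolves the caller's role and returns store.RoleUser on any failure keeps the fail-closed rule in one place, and its doc comment can state explicitly that an unresolved caller is treated as lowest privilege so the client secret is never exposed on an error path. The body of ListIdentityProviders starts before this hunk, so the error handling that precedes the loop cannot be checked from here.

```go
// callerRole returns the role of the authenticated caller, or store.RoleUser
// when the caller cannot be resolved, so a lookup failure never widens access.
func (s *APIV1Service) callerRole(ctx context.Context) store.Role {
	currentUser, err := s.GetCurrentUser(ctx)
	if err != nil || currentUser == nil {
		return store.RoleUser
	}
	return currentUser.Role
}
// … unchanged: ListIdentityProviders, with the inline role block replaced by currentUserRole := s.callerRole(ctx) …
```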
@@ -58,7 +67,16 @@ func (s *APIV1Service) GetIdentityProvider(ctx context.Context, request *v1pb.Ge
 if identityProvider == nil {
 return nil, status.Errorf(codes.NotFound, "identity provider not found")
 }
- return convertIdentityProviderFromStore(identityProvider), nil
+
+ // Default to lowest-privilege role, update later based on real role
+ currentUserRole := store.RoleUser
+ currentUser, err := s.GetCurrentUser(ctx)
+ if err == nil && currentUser != nil {
+ currentUserRole = currentUser.Role
+ }
+
+ identityProviderConverted := convertIdentityProviderFromStore(identityProvider)
+ return redactIdentityProviderResponse(identityProviderConverted, currentUserRole), nil
 }
 
 func (s *APIV1Service) UpdateIdentityProvider(ctx context.Context, request *v1pb.UpdateIdentityProviderRequest) (*v1pb.IdentityProvider, error) {
@@ -183,3 +201,13 @@ func convertIdentityProviderConfigToStore(identityProviderType v1pb.IdentityProv
 }
 return nil
 }
+
+func redactIdentityProviderResponse(identityProvider *v1pb.IdentityProvider, userRole store.Role) *v1pb.IdentityProvider {
+ if userRole != store.RoleHost {
+ if identityProvider.Type == v1pb.IdentityProvider_OAUTH2 {
+ identityProvider.Config.GetOauth2Config().ClientSecret = ""
+ }
+ }
+
+ return identityProvider
+}
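Review bot: In the redactIdentityProviderResponse hunk, `identityProvider.Config.GetOauth2Config().ClientSecret = ""` assigns through the getter's result without a nil check; if Config is a generated protobuf oneof, as the Get prefix suggests, the getter returns nil when the OAuth2 variant is absent, so a record whose Type says OAUTH2 but whose config is missing or of another kind would panic inside the request handler rather than be redacted. Keying the redaction on the config that is actually present rather than on Type also covers the case where the two disagree, so the inner check can become `if cfg := identityProvider.Config.GetOauth2Config(); cfg != nil { cfg.ClientSecret = "" }`. The helper has no doc comment; something like `// redactIdentityProviderResponse clears the OAuth2 client secret in place for every role except store.RoleHost and returns the same pointer.` would record that it mutates its argument, which is only safe because both callers pass the freshly converted proto from convertIdentityProviderFromStore rather than a shared store object. Whether convertIdentityProviderFromStore can return nil, and whether RoleAdmin is meant to see the secret, is not visible in this patch; as written every role except host is redacted, which is the conservative default.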