Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
The endpoint /admin/{realmId}/console/config provides the frontend OIDC configuration for the Keycloak Administration Console. This endpoint is unauthenticated by design so that login can be initialized, but it reflects the underlying client configuration directly instead of filtering it. If an administrator changes the security-admin-console client (which is public by default) to confidential, the server includes credentials.secret in the public response, so any unauthenticated user can obtain the client secret.
Version
26.5.1
Regression
[ ] The issue is a regression
Expected behavior
The endpoint should strictly filter the response to include only public OIDC parameters. It should never expose the credentials object or internal secrets, regardless of whether the client is configured as public or confidential.
Actual behavior
The endpoint leaks the client secret and internal authorization metadata if the security-admin-console client is switched to confidential mode.
How to Reproduce?
1. Start Keycloak using the standard container guide.
2. Log in to the Admin Console as an administrator.
3. Navigate to Clients -> security-admin-console.
4. Set Client Authentication to On and Authorization to On. Save the changes.
5. Access the config endpoint via a tool like curl without providing any authentication headers: GET http://localhost:8080/admin/master/console/config
6. Observe that the JSON response contains the credentials block with the plain-text secret.
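As an added example (not code from the issue or from the Keycloak project), a check an operator can run on the JSON body returned by the request in step 5 against their own instance, together with the allowlist filter the expected behavior calls for. The sample response is constructed, and the field names are assumed to follow the keycloak.json adapter format.

```python
import json

# Keys an unauthenticated console-config response legitimately needs
# (assumption: keycloak.json adapter-style keys; adjust for your version).
PUBLIC_CONFIG_KEYS = {"realm", "auth-server-url", "ssl-required",
                      "resource", "public-client", "confidential-port"}

# Keys whose presence in an unauthenticated response indicates a leak.
SENSITIVE_KEYS = {"credentials", "secret", "authorization", "policy-enforcer"}

# Constructed sample of the leaky response described in the issue (not real output).
SAMPLE_LEAKY_RESPONSE = json.dumps({
    "realm": "master",
    "auth-server-url": "http://localhost:8080/",
    "ssl-required": "external",
    "resource": "security-admin-console",
    "credentials": {"secret": "PLACEHOLDER-NOT-A-REAL-SECRET"},
    "confidential-port": 0,
    "policy-enforcer": {},
})


def find_sensitive_paths(obj, path=""):
    """Walk parsed JSON and return dotted paths of every sensitive key found."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                hits.append(child)
            hits.extend(find_sensitive_paths(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_sensitive_paths(item, f"{path}[{i}]"))
    return hits


def filter_public_config(config):
    """Allowlist filter: keep only keys that are safe to serve without auth."""
    return {k: v for k, v in config.items() if k in PUBLIC_CONFIG_KEYS}


def check_response(body):
    """Return (is_safe, sensitive_paths) for a raw response body string."""
    hits = find_sensitive_paths(json.loads(body))
    return (not hits, hits)


if __name__ == "__main__":
    safe, hits = check_response(SAMPLE_LEAKY_RESPONSE)
    print("safe:", safe, "sensitive paths:", hits)
    print("filtered:", json.dumps(filter_public_config(json.loads(SAMPLE_LEAKY_RESPONSE))))
```

Pass the body from the curl request in step 5 to check_response to confirm that a patched instance returns no sensitive paths.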
Anything else?
No response