From 23cc57c9f6bd79113489ea59174ba0654c8e4d78 Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Wed, 29 Oct 2025 17:15:36 +0000
Subject: [PATCH] [PR #11005/54af64ad backport][stable-11] keycloak_user: mark credentials[].value as no_log=True (#11012)

keycloak_user: mark credentials[].value as no_log=True (#11005)

Mark credentials[].value as no_log=True.

(cherry picked from commit 54af64ad363efe280b34102d2637fe272c1f7320)

Co-authored-by: Felix Fontein
---
 changelogs/fragments/11005-keycloak_user.yml | 4 ++++
 plugins/modules/keycloak_user.py | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/11005-keycloak_user.yml

diff --git a/changelogs/fragments/11005-keycloak_user.yml b/changelogs/fragments/11005-keycloak_user.yml
new file mode 100644
index 0000000000..d715ca8c94
--- /dev/null
+++ b/changelogs/fragments/11005-keycloak_user.yml
@@ -0,0 +1,4 @@
+security_fixes:
+ - "keycloak_user - the parameter ``credentials[].value`` is now marked as ``no_log=true``. Before it was logged by Ansible, unless the task was marked as ``no_log: true``.
+ Since this parameter can be used for passwords, this resulted in credential leaking
+ (https://github.com/ansible-collections/community.general/issues/11000, https://github.com/ansible-collections/community.general/pull/11005)."
diff --git a/plugins/modules/keycloak_user.py b/plugins/modules/keycloak_user.py
index 2b3c838483..ab038f9f38 100644
--- a/plugins/modules/keycloak_user.py
+++ b/plugins/modules/keycloak_user.py
@@ -357,7 +357,7 @@ def main():
 argument_spec['auth_username']['aliases'] = []
 credential_spec = dict(
 type=dict(type='str', required=True),
- value=dict(type='str', required=True),
+ value=dict(type='str', required=True, no_log=True),
 temporary=dict(type='bool', default=False)
 )
 client_consents_spec = dict(
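Review bot: The `no_log=True` on `value` in `credential_spec` only takes effect if the top-level `credentials` option is declared as a list of dicts with `options=credential_spec`, so that AnsibleModule validates the sub-spec and registers the value for masking; that declaration is outside this hunk and should be confirmed. The DOCUMENTATION block for the `credentials` suboption `value` (also outside the hunk) should state the new behaviour, e.g. add `The value is not logged by Ansible (no_log).` to its description, so playbook authors know the task-level `no_log: true` is no longer the only protection. Note that Ansible masks no_log values in module output by string match, so any returned state that echoes the credential is redacted too, but a value that appears elsewhere in the result will be replaced as well. The enclosing `main()` starts and ends outside the hunk.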