From 2a23ff8561aab5ef2b24cfcd7e2334c1c47b8b9f Mon Sep 17 00:00:00 2001
From: vramik
Date: Sun, 26 Oct 2025 14:16:29 +0100
Subject: [PATCH] Make set creadential label use `reset-password` scope
Closes #43460
Signed-off-by: vramik
---
 .../org/keycloak/services/resources/admin/UserResource.java | 4 ++--
 .../admin/authz/fgap/UserResourceTypeEvaluationTest.java | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java b/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java
index cfcabe57801f..4637eb01ea69 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java
@@ -892,7 +892,7 @@ public void removeCredential(final @PathParam("credentialId") String credentialI
 @APIResponse(responseCode = "404", description = "Not Found")
 })
 public void setCredentialUserLabel(final @PathParam("credentialId") String credentialId, String userLabel) {
- auth.users().requireManage(user);
+ auth.users().requireResetPassword(user);
 CredentialModel credential = user.credentialManager().getStoredCredentialById(credentialId);
 if (credential == null) {
 // we do this to make sure somebody can't phish ids
@@ -1324,4 +1324,4 @@ public SendEmailParams(String redirectUri, String clientId, Integer lifespan) {
 this.lifespan = lifespan;
 }
 }
-}
\ No newline at end of file
+}
diff --git a/tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/UserResourceTypeEvaluationTest.java b/tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/UserResourceTypeEvaluationTest.java
index c77644f06c00..d871caa939ca 100644
--- a/tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/UserResourceTypeEvaluationTest.java
+++ b/tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/UserResourceTypeEvaluationTest.java
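Review bot: In `setCredentialUserLabel` (UserResource.java) the lookup right after the new `requireResetPassword(user)` check still accepts any stored credential id, so an admin holding only the `reset-password` scope could presumably relabel the user's OTP or WebAuthn credentials as well as the password. The accompanying test motivates the change by the admin UI labelling the password it has just reset, so the narrower grant would keep the stronger check for every other type, for example after the null check: `if (!PasswordCredentialModel.TYPE.equals(credential.getType())) auth.users().requireManage(user);`. The method body continues past the end of the hunk, so confirm that no type check already exists further down. A one-line comment on the new call, such as `// reset-password suffices: the admin UI labels the password it has just reset`, would record why this endpoint does not require `manage`.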
@@ -18,6 +18,7 @@ package org.keycloak.tests.admin.authz.fgap;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -474,6 +475,11 @@ public void testResetPassword() {
 createPermission(client, userAlice.admin().toRepresentation().getId(), usersType, Set.of(VIEW), allowMyAdminPermission);
 users.get(search.get(0).getId()).resetPassword(credential);
+
+ // set credential label - admin UI sets the label upon resetting the password
+ List credentials = users.get(search.get(0).getId()).credentials();
+ assertThat(credentials, hasSize(1));
+ users.get(search.get(0).getId()).setCredentialUserLabel(credentials.get(0).getId(), "User Label");
 }
 @Test
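Review bot: The lines added to `testResetPassword` only show that `setCredentialUserLabel` does not throw for the password credential; nothing asserts that the label was stored, and nothing covers the deny path that this authorization change moves. After the call I would add `assertEquals("User Label", users.get(search.get(0).getId()).credentials().get(0).getUserLabel());`. A companion case is also worth adding, in which an admin without the `reset-password` scope is rejected on the same endpoint, so that a later loosening of the check is caught. The test method starts outside the hunk, so its earlier setup may already cover part of this.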