diff --git a/changelogs/fragments/8355-keycloak-idp-sanitize.yaml b/changelogs/fragments/8355-keycloak-idp-sanitize.yaml
new file mode 100644
index 0000000000..3a7942bb88
--- /dev/null
+++ b/changelogs/fragments/8355-keycloak-idp-sanitize.yaml
@@ -0,0 +1,2 @@
+security_fixes:
+  - keycloak_identity_provider - the client secret was not correctly sanitized by the module. The return values ``proposed``, ``existing``, and ``end_state``, as well as the diff, did contain the client secret unmasked (https://github.com/ansible-collections/community.general/pull/8355).
\ No newline at end of file
diff --git a/plugins/modules/keycloak_identity_provider.py b/plugins/modules/keycloak_identity_provider.py
index 0d12ae03a4..e0d95c95f4 100644
--- a/plugins/modules/keycloak_identity_provider.py
+++ b/plugins/modules/keycloak_identity_provider.py
@@ -436,7 +436,7 @@ def sanitize(idp):
     idpcopy = deepcopy(idp)
     if 'config' in idpcopy:
         if 'clientSecret' in idpcopy['config']:
-            idpcopy['clientSecret'] = '**********'
+            idpcopy['config']['clientSecret'] = '**********'
     return idpcopy
diff --git a/tests/integration/targets/keycloak_identity_provider/tasks/main.yml b/tests/integration/targets/keycloak_identity_provider/tasks/main.yml
index 79ba330494..eb8ccd222c 100644
--- a/tests/integration/targets/keycloak_identity_provider/tasks/main.yml
+++ b/tests/integration/targets/keycloak_identity_provider/tasks/main.yml
@@ -62,6 +62,7 @@
         - result.existing == {}
         - result.end_state.alias == "{{ idp }}"
         - result.end_state.mappers != []
+        - result.end_state.config.client_secret = "**********"
 - name: Update existing identity provider (no change)
   community.general.keycloak_identity_provider:
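Review bot: The corrected line masks the secret only when `config` is a mapping that contains the literal key `clientSecret`; if a `config` value of `None` can reach this function (a `proposed` or `existing` dict that carries the key without a mapping), `'clientSecret' in idpcopy['config']` raises `TypeError` and the unsanitized input never gets a masked copy at all, so the two `if`s are safer as `if isinstance(idpcopy.get('config'), dict) and 'clientSecret' in idpcopy['config']:` — worth confirming whether that shape occurs. Since the fix is a security one, it deserves a unit test of `sanitize` itself (input with `clientSecret` set: the returned copy has `'**********'` under `config`, the original dict is untouched, and the secret string appears nowhere in the result), because the integration assertion added in this PR checks only `end_state` while the changelog also names `proposed`, `existing` and the diff. `sanitize` also has no docstring in view; I would add `"""Return a deep copy of *idp* with ``config.clientSecret`` replaced by a fixed mask, for use in return values and diff output."""`. The `def sanitize(idp):` line is outside the hunk.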
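Review bot: The added assertion uses a single `=`, which Jinja2 does not accept inside an expression, so this `assert` task would error at templating time instead of verifying the mask; it should read `- result.end_state.config.client_secret == "**********"`. It also assumes `end_state.config` is exposed with snake_case keys, whereas the module hunk masks the camelCase key `clientSecret`; if the returned config keeps Keycloak's key names, the check must target `result.end_state.config.clientSecret` instead — confirm against the module's return-value conversion, since a wrong key would make the assertion fail on the very case it is meant to protect. Adding the same check on `result.proposed.config` and on `result.diff` would cover the other return values the changelog says leaked the secret. The `assert` task this line belongs to begins before the hunk.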