package org.keycloak.services.resources;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import jakarta.ws.rs.core.UriBuilderException;
import jakarta.ws.rs.core.UriInfo;
import java.net.URI;
import java.util.Map;
import org.jboss.logging.Logger;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.AuthenticationFlowException;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.ExplainedVerificationException;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionContextResult;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.authentication.actiontoken.ActionTokenContext;
import org.keycloak.authentication.actiontoken.ActionTokenHandler;
import org.keycloak.authentication.actiontoken.DefaultActionToken;
import org.keycloak.authentication.actiontoken.ExplainedTokenVerificationException;
import org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionTokenHandler;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.PostBrokerLoginConstants;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
import org.keycloak.authentication.forms.AbstractRegistrationRecaptcha;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.Profile;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.Time;
import org.keycloak.common.util.TriFunction;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.exceptions.TokenNotActiveException;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.forms.login.MessageType;
import org.keycloak.forms.login.freemarker.DetachedInfoStateChecker;
import org.keycloak.forms.login.freemarker.DetachedInfoStateCookie;
import org.keycloak.http.HttpRequest;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.DefaultActionTokenKey;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.SingleUseObjectKeyModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.AuthenticationFlowResolver;
import org.keycloak.models.utils.DefaultRequiredActions;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.SystemClientUtil;
import org.keycloak.organization.OrganizationProvider;
import org.keycloak.organization.utils.Organizations;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.grants.device.DeviceGrantType;
import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.UserConsentManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.AuthenticationFlowURLHelper;
import org.keycloak.services.util.BrowserHistoryHelper;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.services.util.LocaleUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/services/resources/LoginActionsService.class */
public class LoginActionsService {
    private static final Logger logger = Logger.getLogger(LoginActionsService.class);
    // Path segments and flow identifiers. AUTHENTICATE_PATH, REGISTRATION_PATH, RESTART_PATH and
    // DETACHED_INFO_PATH are used in @Path annotations further down in this class.
    public static final String AUTHENTICATE_PATH = "authenticate";
    public static final String REGISTRATION_PATH = "registration";
    public static final String RESET_CREDENTIALS_PATH = "reset-credentials";
    public static final String REQUIRED_ACTION = "required-action";
    public static final String FIRST_BROKER_LOGIN_PATH = "first-broker-login";
    public static final String POST_BROKER_LOGIN_PATH = "post-broker-login";
    public static final String RESTART_PATH = "restart";
    public static final String DETACHED_INFO_PATH = "detached-info";
    // Auth-note key: processFlow reads this note, removes it and forwards its value as an error message.
    public static final String FORWARDED_ERROR_MESSAGE_NOTE = "forwardedErrorMessage";
    // Same spelling as the "session_code" and "auth_session_id" query parameters bound by the endpoints below.
    public static final String SESSION_CODE = "session_code";
    public static final String AUTH_SESSION_ID = "auth_session_id";
    public static final String CANCEL_AIA = "cancel-aia";
    // realm, request, headers and clientConnection are read from the session's context in the constructor.
    private final RealmModel realm;
    private final HttpRequest request;
    protected final HttpHeaders headers;
    private final ClientConnection clientConnection;
    protected final KeycloakSession session;
    // Not final: handleActionToken replaces it with the event carried by the ActionTokenContext.
    private EventBuilder event;

    /**
     * Builds the login-actions base URL starting from the request's base URI.
     *
     * @param uriInfo request URI information; only its base URI builder is used
     * @return the builder returned by {@link #loginActionsBaseUrl(UriBuilder)}
     */
    public static UriBuilder loginActionsBaseUrl(UriInfo uriInfo) {
        UriBuilder baseBuilder = uriInfo.getBaseUriBuilder();
        return loginActionsBaseUrl(baseBuilder);
    }

    /**
     * Returns a builder for the URL of the {@code authenticateForm} resource method.
     *
     * <p>The method is looked up by name, so renaming {@code authenticateForm} must be mirrored here.
     *
     * @param uriInfo request URI information used to derive the base URL
     * @return builder with the {@code authenticateForm} path appended
     */
    public static UriBuilder authenticationFormProcessor(UriInfo uriInfo) {
        UriBuilder actionsBase = loginActionsBaseUrl(uriInfo);
        return actionsBase.path(LoginActionsService.class, "authenticateForm");
    }

    /**
     * Returns a builder for the URL of the {@code requiredActionPOST} resource method.
     *
     * <p>The method is looked up by name; it is not defined in the part of the class shown here.
     *
     * @param uriInfo request URI information used to derive the base URL
     * @return builder with the {@code requiredActionPOST} path appended
     */
    public static UriBuilder requiredActionProcessor(UriInfo uriInfo) {
        UriBuilder actionsBase = loginActionsBaseUrl(uriInfo);
        return actionsBase.path(LoginActionsService.class, "requiredActionPOST");
    }

    /**
     * Returns a builder for the URL of the {@code executeActionToken} resource method.
     *
     * <p>The method is looked up by name, so renaming {@code executeActionToken} must be mirrored here.
     *
     * @param uriInfo request URI information used to derive the base URL
     * @return builder with the {@code executeActionToken} path appended
     */
    public static UriBuilder actionTokenProcessor(UriInfo uriInfo) {
        UriBuilder actionsBase = loginActionsBaseUrl(uriInfo);
        return actionsBase.path(LoginActionsService.class, "executeActionToken");
    }

    /**
     * Returns a builder for the URL of the {@code processRegister} resource method.
     *
     * <p>The method is looked up by name, so renaming {@code processRegister} must be mirrored here.
     *
     * @param uriInfo request URI information used to derive the base URL
     * @return builder with the {@code processRegister} path appended
     */
    public static UriBuilder registrationFormProcessor(UriInfo uriInfo) {
        UriBuilder actionsBase = loginActionsBaseUrl(uriInfo);
        return actionsBase.path(LoginActionsService.class, "processRegister");
    }

    /**
     * Returns a builder for the URL of the {@code firstBrokerLoginGet} resource method.
     *
     * <p>The method is looked up by name; it is not defined in the part of the class shown here.
     *
     * @param uriInfo request URI information used to derive the base URL
     * @return builder with the {@code firstBrokerLoginGet} path appended
     */
    public static UriBuilder firstBrokerLoginProcessor(UriInfo uriInfo) {
        UriBuilder actionsBase = loginActionsBaseUrl(uriInfo);
        return actionsBase.path(LoginActionsService.class, "firstBrokerLoginGet");
    }

    /**
     * Returns a builder for the URL of the {@code postBrokerLoginGet} resource method.
     *
     * <p>The method is looked up by name; it is not defined in the part of the class shown here.
     *
     * @param uriInfo request URI information used to derive the base URL
     * @return builder with the {@code postBrokerLoginGet} path appended
     */
    public static UriBuilder postBrokerLoginProcessor(UriInfo uriInfo) {
        UriBuilder actionsBase = loginActionsBaseUrl(uriInfo);
        return actionsBase.path(LoginActionsService.class, "postBrokerLoginGet");
    }

    /**
     * Appends the path of {@code RealmsResource} and of its {@code getLoginActionsService}
     * method to the given builder.
     *
     * @param uriBuilder builder to extend
     * @return the builder returned by the second {@code path(...)} call
     */
    public static UriBuilder loginActionsBaseUrl(UriBuilder uriBuilder) {
        UriBuilder realmsRoot = uriBuilder.path(RealmsResource.class);
        return realmsRoot.path(RealmsResource.class, "getLoginActionsService");
    }

    /**
     * Creates the resource for one request and captures the request-scoped collaborators
     * from the session's context.
     *
     * @param keycloakSession session whose context supplies connection, realm, HTTP request and headers
     * @param eventBuilder event builder used by the endpoints of this resource
     */
    public LoginActionsService(KeycloakSession keycloakSession, EventBuilder eventBuilder) {
        session = keycloakSession;
        clientConnection = keycloakSession.getContext().getConnection();
        realm = keycloakSession.getContext().getRealm();
        event = eventBuilder;
        // Invoked for every instance of this resource, i.e. before any endpoint method runs.
        CacheControlUtil.noBackButtonCacheControlHeader(keycloakSession);
        request = keycloakSession.getContext().getHttpRequest();
        headers = keycloakSession.getContext().getRequestHeaders();
    }

    /**
     * Tells whether the current request satisfies the realm's SSL requirement.
     *
     * @return {@code true} when the request base URI uses {@code https}, or when the realm does
     *         not require SSL for this client connection
     */
    private boolean checkSsl() {
        // NOTE(review): the scheme is read from the request base URI; behind a reverse proxy that
        // value presumably depends on how forwarded headers are trusted. Confirm for the deployment.
        String scheme = this.session.getContext().getUri().getBaseUri().getScheme();
        if (scheme.equals("https")) {
            return true;
        }
        return !this.realm.getSslRequired().isRequired(this.clientConnection);
    }

    /**
     * Creates a {@link SessionCodeChecks} for the request and runs its {@code initialVerify()} step.
     *
     * <p>Argument order as passed by {@code authenticate}: auth session id, session code,
     * execution, client id, tab id, client data, flow path.
     *
     * @return the checks object after {@code initialVerify()}; callers still have to validate the action
     */
    private SessionCodeChecks checksForCode(String str, String str2, String str3, String str4, String str5, String str6, String str7) {
        SessionCodeChecks checks = new SessionCodeChecks(
                this.realm,
                this.session.getContext().getUri(),
                this.request,
                this.clientConnection,
                this.session,
                this.event,
                str, str2, str3, str4, str5, str6, str7);
        checks.initialVerify();
        return checks;
    }

    /**
     * Delegates to {@link AuthenticationFlowURLHelper#getLastExecutionUrl} for the current session,
     * realm and request URI.
     *
     * <p>{@code restartSession} passes flow path, {@code null}, client id, tab id and client data,
     * in that order. The second argument is presumably the execution id (TODO confirm).
     *
     * @return the URL computed by the helper
     */
    protected URI getLastExecutionUrl(String str, String str2, String str3, String str4, String str5) {
        AuthenticationFlowURLHelper urlHelper = new AuthenticationFlowURLHelper(this.session, this.realm, this.session.getContext().getUri());
        return urlHelper.getLastExecutionUrl(str, str2, str3, str4, str5);
    }

    /**
     * Restarts the authentication flow of the current authentication session and redirects the
     * browser to the flow's last execution URL.
     *
     * <p>This is a GET endpoint with side effects. Unless {@code skip_logout} parses as
     * {@code true}, a user session attached to the authentication session is logged out over the
     * back channel and the authentication session is recreated. {@code Boolean.parseBoolean}
     * yields {@code false} for {@code null} and for any value other than "true" (ignoring case),
     * so logging out is the default.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code client_id} query parameter
     * @param str3 {@code tab_id} query parameter
     * @param str4 {@code client_data} query parameter
     * @param str5 {@code skip_logout} query parameter
     * @return the response prepared by {@link SessionCodeChecks} when no authentication session
     *         could be verified, otherwise a 302 redirect
     */
    @Path(RESTART_PATH)
    @GET
    public Response restartSession(@QueryParam("auth_session_id") String str, @QueryParam("client_id") String str2, @QueryParam("tab_id") String str3, @QueryParam("client_data") String str4, @QueryParam("skip_logout") String str5) {
        this.event.event(EventType.RESTART_AUTHENTICATION);
        SessionCodeChecks restartChecks = new SessionCodeChecks(this.realm, this.session.getContext().getUri(), this.request, this.clientConnection, this.session, this.event, str, null, null, str2, str3, str4, null);
        AuthenticationSessionModel authSession = restartChecks.initialVerifyAuthSession();
        if (authSession == null) {
            // Nothing below runs without a verified authentication session.
            return restartChecks.getResponse();
        }

        this.event.user(authSession.getAuthenticatedUser());
        this.event.detail("username", authSession.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME));
        this.event.detail("auth_method", authSession.getProtocol());

        // Fall back to the browser login flow when the session does not name an app-initiated flow.
        String flowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW);
        if (flowPath == null) {
            flowPath = AUTHENTICATE_PATH;
        }

        if (!Boolean.parseBoolean(str5)) {
            UserSessionModel userSession = new AuthenticationSessionManager(this.session).getUserSession(authSession);
            if (userSession != null) {
                logger.debugf("Logout of user session %s when restarting flow during re-authentication", userSession.getId());
                AuthenticationManager.backchannelLogout(this.session, userSession, false);
                authSession = AuthenticationProcessor.recreate(this.session, authSession);
            }
        }

        AuthenticationProcessor.resetFlow(authSession, flowPath);
        // Client id and tab id come from the verified session, not from the query parameters.
        URI redirectTarget = getLastExecutionUrl(flowPath, null, authSession.getClient().getClientId(), authSession.getTabId(), AuthenticationProcessor.getClientData(this.session, authSession));
        logger.debugf("Flow restart requested. Redirecting to %s", redirectTarget);
        this.event.success();
        return Response.status(Response.Status.FOUND).location(redirectTarget).build();
    }

    /**
     * Renders an info or error page whose content is taken from the detached-info state cookie.
     *
     * <p>Message type, message key, parameters and HTTP status are used only after
     * {@code verifyStateCheckerParameter} has accepted the {@code kc_state_checker} value. A
     * {@link VerificationException} produces a generic 400 error page.
     *
     * @param str {@code kc_state_checker} query parameter
     * @return the info page, the error page, or the 400 page on failed verification
     */
    @Path(DETACHED_INFO_PATH)
    @GET
    public Response detachedInfo(@QueryParam("kc_state_checker") String str) {
        try {
            DetachedInfoStateChecker stateChecker = new DetachedInfoStateChecker(this.session, this.realm);
            DetachedInfoStateCookie stateCookie = stateChecker.verifyStateCheckerParameter(str);
            // NOTE(review): the state checker value and the cookie content are written to the trace log.
            logger.tracef("Detached info endpoint invoked and cookie successfully verified. StateCheckerParam=%s, StateCookie=%s", str, stateCookie);
            processLocaleParam(null);

            // The "skipLink" attribute stays set unless a client other than the system client is resolved.
            boolean skipLink = true;
            if (stateCookie.getClientUuid() != null) {
                ClientModel cookieClient = this.session.clients().getClientById(this.realm, stateCookie.getClientUuid());
                if (cookieClient != null) {
                    this.session.getContext().setClient(cookieClient);
                    skipLink = cookieClient.equals(SystemClientUtil.getSystemClient(this.realm));
                }
            }

            // NOTE(review): Enum.valueOf throws for a null or unknown name, and fromStatusCode returns
            // null for a code it does not know. Neither case is handled here. Presumably the verified
            // cookie only carries values the server wrote itself; confirm.
            MessageType messageType = Enum.valueOf(MessageType.class, stateCookie.getMessageType());
            Response.Status pageStatus;
            if (stateCookie.getStatus() == null) {
                pageStatus = Response.Status.BAD_REQUEST;
            } else {
                pageStatus = Response.Status.fromStatusCode(stateCookie.getStatus().intValue());
            }

            LoginFormsProvider detachedForms = this.session.getProvider(LoginFormsProvider.class).setDetachedAuthSession();
            LoginFormsProvider page = detachedForms.setMessage(messageType, stateCookie.getMessageKey(), stateCookie.getMessageParameters() == null ? null : stateCookie.getMessageParameters().toArray());
            if (skipLink) {
                page.setAttribute("skipLink", true);
            }

            if (messageType == MessageType.ERROR) {
                return page.createErrorPage(pageStatus);
            }
            return page.createInfoPage();
        } catch (VerificationException verificationFailure) {
            // The exception message is logged only; the browser gets a fixed message key.
            logger.warn(verificationFailure.getMessage());
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.EXPIRED_ACTION_TOKEN_NO_SESSION, new Object[0]);
        }
    }

    /**
     * GET entry point of the browser login flow.
     *
     * <p>The flow is processed only after {@link SessionCodeChecks} has accepted the request for
     * the {@code AUTHENTICATE} action. Otherwise the response prepared by the checks is returned.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code session_code} query parameter
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code tab_id} query parameter
     * @param str6 {@code client_data} query parameter
     * @return the flow response, or the response prepared by the failed checks
     */
    @Path(AUTHENTICATE_PATH)
    @GET
    public Response authenticate(@QueryParam("auth_session_id") String str, @QueryParam("session_code") String str2, @QueryParam("execution") String str3, @QueryParam("client_id") String str4, @QueryParam("tab_id") String str5, @QueryParam("client_data") String str6) {
        this.event.event(EventType.LOGIN);
        SessionCodeChecks codeChecks = checksForCode(str, str2, str3, str4, str5, str6, AUTHENTICATE_PATH);
        boolean accepted = codeChecks.verifyActiveAndValidAction(CommonClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN);
        if (!accepted) {
            return codeChecks.getResponse();
        }

        AuthenticationSessionModel authSession = codeChecks.getAuthenticationSession();
        boolean actionRequest = codeChecks.isActionRequest();
        processLocaleParam(authSession);
        return processAuthentication(actionRequest, str3, authSession, null);
    }

    /**
     * Hands locale processing for the current request to {@link LocaleUtil#processLocaleParam}.
     *
     * @param authenticationSessionModel authentication session to pass on; {@code detachedInfo}
     *        calls this with {@code null}
     */
    protected void processLocaleParam(AuthenticationSessionModel authenticationSessionModel) {
        LocaleUtil.processLocaleParam(session, realm, authenticationSessionModel);
    }

    /**
     * Runs the browser flow resolved for the authentication session through {@link #processFlow}.
     *
     * @param z {@code true} when the request is an action on an execution rather than a fresh start
     * @param str execution passed on to the processor
     * @param authenticationSessionModel authentication session the flow runs in
     * @param str2 optional error message to forward to the form, or {@code null}
     * @return the response produced by {@link #processFlow}
     */
    protected Response processAuthentication(boolean z, String str, AuthenticationSessionModel authenticationSessionModel, String str2) {
        AuthenticationFlowModel browserFlow = AuthenticationFlowResolver.resolveBrowserFlow(authenticationSessionModel);
        AuthenticationProcessor processor = new AuthenticationProcessor();
        return processFlow(z, str, authenticationSessionModel, AUTHENTICATE_PATH, browserFlow, str2, processor);
    }

    /**
     * Configures the given processor for this request, runs the flow and hands the outcome to
     * {@link BrowserHistoryHelper}.
     *
     * @param z {@code true} to call {@code authenticationAction(str)}, {@code false} to call {@code authenticate()}
     * @param str execution passed to {@code authenticationAction}
     * @param authenticationSessionModel authentication session the flow runs in
     * @param str2 flow path set on the processor
     * @param authenticationFlowModel flow whose id is set on the processor
     * @param str3 optional error message to forward, or {@code null}
     * @param authenticationProcessor processor to configure and run
     * @return the response returned by {@code saveResponseAndRedirect}
     */
    protected Response processFlow(boolean z, String str, AuthenticationSessionModel authenticationSessionModel, String str2, AuthenticationFlowModel authenticationFlowModel, String str3, AuthenticationProcessor authenticationProcessor) {
        authenticationProcessor.setAuthenticationSession(authenticationSessionModel)
                .setFlowPath(str2)
                .setBrowserFlow(true)
                .setFlowId(authenticationFlowModel.getId())
                .setConnection(this.clientConnection)
                .setEventBuilder(this.event)
                .setRealm(this.realm)
                .setSession(this.session)
                .setUriInfo(this.session.getContext().getUri())
                .setRequest(this.request);

        if (str3 != null) {
            authenticationProcessor.setForwardedErrorMessage(new FormMessage((String) null, str3));
        }
        // A message stored in the session note is consumed once, and replaces the one set above.
        String notedMessage = authenticationSessionModel.getAuthNote(FORWARDED_ERROR_MESSAGE_NOTE);
        if (notedMessage != null) {
            authenticationSessionModel.removeAuthNote(FORWARDED_ERROR_MESSAGE_NOTE);
            authenticationProcessor.setForwardedErrorMessage(new FormMessage((String) null, notedMessage));
        }

        Response flowResponse;
        AuthenticationSessionModel sessionForHistory = authenticationSessionModel;
        try {
            if (z) {
                flowResponse = authenticationProcessor.authenticationAction(str);
            } else {
                flowResponse = authenticationProcessor.authenticate();
            }
        } catch (WebApplicationException webFailure) {
            flowResponse = webFailure.getResponse();
            // After a failure the processor's own view of the session is used from here on.
            sessionForHistory = authenticationProcessor.getAuthenticationSession();
        } catch (Exception failure) {
            // Every other failure is turned into a response by the processor.
            flowResponse = authenticationProcessor.handleBrowserException(failure);
            sessionForHistory = authenticationProcessor.getAuthenticationSession();
        }
        return BrowserHistoryHelper.getInstance().saveResponseAndRedirect(this.session, sessionForHistory, flowResponse, z, this.request);
    }

    /**
     * POST entry point of the browser login flow. Applies the same handling as
     * {@link #authenticate}; all inputs bound here are query parameters.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code session_code} query parameter
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code tab_id} query parameter
     * @param str6 {@code client_data} query parameter
     * @return the response of {@link #authenticate}
     */
    @POST
    @Path(AUTHENTICATE_PATH)
    public Response authenticateForm(@QueryParam("auth_session_id") String str, @QueryParam("session_code") String str2, @QueryParam("execution") String str3, @QueryParam("client_id") String str4, @QueryParam("tab_id") String str5, @QueryParam("client_data") String str6) {
        Response loginResponse = authenticate(str, str2, str3, str4, str5, str6);
        return loginResponse;
    }

    /**
     * POST entry point of the reset-credentials flow.
     *
     * <p>A request carrying a {@code key} is handled as an action token. Only requests without
     * one go through the session-code based reset flow.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code session_code} query parameter
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code tab_id} query parameter
     * @param str6 {@code client_data} query parameter
     * @param str7 {@code key} query parameter (action token), may be {@code null}
     * @return the response of the action-token handling or of the reset-credentials flow
     */
    @POST
    @Path("reset-credentials")
    public Response resetCredentialsPOST(@QueryParam("auth_session_id") String str, @QueryParam("session_code") String str2, @QueryParam("execution") String str3, @QueryParam("client_id") String str4, @QueryParam("tab_id") String str5, @QueryParam("client_data") String str6, @QueryParam("key") String str7) {
        if (str7 == null) {
            this.event.event(EventType.RESET_PASSWORD);
            return resetCredentials(str, str2, str3, str4, str5, str6);
        }
        return handleActionToken(str7, str3, str4, str5, str6, null);
    }

    /**
     * GET entry point of the reset-credentials flow.
     *
     * <p>If an authentication session exists for the client and tab, or a session code or client
     * data is supplied, the request continues the existing flow. Otherwise a new authentication
     * session is created, and only when the realm allows password reset. On that path
     * {@code redirect_uri} is used solely via {@code createAuthenticationSessionForClient}, which
     * validates it against the client.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code session_code} query parameter
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code redirect_uri} query parameter
     * @param str6 {@code tab_id} query parameter
     * @param str7 {@code client_data} query parameter
     * @return the flow response, or a 400 error page when password reset is not allowed
     */
    @Path("reset-credentials")
    @GET
    public Response resetCredentialsGET(@QueryParam("auth_session_id") String str, @QueryParam("session_code") String str2, @QueryParam("execution") String str3, @QueryParam("client_id") String str4, @QueryParam("redirect_uri") String str5, @QueryParam("tab_id") String str6, @QueryParam("client_data") String str7) {
        AuthenticationSessionManager sessionManager = new AuthenticationSessionManager(this.session);
        ClientModel requestedClient = this.realm.getClientByClientId(str4);
        AuthenticationSessionModel existingSession = sessionManager.getCurrentAuthenticationSession(this.realm, requestedClient, str6);
        processLocaleParam(existingSession);
        this.event.event(EventType.RESET_PASSWORD);

        boolean startsNewFlow = existingSession == null && str2 == null && str7 == null;
        if (!startsNewFlow) {
            return resetCredentials(str, str2, str3, str4, str6, str7);
        }
        if (!this.realm.isResetPasswordAllowed()) {
            this.event.error("not_allowed");
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.RESET_CREDENTIAL_NOT_ALLOWED, new Object[0]);
        }
        return processResetCredentials(false, null, createAuthenticationSessionForClient(str4, str5), null);
    }

    /**
     * Creates a new root and client authentication session for a flow started without an
     * existing session.
     *
     * <p>With a client id, the client must exist and be enabled, and a supplied redirect URI must
     * pass {@code RedirectUtils.verifyRedirectUri}. The session stores the value returned by that
     * check, not the raw parameter. Without a client id, a redirect URI is rejected and the
     * system client is used together with the realm's account base URL.
     *
     * @param str client id, or {@code null} to use the system client
     * @param str2 requested redirect URI, or {@code null}
     * @return the new authentication session, prepared for an OpenID Connect code flow
     * @throws ErrorPageException with status 400 when the client is unknown or disabled, the
     *         redirect URI is invalid, or a redirect URI is given without a client id
     */
    AuthenticationSessionModel createAuthenticationSessionForClient(String str, String str2) throws UriBuilderException, IllegalArgumentException {
        ClientModel targetClient;
        String verifiedRedirect;
        if (str == null) {
            // A redirect target cannot be validated without knowing the client it belongs to.
            if (str2 != null) {
                logger.warn("Unsupported to send 'redirect_uri' parameter without providing 'client_id' parameter.");
                throw new ErrorPageException(this.session, null, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, "client_id");
            }
            targetClient = SystemClientUtil.getSystemClient(this.realm);
            verifiedRedirect = Urls.accountBase(this.session.getContext().getUri().getBaseUri()).path("/").build(new Object[]{this.realm.getName()}).toString();
        } else {
            targetClient = this.session.clients().getClientByClientId(this.realm, str);
            if (targetClient == null) {
                throw new ErrorPageException(this.session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND, new Object[0]);
            }
            if (!targetClient.isEnabled()) {
                throw new ErrorPageException(this.session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_DISABLED, new Object[0]);
            }
            if (str2 == null) {
                verifiedRedirect = null;
            } else {
                verifiedRedirect = RedirectUtils.verifyRedirectUri(this.session, str2, targetClient);
                if (verifiedRedirect == null) {
                    throw new ErrorPageException(this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_PARAMETER, "redirect_uri");
                }
            }
        }

        AuthenticationSessionModel freshSession = new AuthenticationSessionManager(this.session).createAuthenticationSession(this.realm, true).createAuthenticationSession(targetClient);
        freshSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
        freshSession.setProtocol("openid-connect");
        freshSession.setClientNote("response_type", "code");
        freshSession.setClientNote("iss", Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
        if (verifiedRedirect == null) {
            // No redirect target: mark the session to end once required actions are done.
            freshSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");
        } else {
            freshSession.setRedirectUri(verifiedRedirect);
            freshSession.setClientNote("redirect_uri", verifiedRedirect);
        }
        return freshSession;
    }

    /**
     * Continues the reset-credentials flow for an existing authentication session.
     *
     * <p>The session-code checks run first. The realm setting is evaluated afterwards, so a
     * request that fails the checks gets the response prepared by the checks.
     *
     * @param str auth session id
     * @param str2 session code
     * @param str3 execution
     * @param str4 client id
     * @param str5 tab id
     * @param str6 client data
     * @return the flow response, the response of the failed checks, or a 400 error page when
     *         the realm does not allow password reset
     */
    protected Response resetCredentials(String str, String str2, String str3, String str4, String str5, String str6) {
        SessionCodeChecks codeChecks = checksForCode(str, str2, str3, str4, str5, str6, "reset-credentials");
        boolean accepted = codeChecks.verifyActiveAndValidAction(CommonClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.USER);
        if (!accepted) {
            return codeChecks.getResponse();
        }

        AuthenticationSessionModel authSession = codeChecks.getAuthenticationSession();
        if (!this.realm.isResetPasswordAllowed()) {
            this.event.error("not_allowed");
            return ErrorPage.error(this.session, authSession, Response.Status.BAD_REQUEST, Messages.RESET_CREDENTIAL_NOT_ALLOWED, new Object[0]);
        }
        return processResetCredentials(codeChecks.isActionRequest(), str3, authSession, null);
    }

    /**
     * GET entry point for action tokens. All handling is done by {@link #handleActionToken}.
     *
     * <p>The token arrives in the {@code key} query parameter and is therefore part of the
     * request URL. The {@code auth_session_id} parameter is bound but not passed on.
     *
     * @param str {@code auth_session_id} query parameter (unused here)
     * @param str2 {@code key} query parameter, the serialized action token
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code client_data} query parameter
     * @param str6 {@code tab_id} query parameter
     * @return the response of {@link #handleActionToken}
     */
    @Path("action-token")
    @GET
    public Response executeActionToken(@QueryParam("auth_session_id") String str, @QueryParam("key") String str2, @QueryParam("execution") String str3, @QueryParam("client_id") String str4, @QueryParam("client_data") String str5, @QueryParam("tab_id") String str6) {
        // handleActionToken expects tab id before client data, the reverse of the order bound here.
        Response tokenResponse = handleActionToken(str2, str3, str4, str6, str5, null);
        return tokenResponse;
    }

    /**
     * Verifies an action token and passes it to the {@link ActionTokenHandler} registered for
     * its action id.
     *
     * <p>Order of work as visible in this method: optional client and authentication-session
     * lookup, token parsing, realm-enabled and SSL checks, token verification via
     * {@code withChecks.verify()}, authentication-session matching, user and client checks,
     * handler-specific verifiers, single-use enforcement, then {@code handleToken}.
     *
     * @param str serialized action token; {@code null} is rejected
     * @param str2 execution, passed into the {@link ActionTokenContext}
     * @param str3 client id used to resolve the client and the current authentication session, may be {@code null}
     * @param str4 tab id used for the authentication-session lookup
     * @param str5 client data, passed into the {@link ActionTokenContext}
     * @param triFunction optional replacement for the default handling; when non-null it is invoked
     *        right after token verification and its result is returned as is
     * @return the handler's response, or an error page or restarted flow when verification fails
     */
    protected <T extends JsonWebToken & SingleUseObjectKeyModel> Response handleActionToken(String str, String str2, String str3, String str4, String str5, TriFunction<ActionTokenHandler<T>, T, ActionTokenContext<T>, Response> triFunction) {
        AuthenticationSessionModel authenticationSessionModel = null;
        ClientModel clientModel = null;
        if (str3 != null) {
            clientModel = this.realm.getClientByClientId(str3);
        }
        AuthenticationSessionManager authenticationSessionManager = new AuthenticationSessionManager(this.session);
        KeycloakContext context = this.session.getContext();
        if (clientModel != null) {
            context.setClient(clientModel);
            authenticationSessionModel = authenticationSessionManager.getCurrentAuthenticationSession(this.realm, clientModel, str4);
        }
        this.event.event(EventType.EXECUTE_ACTION_TOKEN);
        try {
            if (str == null) {
                throw new ExplainedTokenVerificationException((JsonWebToken) null, "not_allowed", Messages.INVALID_REQUEST);
            }
            TokenVerifier create = TokenVerifier.create(str, DefaultActionTokenKey.class);
            DefaultActionTokenKey token = create.getToken();
            // These event details and the handler lookup below use values read from the token before
            // withChecks.verify() has run, so they are still unauthenticated at this point.
            this.event.detail("token_id", token.getId()).detail(AbstractRegistrationRecaptcha.ACTION, token.getActionId()).user(token.getUserId());
            ActionTokenHandler resolveActionTokenHandler = resolveActionTokenHandler(token.getActionId());
            String defaultEventError = resolveActionTokenHandler.getDefaultEventError();
            String defaultErrorMessage = resolveActionTokenHandler.getDefaultErrorMessage();
            if (!this.realm.isEnabled()) {
                throw new ExplainedTokenVerificationException((JsonWebToken) token, "realm_disabled", Messages.REALM_NOT_ENABLED);
            }
            if (!checkSsl()) {
                throw new ExplainedTokenVerificationException((JsonWebToken) token, "ssl_required", Messages.HTTPS_REQUIRED);
            }
            // Checks registered for verify(): IS_ACTIVE, a RealmUrlCheck built from this realm's issuer
            // URL, and the basic action-token checks.
            TokenVerifier withChecks = create.withChecks(new TokenVerifier.Predicate[]{TokenVerifier.IS_ACTIVE, new TokenVerifier.RealmUrlCheck(Urls.realmIssuer(context.getUri().getBaseUri(), this.realm.getName())), DefaultActionToken.ACTION_TOKEN_BASIC_CHECKS});
            // NOTE(review): the SignatureProvider is selected by the algorithm name in the token header
            // and the verifier by its key id. Which algorithms are accepted presumably depends on the
            // registered providers and realm keys; confirm.
            withChecks.verifierContext(this.session.getProvider(SignatureProvider.class, withChecks.getHeader().getAlgorithm().name()).verifier(withChecks.getHeader().getKeyId()));
            withChecks.verify();
            // Parse the same token string again, this time as the handler's own token class.
            SingleUseObjectKeyModel token2 = TokenVerifier.create(str, resolveActionTokenHandler.getTokenClass()).getToken();
            ActionTokenContext<?> actionTokenContext = new ActionTokenContext<>(this.session, this.realm, context.getUri(), this.clientConnection, this.request, this.event, resolveActionTokenHandler, str2, str5, this::processFlow, this::brokerLoginFlow);
            if (triFunction != null) {
                // Early exit: the session matching, user/client checks, handler verifiers and
                // single-use check further down do not run on this path.
                return (Response) triFunction.apply(resolveActionTokenHandler, token2, actionTokenContext);
            }
            try {
                String authenticationSessionIdFromToken = resolveActionTokenHandler.getAuthenticationSessionIdFromToken(token2, actionTokenContext, authenticationSessionModel);
                if (authenticationSessionModel == null) {
                    // No session was found for client and tab: start a fresh one for this token.
                    authenticationSessionModel = resolveActionTokenHandler.startFreshAuthenticationSession(token2, actionTokenContext);
                    actionTokenContext.setAuthenticationSession(authenticationSessionModel, true);
                } else if (!LoginActionsServiceChecks.doesAuthenticationSessionFromCookieMatchOneFromToken(actionTokenContext, authenticationSessionModel, authenticationSessionIdFromToken)) {
                    // The existing session does not match the one named by the token: it is removed and
                    // replaced by a fresh session.
                    logger.debugf("Authentication session in progress but no authentication session ID was found in action token %s, restarting.", token2.getId());
                    authenticationSessionManager.removeAuthenticationSession(this.realm, authenticationSessionModel, false);
                    authenticationSessionModel = resolveActionTokenHandler.startFreshAuthenticationSession(token2, actionTokenContext);
                    actionTokenContext.setAuthenticationSession(authenticationSessionModel, true);
                    processLocaleParam(authenticationSessionModel);
                }
                context.setAuthenticationSession(authenticationSessionModel);
                initLoginEvent(authenticationSessionModel);
                this.event.event(resolveActionTokenHandler.eventType());
                LoginActionsServiceChecks.checkIsUserValid(token2, actionTokenContext, this.event);
                LoginActionsServiceChecks.checkIsClientValid(token2, (ActionTokenContext<SingleUseObjectKeyModel>) actionTokenContext);
                // From here on the context client is the one bound to the authentication session.
                context.setClient(authenticationSessionModel.getClient());
                // Handler-specific verifiers; presumably no second signature check, since the token
                // was already verified by withChecks.verify() above.
                TokenVerifier.createWithoutSignature(token2).withChecks(resolveActionTokenHandler.getVerifiers(actionTokenContext)).verify();
                AuthenticationSessionModel authenticationSession = actionTokenContext.getAuthenticationSession();
                this.event = actionTokenContext.getEvent();
                this.event.event(resolveActionTokenHandler.eventType());
                if (!resolveActionTokenHandler.canUseTokenRepeatedly(token2, actionTokenContext)) {
                    // Single-use token: reject reuse and leave a note carrying the serialized token key.
                    LoginActionsServiceChecks.checkTokenWasNotUsedYet(token2, actionTokenContext);
                    authenticationSession.setAuthNote(AuthenticationManager.INVALIDATE_ACTION_TOKEN, token2.serializeKey());
                }
                authenticationSession.setAuthNote("ACTION_TOKEN_USER", token2.getUserId());
                // The raw token string is kept in the authentication session under the "key" note.
                authenticationSession.setAuthNote("key", str);
                return resolveActionTokenHandler.handleToken(token2, actionTokenContext);
            } catch (ExplainedTokenVerificationException e) {
                return handleActionTokenVerificationException(actionTokenContext, e, e.getErrorEvent(), e.getMessage());
            } catch (LoginActionsServiceException e2) {
                Response response = e2.getResponse();
                return response == null ? handleActionTokenVerificationException(actionTokenContext, e2, defaultEventError, defaultErrorMessage) : response;
            } catch (VerificationException e3) {
                return handleActionTokenVerificationException(actionTokenContext, e3, defaultEventError, defaultErrorMessage);
            }
        } catch (ExplainedTokenVerificationException e4) {
            return handleActionTokenVerificationException(null, e4, e4.getErrorEvent(), e4.getMessage());
        } catch (TokenNotActiveException e5) {
            // Token not active: without a session show the error page, with one restart its flow
            // and show the "expired" message there.
            if (authenticationSessionModel == null) {
                return handleActionTokenVerificationException(null, e5, "expired_code", Messages.EXPIRED_ACTION_TOKEN_NO_SESSION);
            }
            // The error is reported on a clone, so this.event itself is not marked as failed.
            this.event.clone().error("expired_code");
            String clientNote = authenticationSessionModel.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW);
            if (clientNote == null) {
                clientNote = AUTHENTICATE_PATH;
            }
            AuthenticationProcessor.resetFlow(authenticationSessionModel, clientNote);
            return processFlowFromPath(clientNote, authenticationSessionModel, Messages.EXPIRED_ACTION_TOKEN_SESSION_EXISTS);
        } catch (ExplainedVerificationException e6) {
            return handleActionTokenVerificationException(null, e6, e6.getErrorEvent(), e6.getMessage());
        } catch (VerificationException e7) {
            // No specific error: the helper falls back to "invalid_code" and INVALID_CODE.
            return handleActionTokenVerificationException(null, e7, null, null);
        }
    }

    /**
     * Starts the flow that belongs to the given flow path, forwarding an error message to it.
     *
     * <p>Only the authenticate, registration and reset-credentials paths are accepted. Any other
     * value, including {@code null}, yields a 400 error page.
     *
     * @param str flow path
     * @param authenticationSessionModel authentication session the flow runs in
     * @param str2 message to forward; when {@code null} the error page uses {@code INVALID_REQUEST}
     * @return the flow response or the 400 error page
     */
    private Response processFlowFromPath(String str, AuthenticationSessionModel authenticationSessionModel, String str2) {
        Response result;
        if (AUTHENTICATE_PATH.equals(str)) {
            result = processAuthentication(false, null, authenticationSessionModel, str2);
        } else if (REGISTRATION_PATH.equals(str)) {
            result = processRegistration(false, null, authenticationSessionModel, str2);
        } else if ("reset-credentials".equals(str)) {
            result = processResetCredentials(false, null, authenticationSessionModel, str2);
        } else {
            result = ErrorPage.error(this.session, authenticationSessionModel, Response.Status.BAD_REQUEST, str2 == null ? Messages.INVALID_REQUEST : str2, new Object[0]);
        }
        return result;
    }

    /**
     * Looks up the {@link ActionTokenHandler} provider registered under the given action id.
     *
     * <p>{@code handleActionToken} calls this with the action id read from the token before the
     * token has been verified. An id without a registered provider is rejected.
     *
     * @param str action id
     * @return the handler registered for the action id
     * @throws VerificationException when the action id is {@code null} or no handler is registered for it
     */
    private <T extends JsonWebToken> ActionTokenHandler<T> resolveActionTokenHandler(String str) throws VerificationException {
        if (str == null) {
            throw new VerificationException("Action token operation not set");
        }
        ActionTokenHandler<T> handler = (ActionTokenHandler) this.session.getProvider(ActionTokenHandler.class, str);
        if (handler != null) {
            return handler;
        }
        throw new VerificationException("Invalid action token operation");
    }

    /**
     * Turns a failed action-token verification into an error event and a 400 error page.
     *
     * <p>The exception message goes into the event detail {@code reason} only. The page shown to
     * the browser is built from the message key.
     *
     * @param actionTokenContext token context, or {@code null}; an authentication session it holds is removed
     * @param verificationException failure to report; {@code null} is recorded as {@code <unknown>}
     * @param str event error; {@code null} is recorded as {@code invalid_code}
     * @param str2 message key for the page; {@code null} selects {@code INVALID_CODE}
     * @return the 400 error page
     */
    private Response handleActionTokenVerificationException(ActionTokenContext<?> actionTokenContext, VerificationException verificationException, String str, String str2) {
        if (actionTokenContext != null) {
            if (actionTokenContext.getAuthenticationSession() != null) {
                // A failed token also ends the authentication session tied to it.
                new AuthenticationSessionManager(this.session).removeAuthenticationSession(this.realm, actionTokenContext.getAuthenticationSession(), true);
            }
        }

        String reason;
        if (verificationException == null) {
            reason = "<unknown>";
        } else {
            reason = verificationException.getMessage();
        }
        this.event.detail("reason", reason).error(str == null ? "invalid_code" : str);

        String pageMessage = str2 == null ? Messages.INVALID_CODE : str2;
        return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, pageMessage, new Object[0]);
    }

    /**
     * Runs the realm's reset-credentials flow under the {@code "reset-credentials"} flow path.
     *
     * @param z {@code true} when the request is an action (form submission) request
     * @param str execution id the request refers to, or {@code null}
     * @param authenticationSessionModel authentication session the flow runs in
     * @param str2 message forwarded to {@code processFlow}, or {@code null}
     * @return the response produced by {@code processFlow}
     */
    protected Response processResetCredentials(boolean z, String str, AuthenticationSessionModel authenticationSessionModel, String str2) {
        final AuthenticationFlowModel resetFlow = this.realm.getResetCredentialsFlow();
        // Dedicated processor type for this flow, instead of the plain AuthenticationProcessor.
        final AuthenticationProcessor processor = new ResetCredentialsActionTokenHandler.ResetCredsAuthenticationProcessor();
        return processFlow(z, str, authenticationSessionModel, "reset-credentials", resetFlow, str2, processor);
    }

    /**
     * Runs the realm's registration flow under {@code REGISTRATION_PATH}.
     *
     * @param z {@code true} when the request is an action (form submission) request
     * @param str execution id the request refers to, or {@code null}
     * @param authenticationSessionModel authentication session the flow runs in
     * @param str2 message forwarded to {@code processFlow}, or {@code null}
     * @return the response produced by {@code processFlow}
     */
    protected Response processRegistration(boolean z, String str, AuthenticationSessionModel authenticationSessionModel, String str2) {
        final AuthenticationFlowModel registrationFlow = this.realm.getRegistrationFlow();
        final AuthenticationProcessor processor = new AuthenticationProcessor();
        return processFlow(z, str, authenticationSessionModel, REGISTRATION_PATH, registrationFlow, str2, processor);
    }

    /**
     * GET entry point for the registration page.
     *
     * <p>When the ORGANIZATION feature is enabled and a {@code token} query parameter is
     * present, the token is pre-handled before the registration request is processed.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code session_code} query parameter
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code client_data} query parameter
     * @param str6 {@code tab_id} query parameter
     * @param str7 {@code token} query parameter (action token), may be {@code null}
     * @return the response of {@code registerRequest}
     */
    @Path(REGISTRATION_PATH)
    @GET
    public Response registerPage(
            @QueryParam("auth_session_id") String str,
            @QueryParam("session_code") String str2,
            @QueryParam("execution") String str3,
            @QueryParam("client_id") String str4,
            @QueryParam("client_data") String str5,
            @QueryParam("tab_id") String str6,
            @QueryParam("token") String str7) {
        if (Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) {
            if (str7 != null) {
                // NOTE(review): the Response returned by preHandleActionToken is discarded. If it
                // can be a token-verification error page, the request still proceeds to
                // registerRequest; confirm against handleActionToken (not visible here) whether
                // a non-null result should end the request.
                preHandleActionToken(str7);
            }
        }
        // Argument order differs from the declaration: tab_id (str6) precedes client_data (str5).
        return registerRequest(str, str2, str3, str4, str6, str5);
    }

    /**
     * POST entry point for the registration form.
     *
     * <p>When the ORGANIZATION feature is enabled and a {@code token} query parameter is
     * present, the token is pre-handled before the registration request is processed.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code session_code} query parameter
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code client_data} query parameter
     * @param str6 {@code tab_id} query parameter
     * @param str7 {@code token} query parameter (action token), may be {@code null}
     * @return the response of {@code registerRequest}
     */
    @POST
    @Path(REGISTRATION_PATH)
    public Response processRegister(
            @QueryParam("auth_session_id") String str,
            @QueryParam("session_code") String str2,
            @QueryParam("execution") String str3,
            @QueryParam("client_id") String str4,
            @QueryParam("client_data") String str5,
            @QueryParam("tab_id") String str6,
            @QueryParam("token") String str7) {
        if (Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) {
            if (str7 != null) {
                // NOTE(review): the Response returned by preHandleActionToken is discarded. If it
                // can be a token-verification error page, the form submission still proceeds to
                // registerRequest; confirm against handleActionToken (not visible here) whether
                // a non-null result should end the request.
                preHandleActionToken(str7);
            }
        }
        // Argument order differs from the declaration: tab_id (str6) precedes client_data (str5).
        return registerRequest(str, str2, str3, str4, str6, str5);
    }

    /**
     * Shared handler behind the GET and POST registration endpoints.
     *
     * <p>Order of checks: registration must be allowed for the realm/organization, then the
     * session code must be active and valid for the AUTHENTICATE action. Only after both pass
     * is the identity cookie expired and the registration flow started.
     *
     * @param str authentication session id
     * @param str2 session code
     * @param str3 execution id
     * @param str4 client id
     * @param str5 tab id
     * @param str6 client data
     * @return an error page or the code-check response when a check fails, otherwise the
     *     response of the registration flow
     */
    private Response registerRequest(String str, String str2, String str3, String str4, String str5, String str6) {
        this.event.event(EventType.REGISTER);

        final boolean registrationAllowed = Organizations.isRegistrationAllowed(this.session, this.realm);
        if (!registrationAllowed) {
            this.event.error("registration_disabled");
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.REGISTRATION_NOT_ALLOWED, new Object[0]);
        }

        SessionCodeChecks codeChecks = checksForCode(str, str2, str3, str4, str5, str6, REGISTRATION_PATH);
        final boolean codeAccepted = codeChecks.verifyActiveAndValidAction(CommonClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN);
        if (!codeAccepted) {
            // The checker has already prepared the response for the rejected request.
            return codeChecks.getResponse();
        }

        AuthenticationSessionModel authSession = codeChecks.getAuthenticationSession();
        processLocaleParam(authSession);
        // Any existing identity cookie is expired before the registration flow runs.
        AuthenticationManager.expireIdentityCookie(this.session);
        return processRegistration(codeChecks.isActionRequest(), str3, authSession, null);
    }

    /**
     * GET entry point for the first-broker-login flow; delegates to {@code brokerLoginFlow}.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code session_code} query parameter
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code client_data} query parameter
     * @param str6 {@code tab_id} query parameter
     * @return the response of {@code brokerLoginFlow}
     */
    @Path(FIRST_BROKER_LOGIN_PATH)
    @GET
    public Response firstBrokerLoginGet(
            @QueryParam("auth_session_id") String str,
            @QueryParam("session_code") String str2,
            @QueryParam("execution") String str3,
            @QueryParam("client_id") String str4,
            @QueryParam("client_data") String str5,
            @QueryParam("tab_id") String str6) {
        // Argument order differs from the declaration: tab_id (str6) precedes client_data (str5).
        return brokerLoginFlow(str, str2, str3, str4, str6, str5, FIRST_BROKER_LOGIN_PATH);
    }

    /**
     * POST entry point for the first-broker-login flow; delegates to {@code brokerLoginFlow}.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code session_code} query parameter
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code client_data} query parameter
     * @param str6 {@code tab_id} query parameter
     * @return the response of {@code brokerLoginFlow}
     */
    @POST
    @Path(FIRST_BROKER_LOGIN_PATH)
    public Response firstBrokerLoginPost(
            @QueryParam("auth_session_id") String str,
            @QueryParam("session_code") String str2,
            @QueryParam("execution") String str3,
            @QueryParam("client_id") String str4,
            @QueryParam("client_data") String str5,
            @QueryParam("tab_id") String str6) {
        // Argument order differs from the declaration: tab_id (str6) precedes client_data (str5).
        return brokerLoginFlow(str, str2, str3, str4, str6, str5, FIRST_BROKER_LOGIN_PATH);
    }

    /**
     * GET entry point for the post-broker-login flow; delegates to {@code brokerLoginFlow}.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code session_code} query parameter
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code client_data} query parameter
     * @param str6 {@code tab_id} query parameter
     * @return the response of {@code brokerLoginFlow}
     */
    @Path(POST_BROKER_LOGIN_PATH)
    @GET
    public Response postBrokerLoginGet(
            @QueryParam("auth_session_id") String str,
            @QueryParam("session_code") String str2,
            @QueryParam("execution") String str3,
            @QueryParam("client_id") String str4,
            @QueryParam("client_data") String str5,
            @QueryParam("tab_id") String str6) {
        // Argument order differs from the declaration: tab_id (str6) precedes client_data (str5).
        return brokerLoginFlow(str, str2, str3, str4, str6, str5, POST_BROKER_LOGIN_PATH);
    }

    /**
     * POST entry point for the post-broker-login flow; delegates to {@code brokerLoginFlow}.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code session_code} query parameter
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code client_data} query parameter
     * @param str6 {@code tab_id} query parameter
     * @return the response of {@code brokerLoginFlow}
     */
    @POST
    @Path(POST_BROKER_LOGIN_PATH)
    public Response postBrokerLoginPost(
            @QueryParam("auth_session_id") String str,
            @QueryParam("session_code") String str2,
            @QueryParam("execution") String str3,
            @QueryParam("client_id") String str4,
            @QueryParam("client_data") String str5,
            @QueryParam("tab_id") String str6) {
        // Argument order differs from the declaration: tab_id (str6) precedes client_data (str5).
        return brokerLoginFlow(str, str2, str3, str4, str6, str5, POST_BROKER_LOGIN_PATH);
    }

    /**
     * Runs the first-broker-login or post-broker-login flow for an identity that was brokered
     * through an external identity provider.
     *
     * <p>Steps, in order: select the event type from {@code str7}; verify the session code for
     * the AUTHENTICATE action; read the serialized brokered identity context from the
     * authentication session; resolve the flow id from the identity provider configuration;
     * load the flow from the realm; then run it with an {@link AuthenticationProcessor}
     * subclass that records the outcome as an auth note and redirects to the
     * after-broker-login endpoint.
     *
     * @param str authentication session id
     * @param str2 session code
     * @param str3 execution id
     * @param str4 client id
     * @param str5 tab id
     * @param str6 client data
     * @param str7 flow path; equality with {@code FIRST_BROKER_LOGIN_PATH} selects first-login
     *     handling, anything else is treated as post-login
     * @return the code-check response when verification fails, otherwise the response of
     *     {@code processFlow}
     * @throws WebApplicationException wrapping a 400 error page when the brokered context is
     *     missing from the session, no flow id is configured, or the flow id is unknown
     */
    protected Response brokerLoginFlow(String str, String str2, String str3, String str4, String str5, String str6, String str7) {
        String postBrokerLoginFlowId;
        // true = first broker login, false = post broker login; captured by the processor below.
        final boolean equals = str7.equals(FIRST_BROKER_LOGIN_PATH);
        this.event.event(equals ? EventType.IDENTITY_PROVIDER_FIRST_LOGIN : EventType.IDENTITY_PROVIDER_POST_LOGIN);
        SessionCodeChecks checksForCode = checksForCode(str, str2, str3, str4, str5, str6, str7);
        if (!checksForCode.verifyActiveAndValidAction(CommonClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
            this.event.error("Failed to verify login action");
            return checksForCode.getResponse();
        }
        // NOTE(review): the request's session_code value itself is stored as the code_id event
        // detail, whereas initLoginEvent stores the parent session id under that key; confirm
        // that writing the code to the event store is intended.
        this.event.detail("code_id", str2);
        final AuthenticationSessionModel authenticationSession = checksForCode.getAuthenticationSession();
        processLocaleParam(authenticationSession);
        // The brokered context is read from server-side session state under a key that depends
        // on the flow kind; nothing about the brokered identity is taken from the request.
        String str8 = equals ? AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE : PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT;
        SerializedBrokeredIdentityContext readFromAuthenticationSession = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, str8);
        if (readFromAuthenticationSession == null) {
            // No brokered context in the session: the request did not come out of a broker login.
            ServicesLogger.LOGGER.notFoundSerializedCtxInClientSession(str8);
            this.event.error("Not found serialized context in authenticationSession.");
            throw new WebApplicationException(ErrorPage.error(this.session, authenticationSession, Response.Status.BAD_REQUEST, "Not found serialized context in authenticationSession.", new Object[0]));
        }
        BrokeredIdentityContext deserialize = readFromAuthenticationSession.deserialize(this.session, authenticationSession);
        final String alias = deserialize.getIdpConfig().getAlias();
        if (equals) {
            postBrokerLoginFlowId = deserialize.getIdpConfig().getFirstBrokerLoginFlowId();
            if (postBrokerLoginFlowId == null) {
                // First login only: fall back to the realm-wide first-broker-login flow.
                // NOTE(review): getFirstBrokerLoginFlow() is dereferenced without a null check;
                // confirm the realm always has one configured.
                postBrokerLoginFlowId = this.realm.getFirstBrokerLoginFlow().getId();
            }
        } else {
            // Post login has no realm-level fallback; a missing id is rejected just below.
            postBrokerLoginFlowId = deserialize.getIdpConfig().getPostBrokerLoginFlowId();
        }
        if (postBrokerLoginFlowId == null) {
            ServicesLogger.LOGGER.flowNotConfigForIDP(alias);
            this.event.error("Flow not configured for identity provider");
            throw new WebApplicationException(ErrorPage.error(this.session, authenticationSession, Response.Status.BAD_REQUEST, "Flow not configured for identity provider", new Object[0]));
        }
        AuthenticationFlowModel authenticationFlowById = this.realm.getAuthenticationFlowById(postBrokerLoginFlowId);
        if (authenticationFlowById == null) {
            ServicesLogger.LOGGER.flowNotFoundForIDP(postBrokerLoginFlowId, alias);
            this.event.error("Flow not found for identity provider");
            throw new WebApplicationException(ErrorPage.error(this.session, authenticationSession, Response.Status.BAD_REQUEST, "Flow not found for identity provider", new Object[0]));
        }
        this.event.detail("identity_provider", alias).detail("identity_provider_identity", deserialize.getUsername()).detail("identity_provider_broker_session_id", deserialize.getBrokerSessionId());
        // The event is marked successful here, before the flow itself has been executed.
        this.event.success();
        AuthenticationProcessor authenticationProcessor = new AuthenticationProcessor() { // from class: org.keycloak.services.resources.LoginActionsService.1
            /**
             * Replaces a challenge with a PASSIVE_INTERACTION_REQUIRED protocol error when the
             * session carries the FORWARDED_PASSIVE_LOGIN auth note set to "true".
             */
            @Override // org.keycloak.authentication.AuthenticationProcessor
            public Response authenticateOnly() throws AuthenticationFlowException {
                Response authenticateOnly = super.authenticateOnly();
                // No response, or not a forwarded passive login: pass the result through unchanged.
                if (authenticateOnly == null || !"true".equals(this.authenticationSession.getAuthNote(AuthenticationProcessor.FORWARDED_PASSIVE_LOGIN))) {
                    return authenticateOnly;
                }
                logger.errorf("Challenge encountered when executing %s flow. Auth requests with prompt=none are incompatible with challenges", this.flowPath);
                LoginProtocol provider = this.session.getProvider(LoginProtocol.class, authenticationSession.getProtocol());
                provider.setRealm(this.realm).setHttpHeaders(LoginActionsService.this.headers).setUriInfo(this.session.getContext().getUri()).setEventBuilder(this.event);
                return provider.sendError(authenticationSession, LoginProtocol.Error.PASSIVE_INTERACTION_REQUIRED, (String) null);
            }

            /**
             * Records that the broker flow finished for this identity provider alias as an auth
             * note (a different note per flow kind), then redirects to the after-broker-login
             * endpoint.
             */
            /* JADX INFO: Access modifiers changed from: protected */
            @Override // org.keycloak.authentication.AuthenticationProcessor
            public Response authenticationComplete() {
                if (equals) {
                    authenticationSession.setAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS, alias);
                } else {
                    authenticationSession.setAuthNote("PBL_AUTH_STATE." + alias, "true");
                }
                return LoginActionsService.this.redirectToAfterBrokerLoginEndpoint(authenticationSession, equals);
            }
        };
        configureOrganization(deserialize);
        return processFlow(checksForCode.isActionRequest(), str3, authenticationSession, str7, authenticationFlowById, null, authenticationProcessor);
    }

    /**
     * Binds the organization of the brokering identity provider to the current session.
     *
     * <p>Does nothing unless the ORGANIZATION feature is enabled and the identity provider
     * configuration carries an organization id. Otherwise the organization is set on the
     * session context and the brokered context is stored as a session attribute keyed by the
     * {@link BrokeredIdentityContext} class name.
     *
     * @param brokeredIdentityContext brokered identity whose provider configuration is consulted
     */
    private void configureOrganization(BrokeredIdentityContext brokeredIdentityContext) {
        if (!Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) {
            return;
        }
        final String orgId = brokeredIdentityContext.getIdpConfig().getOrganizationId();
        if (orgId == null) {
            return;
        }
        // NOTE(review): the result of getById is passed on without a null check; confirm what
        // setOrganization does when the id no longer resolves to an organization.
        this.session.getContext().setOrganization(this.session.getProvider(OrganizationProvider.class).getById(orgId));
        this.session.setAttribute(BrokeredIdentityContext.class.getName(), brokeredIdentityContext);
    }

    /**
     * Instance convenience overload: supplies this resource's session, realm and request URI
     * to the static {@code redirectToAfterBrokerLoginEndpoint}.
     *
     * @param authenticationSessionModel authentication session the redirect is built for
     * @param z {@code true} for the after-first-broker-login endpoint, {@code false} for the
     *     after-post-broker-login endpoint
     * @return the redirect response
     */
    private Response redirectToAfterBrokerLoginEndpoint(AuthenticationSessionModel authenticationSessionModel, boolean z) {
        final UriInfo requestUri = this.session.getContext().getUri();
        return redirectToAfterBrokerLoginEndpoint(this.session, this.realm, requestUri, authenticationSessionModel, z);
    }

    /**
     * Builds a 302 redirect to the identity provider's after-broker-login endpoint.
     *
     * <p>The parent session timestamp is refreshed, and a session code is obtained (or
     * generated) and handed to the URL builder together with client id, tab id and client data.
     *
     * @param keycloakSession current Keycloak session
     * @param realmModel realm the login belongs to
     * @param uriInfo request URI info; only its base URI is used
     * @param authenticationSessionModel authentication session the redirect is built for
     * @param z {@code true} for the after-first-broker-login endpoint, {@code false} for the
     *     after-post-broker-login endpoint
     * @return a 302 response whose {@code Location} is the built URI
     */
    public static Response redirectToAfterBrokerLoginEndpoint(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, AuthenticationSessionModel authenticationSessionModel, boolean z) {
        ClientSessionCode sessionCode = new ClientSessionCode(keycloakSession, realmModel, authenticationSessionModel);
        authenticationSessionModel.getParentSession().setTimestamp(Time.currentTime());
        String clientId = authenticationSessionModel.getClient().getClientId();
        String tabId = authenticationSessionModel.getTabId();
        String clientData = AuthenticationProcessor.getClientData(keycloakSession, authenticationSessionModel);

        final URI target;
        if (z) {
            target = Urls.identityProviderAfterFirstBrokerLogin(uriInfo.getBaseUri(), realmModel.getName(), sessionCode.getOrGenerateCode(), clientId, tabId, clientData);
        } else {
            target = Urls.identityProviderAfterPostBrokerLogin(uriInfo.getBaseUri(), realmModel.getName(), sessionCode.getOrGenerateCode(), clientId, tabId, clientData);
        }

        // NOTE(review): the session code is an input to the URL builder, so the URI logged here
        // presumably contains it; keep that in mind when debug logging is enabled or shipped.
        logger.debugf("Redirecting to '%s' ", target);
        return Response.status(302).location(target).build();
    }

    /**
     * Handles submission of the OAuth consent form.
     *
     * <p>The session code is read from the form body, while {@code client_id}, {@code tab_id}
     * and {@code client_data} are read from the query string. Nothing is changed unless the
     * code verifies for the OAUTH_GRANT required action. A form containing a {@code cancel}
     * key, or a denied device code, ends with a CONSENT_DENIED error. Otherwise the client
     * scopes held in the authentication session are added to the user's consent and the login
     * is completed.
     *
     * @return the code-check response, a consent-denied protocol response, or the redirect
     *     produced after a successful flow
     */
    @POST
    @Path(OIDCLoginProtocol.PROMPT_VALUE_CONSENT)
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response processConsent() {
        MultivaluedMap decodedFormParameters = this.request.getDecodedFormParameters();
        this.event.event(EventType.LOGIN);
        // Session code comes from the form body; client_id, tab_id and client_data from the query.
        SessionCodeChecks checksForCode = checksForCode(null, (String) decodedFormParameters.getFirst(SESSION_CODE), null, (String) this.session.getContext().getUri().getQueryParameters().getFirst("client_id"), (String) this.session.getContext().getUri().getQueryParameters().getFirst("tab_id"), (String) this.session.getContext().getUri().getQueryParameters().getFirst("client_data"), REQUIRED_ACTION);
        if (!checksForCode.verifyRequiredAction(CommonClientSessionModel.Action.OAUTH_GRANT.name())) {
            return checksForCode.getResponse();
        }
        AuthenticationSessionModel authenticationSession = checksForCode.getAuthenticationSession();
        initLoginEvent(authenticationSession);
        // User and client are taken from the verified authentication session, not from the form.
        UserModel authenticatedUser = authenticationSession.getAuthenticatedUser();
        ClientModel client = authenticationSession.getClient();
        if (decodedFormParameters.containsKey("cancel")) {
            // Only the presence of the 'cancel' key matters; its value is never read.
            LoginProtocol provider = this.session.getProvider(LoginProtocol.class, authenticationSession.getProtocol());
            provider.setRealm(this.realm).setHttpHeaders(this.headers).setUriInfo(this.session.getContext().getUri()).setEventBuilder(this.event);
            Response sendError = provider.sendError(authenticationSession, LoginProtocol.Error.CONSENT_DENIED, (String) null);
            this.event.error("rejected_by_user");
            return sendError;
        }
        if (DeviceGrantType.isDeviceCodeDeniedForDeviceVerificationFlow(this.session, this.realm, authenticationSession)) {
            this.event.error("rejected_by_user");
            return DeviceGrantType.denyOAuth2DeviceAuthorization(authenticationSession, LoginProtocol.Error.CONSENT_DENIED, this.session);
        }
        // Create and persist an empty consent record if the user has none for this client yet.
        UserConsentModel consentByClient = UserConsentManager.getConsentByClient(this.session, this.realm, authenticatedUser, client.getId());
        if (consentByClient == null) {
            consentByClient = new UserConsentModel(client);
            UserConsentManager.addConsent(this.session, this.realm, authenticatedUser, consentByClient);
        }
        // z tracks whether any scope was newly granted, so the consent is written only on change.
        boolean z = false;
        // The scopes to grant come from the authentication session; the submitted form cannot
        // add to this set.
        for (String str : authenticationSession.getClientScopes()) {
            ClientScopeModel findClientScopeById = KeycloakModelUtils.findClientScopeById(this.realm, client, str);
            if (findClientScopeById == null) {
                logger.warnf("Client scope or client with ID '%s' not found", str);
            } else if (!consentByClient.isClientScopeGranted(findClientScopeById) && findClientScopeById.isDisplayOnConsentScreen()) {
                // Only scopes that are shown on the consent screen are recorded as granted.
                consentByClient.addGrantedClientScope(findClientScopeById);
                z = true;
            }
        }
        if (z) {
            UserConsentManager.updateConsent(this.session, this.realm, authenticatedUser, consentByClient);
        }
        this.event.detail(OIDCLoginProtocol.PROMPT_VALUE_CONSENT, "consent_granted");
        this.event.success();
        ClientSessionContext attachSession = AuthenticationProcessor.attachSession(authenticationSession, null, this.session, this.realm, this.clientConnection, this.event);
        return AuthenticationManager.redirectAfterSuccessfulFlow(this.session, this.realm, attachSession.getClientSession().getUserSession(), attachSession, this.request, this.session.getContext().getUri(), this.clientConnection, this.event, authenticationSession);
    }

    /**
     * Resets the request's event to a LOGIN event and fills it from the authentication session.
     *
     * <p>Recorded details: client, code id (parent session id), redirect URI, protocol,
     * response type (defaulting to {@code "code"}), response mode, username, remember-me and,
     * when present in the user session notes, the identity provider and brokered identity.
     *
     * @param authenticationSessionModel session the event details are read from
     */
    private void initLoginEvent(AuthenticationSessionModel authenticationSessionModel) {
        String responseType = authenticationSessionModel.getClientNote("response_type");
        if (responseType == null) {
            responseType = "code";
        }

        // toLowerCase() here is the no-argument form, so it follows the JVM default locale.
        this.event.event(EventType.LOGIN)
                .client(authenticationSessionModel.getClient())
                .detail("code_id", authenticationSessionModel.getParentSession().getId())
                .detail("redirect_uri", authenticationSessionModel.getRedirectUri())
                .detail("auth_method", authenticationSessionModel.getProtocol())
                .detail("response_type", responseType)
                .detail(OIDCLoginProtocol.RESPONSE_MODE_PARAM, OIDCResponseMode.parse(authenticationSessionModel.getClientNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM), OIDCResponseType.parse(responseType)).toString().toLowerCase());

        UserModel user = authenticationSessionModel.getAuthenticatedUser();
        if (user != null) {
            this.event.user(user).detail("username", user.getUsername());
        }

        // An attempted username, when present, is written under the same "username" key after
        // the authenticated user's name.
        String attemptedUsername = authenticationSessionModel.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME);
        if (attemptedUsername != null) {
            this.event.detail("username", attemptedUsername);
        }

        // Anything other than a case-insensitive "true" is recorded as the false value.
        String rememberMeNote = authenticationSessionModel.getAuthNote("remember_me");
        final boolean rememberMe = rememberMeNote != null && rememberMeNote.equalsIgnoreCase("true");
        this.event.detail("remember_me", rememberMe ? rememberMeNote : SamlProtocol.ATTRIBUTE_FALSE_VALUE);

        Map sessionNotes = authenticationSessionModel.getUserSessionNotes();
        String identityProvider = (String) sessionNotes.get("identity_provider");
        if (identityProvider != null) {
            this.event.detail("identity_provider", identityProvider).detail("identity_provider_identity", (String) sessionNotes.get("identity_provider_identity"));
        }
    }

    /**
     * POST entry point for required actions; delegates to {@code processRequireAction}.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code session_code} query parameter
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code client_data} query parameter
     * @param str6 {@code tab_id} query parameter
     * @return the response of {@code processRequireAction}
     */
    @POST
    @Path(REQUIRED_ACTION)
    public Response requiredActionPOST(
            @QueryParam("auth_session_id") String str,
            @QueryParam("session_code") String str2,
            @QueryParam("execution") String str3,
            @QueryParam("client_id") String str4,
            @QueryParam("client_data") String str5,
            @QueryParam("tab_id") String str6) {
        // Argument order differs from the declaration: tab_id (str6) precedes client_data (str5).
        return processRequireAction(str, str2, str3, str4, str6, str5);
    }

    /**
     * GET entry point for required actions; delegates to {@code processRequireAction}.
     *
     * @param str {@code auth_session_id} query parameter
     * @param str2 {@code session_code} query parameter
     * @param str3 {@code execution} query parameter
     * @param str4 {@code client_id} query parameter
     * @param str5 {@code client_data} query parameter
     * @param str6 {@code tab_id} query parameter
     * @return the response of {@code processRequireAction}
     */
    @Path(REQUIRED_ACTION)
    @GET
    public Response requiredActionGET(
            @QueryParam("auth_session_id") String str,
            @QueryParam("session_code") String str2,
            @QueryParam("execution") String str3,
            @QueryParam("client_id") String str4,
            @QueryParam("client_data") String str5,
            @QueryParam("tab_id") String str6) {
        // Argument order differs from the declaration: tab_id (str6) precedes client_data (str5).
        return processRequireAction(str, str2, str3, str4, str6, str5);
    }

    /**
     * Shared handler behind the GET and POST required-action endpoints.
     *
     * <p>The session code is verified against the required action named by {@code str3}
     * before anything else. A non-action request only advances to the next step after
     * authentication. An action request resolves the {@link RequiredActionProvider}, lets it
     * process the submission (or cancels an application-initiated action), and then maps the
     * resulting status to a response: SUCCESS removes the required action and continues,
     * CHALLENGE returns the provider's challenge, FAILURE ends with a CONSENT_DENIED error.
     *
     * @param str authentication session id
     * @param str2 session code
     * @param str3 execution id, used here as the required action name
     * @param str4 client id
     * @param str5 tab id
     * @param str6 client data
     * @return the code-check response, the next-action response, or the response saved by
     *     {@code BrowserHistoryHelper}
     * @throws WebApplicationException wrapping a 400 error page when no provider factory matches
     *     the action, or when the flow fails without supplying its own response
     */
    private Response processRequireAction(String str, String str2, String str3, String str4, String str5, String str6) {
        Response interruptionResponse;
        this.event.event(EventType.CUSTOM_REQUIRED_ACTION);
        SessionCodeChecks checksForCode = checksForCode(str, str2, str3, str4, str5, str6, REQUIRED_ACTION);
        // The caller-supplied action name is checked together with the session code.
        if (!checksForCode.verifyRequiredAction(str3)) {
            return checksForCode.getResponse();
        }
        AuthenticationSessionModel authenticationSession = checksForCode.getAuthenticationSession();
        processLocaleParam(authenticationSession);
        if (!checksForCode.isActionRequest()) {
            // Not a form submission: no provider is invoked, just move on to the next step.
            initLoginEvent(authenticationSession);
            this.event.event(EventType.CUSTOM_REQUIRED_ACTION);
            return AuthenticationManager.nextActionAfterAuthentication(this.session, authenticationSession, this.clientConnection, this.request, this.session.getContext().getUri(), this.event);
        }
        // initLoginEvent resets the event type to LOGIN, so it is set back afterwards.
        initLoginEvent(authenticationSession);
        this.event.event(EventType.CUSTOM_REQUIRED_ACTION);
        this.event.detail("custom_required_action", str3);
        // The provider is looked up by the request-supplied name after it has been mapped by
        // getDefaultRequiredActionCaseInsensitively.
        RequiredActionFactory providerFactory = this.session.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, DefaultRequiredActions.getDefaultRequiredActionCaseInsensitively(str3));
        if (providerFactory == null) {
            ServicesLogger.LOGGER.actionProviderNull();
            this.event.error("invalid_code");
            throw new WebApplicationException(ErrorPage.error(this.session, authenticationSession, Response.Status.BAD_REQUEST, Messages.INVALID_CODE, new Object[0]));
        }
        RequiredActionContextResult requiredActionContextResult = new RequiredActionContextResult(authenticationSession, this.realm, this.event, this.session, this.request, authenticationSession.getAuthenticatedUser(), providerFactory) { // from class: org.keycloak.services.resources.LoginActionsService.2
            // A provider may not skip itself while processing a submitted action.
            @Override // org.keycloak.authentication.RequiredActionContextResult
            public void ignore() {
                throw new RuntimeException("Cannot call ignore within processAction()");
            }
        };
        try {
            RequiredActionProvider createRequiredAction = AuthenticationManager.createRequiredAction(requiredActionContextResult);
            if (isCancelAppInitiatedAction(providerFactory.getId(), authenticationSession, requiredActionContextResult)) {
                // Cancelled application-initiated action: the provider is told, the status is
                // recorded as CANCELLED, and the context is marked successful without processing.
                createRequiredAction.initiatedActionCanceled(this.session, authenticationSession);
                AuthenticationManager.setKcActionStatus(providerFactory.getId(), RequiredActionContext.KcActionStatus.CANCELLED, authenticationSession);
                requiredActionContextResult.success();
            } else {
                createRequiredAction.processAction(requiredActionContextResult);
            }
            if (str3 != null) {
                authenticationSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, str3);
            }
            if (requiredActionContextResult.getStatus() == RequiredActionContext.Status.SUCCESS) {
                // A clone of the required-action event is marked successful, then the event is
                // re-initialised as a LOGIN event for the remainder of the flow.
                this.event.clone().success();
                initLoginEvent(authenticationSession);
                this.event.event(EventType.LOGIN);
                // The completed action is cleared from both the session and the user.
                authenticationSession.removeRequiredAction(providerFactory.getId());
                authenticationSession.getAuthenticatedUser().removeRequiredAction(providerFactory.getId());
                authenticationSession.removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION);
                AuthenticationManager.setKcActionStatus(providerFactory.getId(), RequiredActionContext.KcActionStatus.SUCCESS, authenticationSession);
                interruptionResponse = AuthenticationManager.nextActionAfterAuthentication(this.session, authenticationSession, this.clientConnection, this.request, this.session.getContext().getUri(), this.event);
            } else if (requiredActionContextResult.getStatus() == RequiredActionContext.Status.CHALLENGE) {
                interruptionResponse = requiredActionContextResult.getChallenge();
            } else {
                // Any status other than SUCCESS, CHALLENGE or FAILURE is treated as a bug.
                if (requiredActionContextResult.getStatus() != RequiredActionContext.Status.FAILURE) {
                    throw new RuntimeException("Unreachable");
                }
                interruptionResponse = interruptionResponse(requiredActionContextResult, authenticationSession, str3, LoginProtocol.Error.CONSENT_DENIED);
            }
            return BrowserHistoryHelper.getInstance().saveResponseAndRedirect(this.session, authenticationSession, interruptionResponse, true, this.request);
        } catch (AuthenticationFlowException e) {
            // Prefer the response carried by the exception; otherwise show a generic 400 page.
            if (e.getResponse() != null) {
                return e.getResponse();
            }
            throw new WebApplicationException(ErrorPage.error(this.session, authenticationSession, Response.Status.BAD_REQUEST, Messages.DISPLAY_UNSUPPORTED, new Object[0]));
        }
    }

    /**
     * Ends a required action that failed by sending a protocol error back to the client.
     *
     * <p>The login protocol provider is configured from the required-action context (realm,
     * HTTP headers, URI info) and this resource's event builder; the event is then closed
     * with the {@code rejected_by_user} error.
     *
     * @param requiredActionContextResult context of the failed required action
     * @param authenticationSessionModel session whose protocol selects the provider
     * @param str required action name recorded in the event
     * @param error protocol error to send
     * @return the protocol provider's error response, carrying the context's error message
     */
    private Response interruptionResponse(RequiredActionContextResult requiredActionContextResult, AuthenticationSessionModel authenticationSessionModel, String str, LoginProtocol.Error error) {
        LoginProtocol protocol = requiredActionContextResult.getSession().getProvider(LoginProtocol.class, authenticationSessionModel.getProtocol());
        protocol.setRealm(requiredActionContextResult.getRealm())
                .setHttpHeaders(requiredActionContextResult.getHttpRequest().getHttpHeaders())
                .setUriInfo(requiredActionContextResult.getUriInfo())
                .setEventBuilder(this.event);

        this.event.detail("custom_required_action", str);
        this.event.error("rejected_by_user");

        return protocol.sendError(authenticationSessionModel, error, requiredActionContextResult.getErrorMessage());
    }

    /**
     * Tells whether the submitted form cancels an application-initiated action.
     *
     * <p>All three conditions must hold: the action is the one noted as executing in the
     * session ({@code kc_action_executing}), it is not marked as enforced
     * ({@code kc_action_enforced} is not {@code "true"}), and the form carries the
     * {@code CANCEL_AIA} parameter. An enforced action therefore cannot be cancelled by
     * adding that parameter to the form.
     *
     * @param str id of the required action being processed
     * @param authenticationSessionModel session holding the client notes
     * @param requiredActionContextResult context giving access to the submitted form
     * @return {@code true} if the action should be treated as cancelled
     */
    private boolean isCancelAppInitiatedAction(String str, AuthenticationSessionModel authenticationSessionModel, RequiredActionContextResult requiredActionContextResult) {
        if (!str.equals(authenticationSessionModel.getClientNote("kc_action_executing"))) {
            return false;
        }
        if (Boolean.TRUE.toString().equals(authenticationSessionModel.getClientNote("kc_action_enforced"))) {
            return false;
        }
        final Object cancelParameter = requiredActionContextResult.getHttpRequest().getDecodedFormParameters().getFirst(CANCEL_AIA);
        return cancelParameter != null;
    }

    /**
     * Runs the action-token pipeline with the handler's {@code preHandleToken} step as the
     * operation to apply, passing {@code null} for every other {@code handleActionToken}
     * argument.
     *
     * @param str serialized action token
     * @return whatever {@code handleActionToken} returns for this token; callers decide what
     *     to do with it
     */
    public Response preHandleActionToken(String str) {
        return handleActionToken(str, null, null, null, null,
                (handler, token, tokenContext) -> handler.preHandleToken(token, tokenContext));
    }
}
