package org.keycloak.protocol.oidc.tokenexchange;

import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriInfo;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.authentication.authenticators.util.AuthenticatorUtils;
import org.keycloak.authorization.authorization.AuthorizationTokenService;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.ExchangeExternalToken;
import org.keycloak.broker.provider.ExchangeTokenToIdentityProviderToken;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityProviderMapper;
import org.keycloak.broker.provider.IdentityProviderMapperSyncModeDelegate;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Base64Url;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.ImpersonationSessionNote;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.light.LightweightUserAdapter;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.TokenExchangeContext;
import org.keycloak.protocol.oidc.TokenExchangeProvider;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.endpoints.TokenEndpoint;
import org.keycloak.protocol.saml.SamlClient;
import org.keycloak.protocol.saml.SamlService;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.saml.common.constants.GeneralConstants;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.BruteForceProtector;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.resources.IdentityBrokerService;
import org.keycloak.services.resources.admin.permissions.AdminPermissionManagement;
import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.services.validation.Validation;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.RootAuthenticationSessionModel;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider.class */
public abstract class AbstractTokenExchangeProvider implements TokenExchangeProvider {
    private static final Logger logger = Logger.getLogger(AbstractTokenExchangeProvider.class);
    protected TokenExchangeContext.Params params;
    protected MultivaluedMap<String, String> formParams;
    protected KeycloakSession session;
    protected Cors cors;
    protected RealmModel realm;
    protected ClientModel client;
    protected EventBuilder event;
    protected ClientConnection clientConnection;
    protected HttpHeaders headers;
    protected TokenManager tokenManager;
    protected Map<String, String> clientAuthAttributes;
    protected TokenExchangeContext context;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider$ExternalExchangeContext.class */
    public static final class ExternalExchangeContext extends Record {
        private final ExchangeExternalToken provider;
        private final IdentityProviderModel idpModel;

        ExternalExchangeContext(ExchangeExternalToken exchangeExternalToken, IdentityProviderModel identityProviderModel) {
            this.provider = exchangeExternalToken;
            this.idpModel = identityProviderModel;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, ExternalExchangeContext.class), ExternalExchangeContext.class, "provider;idpModel", "FIELD:Lorg/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider$ExternalExchangeContext;->provider:Lorg/keycloak/broker/provider/ExchangeExternalToken;", "FIELD:Lorg/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider$ExternalExchangeContext;->idpModel:Lorg/keycloak/models/IdentityProviderModel;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, ExternalExchangeContext.class), ExternalExchangeContext.class, "provider;idpModel", "FIELD:Lorg/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider$ExternalExchangeContext;->provider:Lorg/keycloak/broker/provider/ExchangeExternalToken;", "FIELD:Lorg/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider$ExternalExchangeContext;->idpModel:Lorg/keycloak/models/IdentityProviderModel;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, ExternalExchangeContext.class, Object.class), ExternalExchangeContext.class, "provider;idpModel", "FIELD:Lorg/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider$ExternalExchangeContext;->provider:Lorg/keycloak/broker/provider/ExchangeExternalToken;", "FIELD:Lorg/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider$ExternalExchangeContext;->idpModel:Lorg/keycloak/models/IdentityProviderModel;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public ExchangeExternalToken provider() {
            return this.provider;
        }

        public IdentityProviderModel idpModel() {
            return this.idpModel;
        }
    }

    public Response exchange(TokenExchangeContext tokenExchangeContext) {
        this.params = tokenExchangeContext.getParams();
        this.formParams = tokenExchangeContext.getFormParams();
        this.session = tokenExchangeContext.getSession();
        this.cors = tokenExchangeContext.getCors();
        this.realm = tokenExchangeContext.getRealm();
        this.client = tokenExchangeContext.getClient();
        this.event = tokenExchangeContext.getEvent();
        this.clientConnection = tokenExchangeContext.getClientConnection();
        this.headers = tokenExchangeContext.getHeaders();
        this.tokenManager = (TokenManager) tokenExchangeContext.getTokenManager();
        this.clientAuthAttributes = tokenExchangeContext.getClientAuthAttributes();
        this.context = tokenExchangeContext;
        return tokenExchange();
    }

    public void close() {
    }

    protected abstract Response tokenExchange();

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isExternalInternalTokenExchangeRequest(TokenExchangeContext tokenExchangeContext) {
        String subjectToken = tokenExchangeContext.getParams().getSubjectToken();
        KeycloakSession session = tokenExchangeContext.getSession();
        RealmModel realm = tokenExchangeContext.getRealm();
        EventBuilder event = tokenExchangeContext.getEvent();
        if (subjectToken == null) {
            return false;
        }
        String subjectTokenType = tokenExchangeContext.getParams().getSubjectTokenType();
        String realmIssuer = Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName());
        String subjectIssuer = getSubjectIssuer(tokenExchangeContext, subjectToken, subjectTokenType);
        if (subjectIssuer == null || realmIssuer.equals(subjectIssuer)) {
            return false;
        }
        event.detail("subject_issuer", subjectIssuer);
        return true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String getSubjectIssuer(TokenExchangeContext tokenExchangeContext, String str, String str2) {
        String str3 = (String) tokenExchangeContext.getFormParams().getFirst("subject_issuer");
        if (str3 != null) {
            return str3;
        }
        if (!AuthorizationTokenService.CLAIM_TOKEN_FORMAT_JWT.equals(str2)) {
            return null;
        }
        try {
            return ((JsonWebToken) new JWSInput(str).readJsonContent(JsonWebToken.class)).getIssuer();
        } catch (JWSInputException e) {
            tokenExchangeContext.getEvent().detail("reason", "unable to parse jwt subject_token");
            tokenExchangeContext.getEvent().error("invalid_token");
            throw new CorsErrorResponseException(tokenExchangeContext.getCors(), "invalid_request", "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Response exchangeToIdentityProvider(UserModel userModel, UserSessionModel userSessionModel, String str) {
        this.event.detail("requested_issuer", str);
        IdentityProviderModel byAlias = this.session.identityProviders().getByAlias(str);
        if (byAlias == null) {
            this.event.detail("reason", "unknown requested_issuer");
            this.event.error("unknown_identity_provider");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Invalid issuer", Response.Status.BAD_REQUEST);
        }
        ExchangeTokenToIdentityProviderToken identityProvider = IdentityBrokerService.getIdentityProvider(this.session, str);
        if (!(identityProvider instanceof ExchangeTokenToIdentityProviderToken)) {
            this.event.detail("reason", "exchange unsupported by requested_issuer");
            this.event.error("unknown_identity_provider");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Issuer does not support token exchange", Response.Status.BAD_REQUEST);
        }
        if (AdminPermissions.management(this.session, this.realm).idps().canExchangeTo(this.client, byAlias)) {
            return this.cors.add(Response.fromResponse(identityProvider.exchangeFromToken(this.session.getContext().getUri(), this.event, this.client, userSessionModel, userModel, this.formParams)));
        }
        this.event.detail("reason", "client not allowed to exchange for requested_issuer");
        this.event.error("not_allowed");
        throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
    }

    protected String getRequestedTokenType() {
        String str = (String) this.formParams.getFirst("requested_token_type");
        if (str == null) {
            return "urn:ietf:params:oauth:token-type:refresh_token";
        }
        if (str.equals("urn:ietf:params:oauth:token-type:access_token") || str.equals("urn:ietf:params:oauth:token-type:refresh_token") || str.equals("urn:ietf:params:oauth:token-type:saml2")) {
            return str;
        }
        this.event.detail("reason", "requested_token_type unsupported");
        this.event.error("invalid_request");
        throw new CorsErrorResponseException(this.cors, "invalid_request", "requested_token_type unsupported", Response.Status.BAD_REQUEST);
    }

    protected List<ClientModel> getTargetAudienceClients() {
        List<String> audience = this.params.getAudience();
        ArrayList arrayList = new ArrayList();
        if (audience != null) {
            for (String str : audience) {
                ClientModel clientByClientId = this.realm.getClientByClientId(str);
                if (clientByClientId == null) {
                    this.event.detail("reason", "audience not found");
                    this.event.detail("audience", str);
                    this.event.error("client_not_found");
                    throw new CorsErrorResponseException(this.cors, "invalid_client", "Audience not found", Response.Status.BAD_REQUEST);
                }
                arrayList.add(clientByClientId);
            }
        }
        if (arrayList.isEmpty()) {
            arrayList.add(this.client);
        }
        return arrayList;
    }

    protected void validateAudience(AccessToken accessToken, boolean z, List<ClientModel> list) {
        ClientModel clientByClientId = accessToken == null ? null : this.realm.getClientByClientId(accessToken.getIssuedFor());
        for (ClientModel clientModel : list) {
            if (clientModel.isConsentRequired()) {
                this.event.detail("reason", "audience requires consent");
                this.event.detail("audience", clientModel.getClientId());
                this.event.error("consent_denied");
                throw new CorsErrorResponseException(this.cors, "invalid_client", "Client requires user consent", Response.Status.BAD_REQUEST);
            }
            if (!clientModel.isEnabled()) {
                this.event.detail("reason", "audience client disabled");
                this.event.detail("audience", clientModel.getClientId());
                this.event.error("client_disabled");
                throw new CorsErrorResponseException(this.cors, "invalid_client", "Client disabled", Response.Status.BAD_REQUEST);
            }
            if (!clientModel.equals(this.client)) {
                if (this.client.isPublicClient()) {
                    forbiddenIfClientIsNotTokenHolder(z, clientByClientId);
                }
                if (!AdminPermissions.management(this.session, this.realm).clients().canExchangeTo(this.client, clientModel, accessToken)) {
                    this.event.detail("reason", "client not allowed to exchange to audience");
                    this.event.detail("audience", clientModel.getClientId());
                    this.event.error("not_allowed");
                    throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
                }
            } else if (this.client.isPublicClient()) {
                forbiddenIfClientIsNotTokenHolder(z, clientByClientId);
            } else if (!this.client.equals(clientByClientId)) {
                forbiddenIfClientIsNotWithinTokenAudience(accessToken);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Response exchangeClientToClient(UserModel userModel, UserSessionModel userSessionModel, AccessToken accessToken, boolean z) {
        String requestedTokenType = getRequestedTokenType();
        this.event.detail("requested_token_type", requestedTokenType);
        List<ClientModel> targetAudienceClients = getTargetAudienceClients();
        validateAudience(accessToken, z, targetAudienceClients);
        String requestedScope = getRequestedScope(accessToken, targetAudienceClients);
        try {
            setClientToContext(targetAudienceClients);
            if (getSupportedOAuthResponseTokenTypes().contains(requestedTokenType)) {
                Response exchangeClientToOIDCClient = exchangeClientToOIDCClient(userModel, userSessionModel, requestedTokenType, targetAudienceClients, requestedScope, accessToken);
                this.session.getContext().setClient(this.client);
                return exchangeClientToOIDCClient;
            }
            if (!"urn:ietf:params:oauth:token-type:saml2".equals(requestedTokenType)) {
                this.session.getContext().setClient(this.client);
                throw new CorsErrorResponseException(this.cors, "invalid_request", "requested_token_type unsupported", Response.Status.BAD_REQUEST);
            }
            Response exchangeClientToSAML2Client = exchangeClientToSAML2Client(userModel, userSessionModel, requestedTokenType, targetAudienceClients);
            this.session.getContext().setClient(this.client);
            return exchangeClientToSAML2Client;
        } catch (Throwable th) {
            this.session.getContext().setClient(this.client);
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void forbiddenIfClientIsNotWithinTokenAudience(AccessToken accessToken) {
        if (accessToken == null || accessToken.hasAudience(this.client.getClientId())) {
            return;
        }
        this.event.detail("reason", "client is not within the token audience");
        this.event.error("not_allowed");
        throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client is not within the token audience", Response.Status.FORBIDDEN);
    }

    protected void forbiddenIfClientIsNotTokenHolder(boolean z, ClientModel clientModel) {
        if (!z || this.client.equals(clientModel)) {
            return;
        }
        this.event.detail("reason", "client is not the token holder");
        this.event.error("not_allowed");
        throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client is not the holder of the token", Response.Status.FORBIDDEN);
    }

    protected List<String> getSupportedOAuthResponseTokenTypes() {
        return Arrays.asList("urn:ietf:params:oauth:token-type:access_token", "urn:ietf:params:oauth:token-type:refresh_token");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AuthenticationSessionModel createSessionModel(UserSessionModel userSessionModel, RootAuthenticationSessionModel rootAuthenticationSessionModel, UserModel userModel, ClientModel clientModel, String str) {
        AuthenticationSessionModel createAuthenticationSession = rootAuthenticationSessionModel.createAuthenticationSession(clientModel);
        createAuthenticationSession.setAuthenticatedUser(userModel);
        createAuthenticationSession.setProtocol("openid-connect");
        createAuthenticationSession.setClientNote("iss", Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
        createAuthenticationSession.setClientNote("scope", str);
        return createAuthenticationSession;
    }

    protected String getRequestedScope(AccessToken accessToken, List<ClientModel> list) {
        String str;
        ClientModel clientModel = list.get(0);
        if (list.size() > 1) {
            logger.warnf("Only one value of audience parameter currently supported for token exchange. Using audience '%s' and ignoring the other audiences provided", clientModel.getClientId());
        }
        String str2 = (String) this.formParams.getFirst("scope");
        if (accessToken != null && accessToken.getScope() != null && str2 == null) {
            String scope = accessToken.getScope();
            HashSet hashSet = new HashSet();
            hashSet.addAll(clientModel.getClientScopes(true).keySet());
            hashSet.addAll(clientModel.getClientScopes(false).keySet());
            str2 = (String) Arrays.stream(scope.split(" ")).filter(str3 -> {
                if (!OIDCIdentityProvider.SCOPE_OPENID.equals(str3)) {
                    if (!hashSet.contains(Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES) ? str3.split(":")[0] : str3)) {
                        return false;
                    }
                }
                return true;
            }).collect(Collectors.joining(" "));
        } else if (accessToken != null && accessToken.getScope() != null) {
            String scope2 = accessToken.getScope();
            if (Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES)) {
                Set set = (Set) Arrays.stream(scope2.split(" ")).map(str4 -> {
                    return str4.split(":")[0];
                }).collect(Collectors.toSet());
                str = (String) Arrays.stream(str2.split(" ")).filter(str5 -> {
                    return set.contains(str5.split(":")[0]);
                }).collect(Collectors.joining(" "));
            } else {
                Set set2 = (Set) Arrays.stream(scope2.split(" ")).collect(Collectors.toSet());
                str = (String) Arrays.stream(str2.split(" ")).filter(str6 -> {
                    return set2.contains(str6);
                }).collect(Collectors.joining(" "));
            }
            HashSet hashSet2 = new HashSet();
            hashSet2.addAll(clientModel.getClientScopes(true).keySet());
            hashSet2.addAll(clientModel.getClientScopes(false).keySet());
            str2 = (String) Arrays.stream(str.split(" ")).filter(str7 -> {
                if (!OIDCIdentityProvider.SCOPE_OPENID.equals(str7)) {
                    if (!hashSet2.contains(Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES) ? str7.split(":")[0] : str7)) {
                        return false;
                    }
                }
                return true;
            }).collect(Collectors.joining(" "));
        }
        return str2;
    }

    protected void setClientToContext(List<ClientModel> list) {
        this.session.getContext().setClient(getTargetClient(list));
    }

    protected ClientModel getTargetClient(List<ClientModel> list) {
        return list.get(0);
    }

    protected Response exchangeClientToOIDCClient(UserModel userModel, UserSessionModel userSessionModel, String str, List<ClientModel> list, String str2, AccessToken accessToken) {
        Object obj;
        ClientModel targetClient = getTargetClient(list);
        RootAuthenticationSessionModel createAuthenticationSession = new AuthenticationSessionManager(this.session).createAuthenticationSession(this.realm, false);
        AuthenticationSessionModel createSessionModel = createSessionModel(userSessionModel, createAuthenticationSession, userModel, targetClient, str2);
        AuthenticationManager.setClientScopesInSession(this.session, createSessionModel);
        ClientSessionContext attachAuthenticationSession = TokenManager.attachAuthenticationSession(this.session, userSessionModel, createSessionModel);
        if (!AuthenticationManager.isClientSessionValid(this.realm, this.client, userSessionModel, userSessionModel.getAuthenticatedClientSessionByClient(this.client.getId()))) {
            TokenManager.attachAuthenticationSession(this.session, userSessionModel, createSessionModel(userSessionModel, createAuthenticationSession, userModel, this.client, str2));
        }
        updateUserSessionFromClientAuth(userSessionModel);
        TokenManager.AccessTokenResponseBuilder generateAccessToken = this.tokenManager.responseBuilder(this.realm, targetClient, this.event, this.session, userSessionModel, attachAuthenticationSession).generateAccessToken();
        generateAccessToken.getAccessToken().issuedFor(this.client.getClientId());
        if (targetClient != null && !targetClient.equals(this.client)) {
            generateAccessToken.getAccessToken().addAudience(targetClient.getClientId());
        }
        if (this.formParams.containsKey("requested_subject")) {
            userSessionModel.setNote(ImpersonationSessionNote.IMPERSONATOR_CLIENT.toString(), this.client.getId());
        }
        if (userSessionModel.getPersistenceState() == UserSessionModel.SessionPersistenceState.TRANSIENT) {
            generateAccessToken.getAccessToken().setSessionId((String) null);
        }
        if (str.equals("urn:ietf:params:oauth:token-type:refresh_token") && OIDCAdvancedConfigWrapper.fromClientModel(this.client).isUseRefreshToken() && userSessionModel.getPersistenceState() != UserSessionModel.SessionPersistenceState.TRANSIENT) {
            generateAccessToken.generateRefreshToken();
            generateAccessToken.getRefreshToken().issuedFor(this.client.getClientId());
            obj = "urn:ietf:params:oauth:token-type:refresh_token";
        } else {
            obj = "urn:ietf:params:oauth:token-type:access_token";
        }
        if (TokenUtil.isOIDCRequest(attachAuthenticationSession.getClientSession().getNote("scope"))) {
            generateAccessToken.generateIDToken().generateAccessTokenHash();
        }
        AccessTokenResponse build = generateAccessToken.build();
        build.setOtherClaims("issued_token_type", obj);
        this.event.detail("audience", targetClient.getClientId()).user(userModel);
        this.event.success();
        return this.cors.add(Response.ok(build, MediaType.APPLICATION_JSON_TYPE));
    }

    protected Response exchangeClientToSAML2Client(UserModel userModel, UserSessionModel userSessionModel, String str, List<ClientModel> list) {
        ClientModel targetClient = getTargetClient(list);
        AuthenticationSessionModel orCreateLoginSessionForIdpInitiatedSso = ((SamlService) this.session.getKeycloakSessionFactory().getProviderFactory(LoginProtocol.class, "saml").createProtocolEndpoint(this.session, this.event)).getOrCreateLoginSessionForIdpInitiatedSso(this.session, this.realm, targetClient, null);
        if (orCreateLoginSessionForIdpInitiatedSso == null) {
            logger.error("SAML assertion consumer url not set up");
            throw new CorsErrorResponseException(this.cors, "invalid_client", "Client requires assertion consumer url set up", Response.Status.BAD_REQUEST);
        }
        orCreateLoginSessionForIdpInitiatedSso.setAuthenticatedUser(userModel);
        this.event.session(userSessionModel);
        AuthenticationManager.setClientScopesInSession(this.session, orCreateLoginSessionForIdpInitiatedSso);
        ClientSessionContext attachAuthenticationSession = TokenManager.attachAuthenticationSession(this.session, userSessionModel, orCreateLoginSessionForIdpInitiatedSso);
        updateUserSessionFromClientAuth(userSessionModel);
        SamlClient samlClient = new SamlClient(targetClient);
        Response authenticated = new TokenEndpoint.TokenExchangeSamlProtocol(samlClient).m531setEventBuilder(this.event).m532setHttpHeaders(this.headers).m534setRealm(this.realm).m535setSession(this.session).m533setUriInfo((UriInfo) this.session.getContext().getUri()).authenticated(orCreateLoginSessionForIdpInitiatedSso, userSessionModel, attachAuthenticationSession);
        if (authenticated.getStatus() != 200) {
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Can not get SAML 2.0 token", Response.Status.BAD_REQUEST);
        }
        String encode = Base64Url.encode(((String) authenticated.getEntity()).getBytes(GeneralConstants.SAML_CHARSET));
        int assertionLifespan = samlClient.getAssertionLifespan();
        AccessTokenResponse accessTokenResponse = new AccessTokenResponse();
        accessTokenResponse.setToken(encode);
        accessTokenResponse.setTokenType("Bearer");
        accessTokenResponse.setExpiresIn(assertionLifespan <= 0 ? this.realm.getAccessCodeLifespan() : assertionLifespan);
        accessTokenResponse.setOtherClaims("issued_token_type", str);
        this.event.detail("audience", targetClient.getClientId()).user(userModel);
        this.event.success();
        return this.cors.add(Response.ok(accessTokenResponse, MediaType.APPLICATION_JSON_TYPE));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Response exchangeExternalToken(String str, String str2) {
        ExternalExchangeContext locateExchangeExternalTokenByAlias = locateExchangeExternalTokenByAlias(str);
        if (locateExchangeExternalTokenByAlias == null) {
            this.event.error("invalid_issuer");
            throw new CorsErrorResponseException(this.cors, "invalid_issuer", "Invalid subject_issuer parameter", Response.Status.BAD_REQUEST);
        }
        if (!AdminPermissions.management(this.session, this.realm).idps().canExchangeTo(this.client, locateExchangeExternalTokenByAlias.idpModel())) {
            this.event.detail("reason", "client not allowed to exchange subject_issuer");
            this.event.error("not_allowed");
            throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
        }
        BrokeredIdentityContext exchangeExternal = locateExchangeExternalTokenByAlias.provider().exchangeExternal(this.event, this.formParams);
        if (exchangeExternal == null) {
            this.event.error("invalid_issuer");
            throw new CorsErrorResponseException(this.cors, "invalid_issuer", "Invalid subject_issuer parameter", Response.Status.BAD_REQUEST);
        }
        UserModel importUserFromExternalIdentity = importUserFromExternalIdentity(exchangeExternal);
        UserSessionModel createUserSession = new UserSessionManager(this.session).createUserSession(this.realm, importUserFromExternalIdentity, importUserFromExternalIdentity.getUsername(), this.clientConnection.getRemoteHost(), "external-exchange", false, null, null);
        locateExchangeExternalTokenByAlias.provider().exchangeExternalComplete(createUserSession, exchangeExternal, this.formParams);
        createUserSession.setNote("EXTERNAL_IDENTITY_PROVIDER", locateExchangeExternalTokenByAlias.idpModel().getAlias());
        createUserSession.setNote("FEDERATED_ACCESS_TOKEN", str2);
        exchangeExternal.addSessionNotesToUserSession(createUserSession);
        return exchangeClientToClient(importUserFromExternalIdentity, createUserSession, null, false);
    }

    protected UserModel importUserFromExternalIdentity(BrokeredIdentityContext brokeredIdentityContext) {
        String alias = brokeredIdentityContext.getIdpConfig().getAlias();
        brokeredIdentityContext.getIdp().preprocessFederatedIdentity(this.session, this.realm, brokeredIdentityContext);
        Set<IdentityProviderMapperModel> set = (Set) this.session.identityProviders().getMappersByAliasStream(brokeredIdentityContext.getIdpConfig().getAlias()).collect(Collectors.toSet());
        KeycloakSessionFactory keycloakSessionFactory = this.session.getKeycloakSessionFactory();
        for (IdentityProviderMapperModel identityProviderMapperModel : set) {
            keycloakSessionFactory.getProviderFactory(IdentityProviderMapper.class, identityProviderMapperModel.getIdentityProviderMapper()).preprocessFederatedIdentity(this.session, this.realm, identityProviderMapperModel, brokeredIdentityContext);
        }
        UserModel userByFederatedIdentity = brokeredIdentityContext.getIdpConfig().isTransientUsers() ? null : this.session.users().getUserByFederatedIdentity(this.realm, new FederatedIdentityModel(alias, brokeredIdentityContext.getId(), brokeredIdentityContext.getUsername(), brokeredIdentityContext.getToken()));
        if (userByFederatedIdentity == null || brokeredIdentityContext.getIdpConfig().isTransientUsers()) {
            logger.debugf("Federated user not found for provider '%s' and broker username '%s'.", alias, brokeredIdentityContext.getUsername());
            String modelUsername = brokeredIdentityContext.getModelUsername();
            if (modelUsername == null) {
                modelUsername = (!this.realm.isRegistrationEmailAsUsername() || Validation.isBlank(brokeredIdentityContext.getEmail())) ? brokeredIdentityContext.getUsername() == null ? brokeredIdentityContext.getIdpConfig().getAlias() + "." + brokeredIdentityContext.getId() : brokeredIdentityContext.getUsername() : brokeredIdentityContext.getEmail();
            }
            String trim = modelUsername.trim();
            brokeredIdentityContext.setModelUsername(trim);
            if (brokeredIdentityContext.getEmail() != null && !this.realm.isDuplicateEmailsAllowed() && this.session.users().getUserByEmail(this.realm, brokeredIdentityContext.getEmail()) != null) {
                this.event.error("federated_identity_account_exists");
                throw new CorsErrorResponseException(this.cors, "invalid_token", "User already exists", Response.Status.BAD_REQUEST);
            }
            if (this.session.users().getUserByUsername(this.realm, trim) != null) {
                this.event.error("federated_identity_account_exists");
                throw new CorsErrorResponseException(this.cors, "invalid_token", "User already exists", Response.Status.BAD_REQUEST);
            }
            userByFederatedIdentity = brokeredIdentityContext.getIdpConfig().isTransientUsers() ? new LightweightUserAdapter(this.session, this.realm, (brokeredIdentityContext.getAuthenticationSession() == null || brokeredIdentityContext.getAuthenticationSession().getParentSession() == null) ? null : brokeredIdentityContext.getAuthenticationSession().getParentSession().getId()) : this.session.users().addUser(this.realm, trim);
            userByFederatedIdentity.setEnabled(true);
            userByFederatedIdentity.setEmail(brokeredIdentityContext.getEmail());
            userByFederatedIdentity.setFirstName(brokeredIdentityContext.getFirstName());
            userByFederatedIdentity.setLastName(brokeredIdentityContext.getLastName());
            if (!brokeredIdentityContext.getIdpConfig().isTransientUsers()) {
                this.session.users().addFederatedIdentity(this.realm, userByFederatedIdentity, new FederatedIdentityModel(brokeredIdentityContext.getIdpConfig().getAlias(), brokeredIdentityContext.getId(), brokeredIdentityContext.getModelUsername(), brokeredIdentityContext.getToken()));
            }
            brokeredIdentityContext.getIdp().importNewUser(this.session, this.realm, userByFederatedIdentity, brokeredIdentityContext);
            for (IdentityProviderMapperModel identityProviderMapperModel2 : set) {
                keycloakSessionFactory.getProviderFactory(IdentityProviderMapper.class, identityProviderMapperModel2.getIdentityProviderMapper()).importNewUser(this.session, this.realm, userByFederatedIdentity, identityProviderMapperModel2, brokeredIdentityContext);
            }
            if (brokeredIdentityContext.getIdpConfig().isTrustEmail() && !Validation.isBlank(userByFederatedIdentity.getEmail())) {
                logger.debugf("Email verified automatically after registration of user '%s' through Identity provider '%s' ", userByFederatedIdentity.getUsername(), brokeredIdentityContext.getIdpConfig().getAlias());
                userByFederatedIdentity.setEmailVerified(true);
            }
            this.event.clone().event(EventType.REGISTER).user(userByFederatedIdentity.getId()).detail("register_method", AdminPermissionManagement.TOKEN_EXCHANGE).detail("email", userByFederatedIdentity.getEmail()).detail("identity_provider", alias).success();
        } else {
            if (!userByFederatedIdentity.isEnabled()) {
                this.event.error("user_disabled");
                throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid Token", Response.Status.BAD_REQUEST);
            }
            String disabledByBruteForceEventError = AuthenticatorUtils.getDisabledByBruteForceEventError(this.session.getProvider(BruteForceProtector.class), this.session, this.realm, userByFederatedIdentity);
            if (disabledByBruteForceEventError != null) {
                this.event.error(disabledByBruteForceEventError);
                throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid Token", Response.Status.BAD_REQUEST);
            }
            brokeredIdentityContext.getIdp().updateBrokeredUser(this.session, this.realm, userByFederatedIdentity, brokeredIdentityContext);
            for (IdentityProviderMapperModel identityProviderMapperModel3 : set) {
                IdentityProviderMapperSyncModeDelegate.delegateUpdateBrokeredUser(this.session, this.realm, userByFederatedIdentity, identityProviderMapperModel3, brokeredIdentityContext, keycloakSessionFactory.getProviderFactory(IdentityProviderMapper.class, identityProviderMapperModel3.getIdentityProviderMapper()));
            }
        }
        for (Map.Entry entry : brokeredIdentityContext.getAttributes().entrySet().stream().sorted(Map.Entry.comparingByKey()).toList()) {
            if (!"username".equalsIgnoreCase((String) entry.getKey())) {
                userByFederatedIdentity.setAttribute((String) entry.getKey(), (List) entry.getValue());
            }
        }
        return userByFederatedIdentity;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void updateUserSessionFromClientAuth(UserSessionModel userSessionModel) {
        for (Map.Entry<String, String> entry : this.clientAuthAttributes.entrySet()) {
            userSessionModel.setNote(entry.getKey(), entry.getValue());
        }
    }

    private ExternalExchangeContext locateExchangeExternalTokenByAlias(String str) {
        try {
            ExchangeExternalToken identityProvider = IdentityBrokerService.getIdentityProvider(this.session, str);
            if (identityProvider instanceof ExchangeExternalToken) {
                return new ExternalExchangeContext(identityProvider, this.session.identityProviders().getByAlias(str));
            }
        } catch (IdentityBrokerException e) {
        }
        return (ExternalExchangeContext) this.session.identityProviders().getAllStream().map(identityProviderModel -> {
            ExchangeExternalToken identityProvider2 = IdentityBrokerService.getIdentityProvider(this.session, identityProviderModel.getAlias());
            if (!(identityProvider2 instanceof ExchangeExternalToken)) {
                return null;
            }
            ExchangeExternalToken exchangeExternalToken = identityProvider2;
            if (exchangeExternalToken.isIssuer(str, this.formParams)) {
                return new ExternalExchangeContext(exchangeExternalToken, identityProviderModel);
            }
            return null;
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).findFirst().orElse(null);
    }
}
