package org.keycloak.protocol.oidc.grants;

import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.OAuthErrorException;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.events.EventType;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.grants.OAuth2GrantType;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.TokenRefreshContext;
import org.keycloak.services.clientpolicy.context.TokenRefreshResponseContext;
import org.keycloak.services.util.MtlsHoKTokenUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/RefreshTokenGrantType.class */
/**
 * Grant-type handler that exchanges a refresh token for a new access token response.
 *
 * <p>The flow visible here: reject requests without a refresh-token form parameter, run the
 * client-policy hook for the refresh request, ask {@link TokenManager} to refresh the token,
 * apply the MTLS holder-of-key step, run the client-policy hook for the response, update the
 * session state for non-offline tokens, and return the JSON response with CORS headers.
 *
 * <p>Every failure path records an event detail and an event error before throwing, so
 * rejected refresh attempts remain visible in the event stream.
 */
public class RefreshTokenGrantType extends OAuth2GrantTypeBase {
    private static final Logger logger = Logger.getLogger(RefreshTokenGrantType.class);

    /**
     * Processes one refresh-token grant request.
     *
     * @param context grant context, handed to {@code setContext} before anything else runs
     * @return a 200 response carrying the built {@link AccessTokenResponse} as JSON
     * @throws CorsErrorResponseException when the refresh token parameter is absent (400),
     *     when the token manager rejects the refresh (401 for the MTLS certificate
     *     verification error, 400 otherwise), or when a client policy rejects the request
     *     (status taken from the policy exception)
     */
    public Response process(OAuth2GrantType.Context context) {
        setContext(context);

        // The constant is used here as the form-parameter key (presumably "refresh_token").
        final String refreshTokenKey = AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN;
        if (this.formParams.getFirst(refreshTokenKey) == null) {
            throw new CorsErrorResponseException(this.cors, "invalid_request", "No refresh token", Response.Status.BAD_REQUEST);
        }

        String requestedScopes = getRequestedScopes();
        try {
            // Policy hook on the incoming request, before any token work is done.
            this.session.clientPolicy().triggerOnEvent(new TokenRefreshContext(this.formParams));

            // The parameter is read again at this point, after the policy hook has run.
            TokenManager.AccessTokenResponseBuilder responseBuilder = this.tokenManager.refreshAccessToken(
                    this.session,
                    this.session.getContext().getUri(),
                    this.clientConnection,
                    this.realm,
                    this.client,
                    (String) this.formParams.getFirst(refreshTokenKey),
                    this.event,
                    this.headers,
                    this.request,
                    requestedScopes);

            // Presumably binds the refreshed tokens to the client certificate
            // (holder-of-key); the helper is defined outside this file.
            checkAndBindMtlsHoKToken(responseBuilder, this.clientConfig.isUseRefreshToken());

            // Policy hook on the outgoing response; it can still veto before anything is returned.
            this.session.clientPolicy().triggerOnEvent(new TokenRefreshResponseContext(this.formParams, responseBuilder));

            AccessTokenResponse tokenResponse = responseBuilder.build();
            if (!responseBuilder.isOfflineToken()) {
                // NOTE(review): the getUserSession(...) result is dereferenced without a null
                // check. Confirm the session cannot disappear between refreshAccessToken and
                // this lookup; otherwise the request fails with an NPE after the response
                // has already been built.
                UserSessionModel userSession =
                        this.session.sessions().getUserSession(this.realm, tokenResponse.getSessionState());
                updateClientSession(userSession.getAuthenticatedClientSessionByClient(this.client.getId()));
                updateUserSessionFromClientAuth(userSession);
            }

            // Success is recorded only once both policy hooks and the session update are done.
            this.event.success();
            return this.cors.add(Response.ok(tokenResponse, MediaType.APPLICATION_JSON_TYPE));
        } catch (OAuthErrorException oauthError) {
            logger.trace(oauthError.getMessage(), oauthError);

            // The MTLS certificate verification failure is the one case answered with 401
            // and logged as "not_allowed"; every other refresh failure is a 400 "invalid_token".
            boolean certVerificationFailed =
                    MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC.equals(oauthError.getDescription());
            this.event.detail("reason", oauthError.getDescription());
            this.event.error(certVerificationFailed ? "not_allowed" : "invalid_token");

            Response.Status status =
                    certVerificationFailed ? Response.Status.UNAUTHORIZED : Response.Status.BAD_REQUEST;
            // The exception description is passed through to the error response, so it
            // should not carry internal detail.
            throw new CorsErrorResponseException(this.cors, oauthError.getError(), oauthError.getDescription(), status);
        } catch (ClientPolicyException policyError) {
            // Raised by either policy hook above; both are reported identically.
            this.event.detail("reason", "client_policy_error");
            this.event.detail("client_policy_error", policyError.getError());
            this.event.detail("client_policy_error_detail", policyError.getErrorDetail());
            this.event.error(policyError.getError());
            throw new CorsErrorResponseException(
                    this.cors, policyError.getError(), policyError.getErrorDetail(), policyError.getErrorStatus());
        }
    }

    /**
     * Identifies the event type under which this grant is recorded.
     *
     * @return always {@link EventType#REFRESH_TOKEN}
     */
    public EventType getEventType() {
        return EventType.REFRESH_TOKEN;
    }
}
