package org.keycloak.protocol.oidc;

import io.opentelemetry.api.trace.Span;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriInfo;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.function.BiConsumer;
import java.util.function.BinaryOperator;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.stream.Collector;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.OAuthErrorException;
import org.keycloak.TokenCategory;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.authenticators.util.AcrStore;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.Profile;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.HashProvider;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.http.HttpRequest;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.HashUtils;
import org.keycloak.migration.migrators.MigrationUtils;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.models.light.LightweightUserAdapter;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RoleUtils;
import org.keycloak.models.utils.SessionExpirationUtils;
import org.keycloak.organization.protocol.mappers.oidc.OrganizationScope;
import org.keycloak.protocol.ProtocolMapper;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.oidc.encode.TokenContextEncoderProvider;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenResponseMapper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.TokenIntrospectionTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.rar.AuthorizationRequestContext;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.LogoutToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.dpop.DPoP;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.UserConsentManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.resources.IdentityBrokerService;
import org.keycloak.services.util.AuthorizationContextUtil;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.services.util.MtlsHoKTokenUtil;
import org.keycloak.services.util.UserSessionUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.tracing.TracingAttributes;
import org.keycloak.tracing.TracingProvider;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/TokenManager.class */
public class TokenManager {
    /** Class logger; rejected-token diagnostics in this class are emitted at debug level only. */
    private static final Logger logger = Logger.getLogger(TokenManager.class);

    /* loaded from: input_file:org/keycloak/protocol/oidc/TokenManager$AccessTokenResponseBuilder.class */
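    /**
     * Builds the token-endpoint response (access token, and optionally refresh token and ID token) for one
     * client session.  The {@code generate*} methods accumulate state; {@link #build()} encodes the tokens
     * once and memoises the result, so repeated calls return the same response object.
     *
     * <p>Non-static inner class: token creation, mapper transformation and token-type formatting are
     * delegated to the enclosing {@link TokenManager}.  Not thread-safe; use one instance per request.
     */
    public class AccessTokenResponseBuilder {
        RealmModel realm;
        ClientModel client;
        EventBuilder event;
        KeycloakSession session;
        UserSessionModel userSession;
        ClientSessionContext clientSessionCtx;
        AccessToken accessToken;
        RefreshToken refreshToken;
        IDToken idToken;
        // "token_type" of the response; recomputed from the access token whenever one is set.
        String responseTokenType;
        // Pre-hashed c_hash / s_hash claims for the ID token (hybrid flow); null when not requested.
        String codeHash;
        String stateHash;
        // Memoised result of build().
        private AccessTokenResponse response;
        // When set, build() adds at_hash (hash of the encoded access token) to the ID token.
        boolean generateAccessTokenHash = false;
        boolean offlineToken = false;

        public AccessTokenResponseBuilder(RealmModel realmModel, ClientModel clientModel, EventBuilder eventBuilder, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
            this.realm = realmModel;
            this.client = clientModel;
            this.event = eventBuilder;
            this.session = keycloakSession;
            this.userSession = userSessionModel;
            this.clientSessionCtx = clientSessionContext;
            // Default token type for the client before any access token is known.
            this.responseTokenType = TokenManager.this.formatTokenType(clientModel, null);
        }

        /** @return the access token set or generated so far, or null */
        public AccessToken getAccessToken() {
            return this.accessToken;
        }

        /** @return the refresh token set or generated so far, or null */
        public RefreshToken getRefreshToken() {
            return this.refreshToken;
        }

        /** @return the ID token generated so far, or null */
        public IDToken getIdToken() {
            return this.idToken;
        }

        /** Uses an externally created access token and re-derives the response token type from it. */
        public AccessTokenResponseBuilder accessToken(AccessToken accessToken) {
            this.accessToken = accessToken;
            this.responseTokenType = TokenManager.this.formatTokenType(this.client, accessToken);
            return this;
        }

        /** Uses an externally created refresh token as-is (no scope, reuse-id or expiry handling is applied). */
        public AccessTokenResponseBuilder refreshToken(RefreshToken refreshToken) {
            this.refreshToken = refreshToken;
            return this;
        }

        /** Overrides the "token_type" reported in the response. */
        public AccessTokenResponseBuilder responseTokenType(String str) {
            this.responseTokenType = str;
            return this;
        }

        /** Records whether this response is for an offline token; only read back via {@link #isOfflineToken()}. */
        public AccessTokenResponseBuilder offlineToken(boolean z) {
            this.offlineToken = z;
            return this;
        }

        /** Creates the access token for the user/client-session context and derives the response token type from it. */
        public AccessTokenResponseBuilder generateAccessToken() {
            this.accessToken = TokenManager.this.createClientAccessToken(this.session, this.realm, this.client, this.userSession.getUser(), this.userSession, this.clientSessionCtx);
            this.responseTokenType = TokenManager.this.formatTokenType(this.client, this.accessToken);
            return this;
        }

        /**
         * Issues a brand-new refresh token for the current client-session context (initial issuance).
         * Its scope is the context's scope string; when the realm revokes refresh tokens on use, a fresh
         * {@code reuse_id} claim is generated so the token starts its own reuse-tracking chain.
         *
         * @throws IllegalStateException if no access token has been set
         * @throws ErrorResponseException (400 not_allowed) if an offline token was requested but is not allowed
         */
        public AccessTokenResponseBuilder generateRefreshToken() {
            if (this.accessToken == null) {
                throw new IllegalStateException("accessToken not set");
            }
            generateRefreshToken(this.clientSessionCtx.isOfflineTokenRequested());
            this.refreshToken.setScope(this.clientSessionCtx.getScopeString(true));
            if (this.realm.isRevokeRefreshToken()) {
                this.refreshToken.getOtherClaims().put("reuse_id", KeycloakModelUtils.generateId());
            }
            return this;
        }

        /**
         * Issues the replacement refresh token during a refresh-token grant.  Scope, nonce and the
         * {@code reuse_id} claim are copied from the old token rather than re-derived, so a refresh cannot
         * widen what was originally granted (and a narrowed access-token scope does not shrink the refresh
         * token either).
         *
         * @param refreshToken the verified refresh token being exchanged
         * @param authenticatedClientSessionModel the client session the old token belongs to
         * @throws IllegalStateException if no access token has been set
         * @throws ErrorResponseException (400 not_allowed) if the old token is offline but offline tokens are no longer allowed
         */
        public AccessTokenResponseBuilder generateRefreshToken(RefreshToken refreshToken, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
            if (this.accessToken == null) {
                throw new IllegalStateException("accessToken not set");
            }
            String scope = refreshToken.getScope();
            Object obj = refreshToken.getOtherClaims().get("reuse_id");
            // NOTE(review): a refresh token without a scope claim NPEs on the next line; validateToken treats a
            // null scope as a legacy offline token, so such tokens may still reach this point — confirm.
            boolean contains = Arrays.asList(scope.split(" ")).contains("offline_access");
            if (contains) {
                // The context is rebuilt from the old token's full scope (presumably so the offline session is
                // updated with everything originally granted, not just this refresh's scope — confirm).
                this.clientSessionCtx = DefaultClientSessionContext.fromClientSessionAndScopeParameter(authenticatedClientSessionModel, scope, this.session);
                if (refreshToken.getNonce() != null) {
                    this.clientSessionCtx.setAttribute(OIDCLoginProtocol.NONCE_PARAM, refreshToken.getNonce());
                }
            }
            generateRefreshToken(contains);
            if (this.realm.isRevokeRefreshToken()) {
                // Keep the old reuse id and record when this chain was last refreshed; presumably consumed by
                // validateTokenReuseForRefresh (its body is not visible here).
                this.refreshToken.getOtherClaims().put("reuse_id", obj);
                authenticatedClientSessionModel.setRefreshTokenLastRefresh(TokenManager.this.getReuseIdKey(refreshToken), this.refreshToken.getIat().intValue());
            }
            this.refreshToken.setScope(scope);
            return this;
        }

        /**
         * Shared refresh-token construction.  Builds the token from the access token (binding it to the
         * same {@code cnf} only for public clients, see {@link #getConfirmation}), stamps a new id and
         * issue time, bumps the client-session timestamp and user-session refresh time to that instant,
         * and sets the expiry: online tokens expire per client-session idle/max lifespan; offline tokens
         * only get an expiry when the realm enforces an offline-session max lifespan, and the offline
         * session is created or updated.  Requested audiences ({@code req-aud-clients} context attribute)
         * are persisted as the {@code req-aud} claim so they survive into the next refresh.
         *
         * @param z true to issue an offline refresh token
         * @throws ErrorResponseException (400 not_allowed) when offline tokens are not allowed for the user or client
         */
        private void generateRefreshToken(boolean z) {
            AuthenticatedClientSessionModel clientSession = this.clientSessionCtx.getClientSession();
            this.refreshToken = new RefreshToken(this.accessToken, getConfirmation(clientSession, this.accessToken));
            this.refreshToken.id(KeycloakModelUtils.generateId());
            this.refreshToken.issuedNow();
            clientSession.setTimestamp(this.refreshToken.getIat().intValue());
            // Note: the user session is taken from the client session, not from the builder field.
            UserSessionModel userSession = clientSession.getUserSession();
            userSession.setLastSessionRefresh(this.refreshToken.getIat().intValue());
            if (z) {
                UserSessionManager userSessionManager = new UserSessionManager(this.session);
                if (!userSessionManager.isOfflineTokenAllowed(this.clientSessionCtx)) {
                    this.event.detail("reason", "Offline tokens not allowed for the user or client");
                    this.event.error("not_allowed");
                    throw new ErrorResponseException("not_allowed", "Offline tokens not allowed for the user or client", Response.Status.BAD_REQUEST);
                }
                this.refreshToken.type("Offline");
                // Without a realm-level max lifespan the offline token carries no exp claim at all.
                if (this.realm.isOfflineSessionMaxLifespanEnabled()) {
                    this.refreshToken.exp(getExpiration(true));
                }
                userSessionManager.createOrUpdateOfflineSession(this.clientSessionCtx.getClientSession(), userSession);
            } else {
                this.refreshToken.exp(getExpiration(false));
            }
            ClientModel[] clientModelArr = (ClientModel[]) this.clientSessionCtx.getAttribute("req-aud-clients", ClientModel[].class);
            if (clientModelArr != null) {
                this.refreshToken.getOtherClaims().put("req-aud", Arrays.stream(clientModelArr).map((v0) -> {
                    return v0.getClientId();
                }).collect(Collectors.toSet()));
            }
        }

        /**
         * Returns the access token's {@code cnf} (sender-constraint binding) to carry into the refresh
         * token for public clients only; confidential clients get an unbound refresh token.
         * NOTE(review): presumably because confidential clients authenticate on refresh anyway — confirm.
         */
        private AccessToken.Confirmation getConfirmation(AuthenticatedClientSessionModel authenticatedClientSessionModel, AccessToken accessToken) {
            if (authenticatedClientSessionModel.getClient().isPublicClient()) {
                return accessToken.getConfirmation();
            }
            return null;
        }

        /**
         * Computes the refresh-token expiry (seconds since epoch): the client-session idle deadline
         * measured from the client-session timestamp, capped by the client-session max-lifespan deadline
         * when that is positive (a non-positive max means "no cap").  Remember-me and the offline flag
         * select which realm/client settings apply.
         *
         * @param z true for offline-session limits, false for online
         */
        private Long getExpiration(boolean z) {
            long calculateClientSessionIdleTimestamp = SessionExpirationUtils.calculateClientSessionIdleTimestamp(z, this.userSession.isRememberMe(), TimeUnit.SECONDS.toMillis(this.clientSessionCtx.getClientSession().getTimestamp()), this.realm, this.client);
            long calculateClientSessionMaxLifespanTimestamp = SessionExpirationUtils.calculateClientSessionMaxLifespanTimestamp(z, this.userSession.isRememberMe(), TimeUnit.SECONDS.toMillis(this.clientSessionCtx.getClientSession().getStarted()), TimeUnit.SECONDS.toMillis(this.userSession.getStarted()), this.realm, this.client);
            return Long.valueOf(TimeUnit.MILLISECONDS.toSeconds(calculateClientSessionMaxLifespanTimestamp > 0 ? Math.min(calculateClientSessionIdleTimestamp, calculateClientSessionMaxLifespanTimestamp) : calculateClientSessionIdleTimestamp));
        }

        /** Generates the ID token and applies the protocol mappers to it. */
        public AccessTokenResponseBuilder generateIDToken() {
            return generateIDToken(false);
        }

        /**
         * Generates the ID token from the access token (subject, issuer, azp, session id, expiry) with
         * the client as sole audience and the nonce taken from the client-session context.  The acr
         * claim is copied from the access token only while the step-up-authentication feature is
         * disabled (with it enabled, acr is presumably supplied elsewhere — confirm).
         *
         * @param z when true the protocol mappers are NOT applied, leaving only the claims set here
         * @throws IllegalStateException if no access token has been set
         */
        public AccessTokenResponseBuilder generateIDToken(boolean z) {
            if (this.accessToken == null) {
                throw new IllegalStateException("accessToken not set");
            }
            this.idToken = new IDToken();
            this.idToken.id(KeycloakModelUtils.generateId());
            this.idToken.type("ID");
            this.idToken.subject(this.userSession.getUser().getId());
            this.idToken.audience(new String[]{this.client.getClientId()});
            this.idToken.issuedNow();
            this.idToken.issuedFor(this.accessToken.getIssuedFor());
            this.idToken.issuer(this.accessToken.getIssuer());
            this.idToken.setNonce((String) this.clientSessionCtx.getAttribute(OIDCLoginProtocol.NONCE_PARAM, String.class));
            this.idToken.setSessionId(this.accessToken.getSessionId());
            this.idToken.exp(this.accessToken.getExp());
            if (!Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
                this.idToken.setAcr(this.accessToken.getAcr());
            }
            if (!z) {
                this.idToken = TokenManager.this.transformIDToken(this.session, this.idToken, this.userSession, this.clientSessionCtx);
            }
            return this;
        }

        /** Requests an at_hash claim in the ID token; computed in {@link #build()} over the encoded access token. */
        public AccessTokenResponseBuilder generateAccessTokenHash() {
            this.generateAccessTokenHash = true;
            return this;
        }

        /** Adds the c_hash claim (hash of the authorization code) to the ID token at build time. */
        public AccessTokenResponseBuilder generateCodeHash(String str) {
            this.codeHash = generateOIDCHash(str);
            return this;
        }

        /** Adds the s_hash claim (hash of the state parameter) to the ID token at build time. */
        public AccessTokenResponseBuilder generateStateHash(String str) {
            this.stateHash = generateOIDCHash(str);
            return this;
        }

        public boolean isOfflineToken() {
            return this.offlineToken;
        }

        /**
         * Encodes the accumulated tokens into the response, records token ids and scope on the event,
         * computes the effective not-before policy (the most recent of realm, client and user not-before)
         * and applies the access-token-response mappers.  The result is memoised.
         *
         * @throws IllegalStateException if an ID-token hash claim (at_hash, c_hash, s_hash) was requested
         *         but no ID token was generated, or at_hash was requested without an access token
         */
        public AccessTokenResponse build() {
            if (this.response != null) {
                return this.response;
            }
            if (this.accessToken != null) {
                this.event.detail("token_id", this.accessToken.getId());
            }
            if (this.refreshToken != null) {
                // A refresh grant already logged the incoming token under refresh_token_id; log the replacement separately.
                if (this.event.getEvent().getDetails().containsKey("refresh_token_id")) {
                    this.event.detail("updated_refresh_token_id", this.refreshToken.getId());
                } else {
                    this.event.detail("refresh_token_id", this.refreshToken.getId());
                }
                this.event.detail("refresh_token_type", this.refreshToken.getType());
            }
            AccessTokenResponse accessTokenResponse = new AccessTokenResponse();
            if (this.accessToken != null) {
                accessTokenResponse.setToken(this.session.tokens().encode(this.accessToken));
                accessTokenResponse.setTokenType(this.responseTokenType);
                accessTokenResponse.setSessionState(this.accessToken.getSessionState());
                // exp == 0 means "no expiry"; expires_in is then left unset.
                if (this.accessToken.getExp().longValue() != 0) {
                    accessTokenResponse.setExpiresIn(this.accessToken.getExp().longValue() - Time.currentTime());
                }
            }
            // The OIDC hash claims can only live in an ID token: fail with the same kind of guard the
            // generate* methods use instead of dereferencing a null idToken.
            boolean hashClaimRequested = this.generateAccessTokenHash || this.codeHash != null || this.stateHash != null;
            if (hashClaimRequested && this.idToken == null) {
                throw new IllegalStateException("idToken not set");
            }
            if (this.generateAccessTokenHash) {
                if (this.accessToken == null) {
                    throw new IllegalStateException("accessToken not set");
                }
                // at_hash is computed over the *encoded* access token, hence after encoding above.
                this.idToken.setAccessTokenHash(generateOIDCHash(accessTokenResponse.getToken()));
            }
            if (this.codeHash != null) {
                this.idToken.setCodeHash(this.codeHash);
            }
            if (this.stateHash != null) {
                this.idToken.setStateHash(this.stateHash);
            }
            if (this.idToken != null) {
                // The ID token is the only token that is also encrypted (when the client is configured for it).
                accessTokenResponse.setIdToken(this.session.tokens().encodeAndEncrypt(this.idToken));
            }
            if (this.refreshToken != null) {
                accessTokenResponse.setRefreshToken(this.session.tokens().encode(this.refreshToken));
                Long exp = this.refreshToken.getExp();
                if (exp != null && exp.longValue() > 0) {
                    accessTokenResponse.setRefreshExpiresIn(exp.longValue() - Time.currentTime());
                }
            }
            // not-before-policy: the latest of realm, client and (persisted) user not-before timestamps.
            int notBefore = Math.max(this.realm.getNotBefore(), this.client.getNotBefore());
            UserModel user = this.userSession.getUser();
            // Lightweight (transient) users have no persisted not-before.
            if (!LightweightUserAdapter.isLightweightUser(user)) {
                notBefore = Math.max(notBefore, this.session.users().getNotBeforeOfUser(this.realm, user));
            }
            accessTokenResponse.setNotBeforePolicy(notBefore);
            AccessTokenResponse transformAccessTokenResponse = TokenManager.this.transformAccessTokenResponse(this.session, accessTokenResponse, this.userSession, this.clientSessionCtx);
            String scopeString = this.clientSessionCtx.getScopeString();
            transformAccessTokenResponse.setScope(scopeString);
            this.event.detail("scope", scopeString);
            this.response = transformAccessTokenResponse;
            return this.response;
        }

        /**
         * Hashes {@code str} with the digest algorithm of the ID-token signature algorithm's signer and
         * encodes it in the OIDC hash-claim form (via {@code HashUtils.encodeHashToOIDC}), as used for
         * at_hash, c_hash and s_hash.
         */
        private String generateOIDCHash(String str) {
            return HashUtils.encodeHashToOIDC(this.session.getProvider(HashProvider.class, this.session.getProvider(SignatureProvider.class, this.session.tokens().signatureAlgorithm(TokenCategory.ID)).signer().getHashAlgorithm()).hash(str));
        }
    }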

    /* loaded from: input_file:org/keycloak/protocol/oidc/TokenManager$NotBeforeCheck.class */
    /**
     * Token-verifier predicate rejecting tokens issued before a "not before" timestamp (seconds since epoch).
     * A threshold of 0 never rejects anything, since every iat is non-negative.
     */
    public static class NotBeforeCheck implements TokenVerifier.Predicate<JsonWebToken> {
        private final int notBefore;

        public NotBeforeCheck(int i) {
            this.notBefore = i;
        }

        /**
         * @return true when the token's iat is at or after the threshold
         * @throws VerificationException ("Stale token") when the token predates the threshold
         */
        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            long issuedAt = jsonWebToken.getIat().longValue();
            if (issuedAt >= this.notBefore) {
                return true;
            }
            throw new VerificationException("Stale token");
        }

        /**
         * Combines the client-level and realm-level not-before values.  A zero on either side means
         * "unset" and the other value is used; when both are set the <em>smaller</em> (older, less
         * restrictive) one is enforced.  A null client yields a no-op check.
         * NOTE(review): AccessTokenResponseBuilder#build reports not_before_policy using the larger of the
         * same two values — confirm the asymmetry is intended.
         */
        public static NotBeforeCheck forModel(ClientModel clientModel) {
            if (clientModel == null) {
                return new NotBeforeCheck(0);
            }
            int clientNotBefore = clientModel.getNotBefore();
            int realmNotBefore = clientModel.getRealm().getNotBefore();
            int effective;
            if (clientNotBefore == 0) {
                effective = realmNotBefore;
            } else if (realmNotBefore == 0) {
                effective = clientNotBefore;
            } else {
                effective = Math.min(clientNotBefore, realmNotBefore);
            }
            return new NotBeforeCheck(effective);
        }

        /** Realm-level not-before only; a null realm yields a no-op check. */
        public static NotBeforeCheck forModel(RealmModel realmModel) {
            int threshold = realmModel == null ? 0 : realmModel.getNotBefore();
            return new NotBeforeCheck(threshold);
        }

        /**
         * User-level not-before.  Lightweight (transient) users have no stored value, so their creation
         * time is used instead (the timestamp is divided by 1000, i.e. it appears to be in milliseconds —
         * TODO confirm).
         */
        public static NotBeforeCheck forModel(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
            if (LightweightUserAdapter.isLightweightUser(userModel)) {
                long createdTimestamp = ((LightweightUserAdapter) userModel).getCreatedTimestamp().longValue();
                return new NotBeforeCheck((int) (createdTimestamp / 1000));
            }
            int storedNotBefore = keycloakSession.users().getNotBeforeOfUser(realmModel, userModel);
            return new NotBeforeCheck(storedNotBefore);
        }
    }

    /* loaded from: input_file:org/keycloak/protocol/oidc/TokenManager$TokenCollector.class */
    /**
     * Single-use {@link Collector} that threads a token through a stream of (mapper model, mapper)
     * entries, replacing the token with the result of {@link #applyMapper} for each entry.
     *
     * <p>The collector is its own accumulation container ({@link #supplier()} returns {@code this}),
     * so an instance must not be reused or fed to a parallel stream; {@link #combiner()} deliberately
     * throws.
     *
     * @param <T> the token type being transformed
     */
    private static abstract class TokenCollector<T> implements Collector<Map.Entry<ProtocolMapperModel, ProtocolMapper>, TokenCollector<T>, T> {
        private T token;

        public TokenCollector(T t) {
            this.token = t;
        }

        @Override // java.util.stream.Collector
        public Supplier<TokenCollector<T>> supplier() {
            return () -> this;
        }

        @Override // java.util.stream.Collector
        public BiConsumer<TokenCollector<T>, Map.Entry<ProtocolMapperModel, ProtocolMapper>> accumulator() {
            return (collector, mapperEntry) -> collector.token = applyMapper(collector.token, mapperEntry);
        }

        @Override // java.util.stream.Collector
        public BinaryOperator<TokenCollector<T>> combiner() {
            // Sequential-only: there is no meaningful way to merge two partially mapped tokens.
            return (left, right) -> {
                throw new IllegalStateException("can't combine");
            };
        }

        @Override // java.util.stream.Collector
        public Function<TokenCollector<T>, T> finisher() {
            return collector -> collector.token;
        }

        @Override // java.util.stream.Collector
        public Set<Collector.Characteristics> characteristics() {
            return Collections.emptySet();
        }

        /** Applies one mapper to the token and returns the (possibly new) token instance. */
        protected abstract T applyMapper(T t, Map.Entry<ProtocolMapperModel, ProtocolMapper> entry);
    }

    /* loaded from: input_file:org/keycloak/protocol/oidc/TokenManager$TokenRevocationCheck.class */
    /**
     * Token-verifier predicate that rejects a token whose id has been recorded as revoked in the
     * single-use object store under the key {@code <jti>.revoked}.  Returns false (does not throw)
     * when the token is revoked.
     */
    public static class TokenRevocationCheck implements TokenVerifier.Predicate<JsonWebToken> {
        private final KeycloakSession session;

        public TokenRevocationCheck(KeycloakSession keycloakSession) {
            this.session = keycloakSession;
        }

        @Override
        public boolean test(JsonWebToken jsonWebToken) {
            String revocationKey = jsonWebToken.getId() + ".revoked";
            boolean revoked = this.session.singleUseObjects().contains(revocationKey);
            return !revoked;
        }
    }

    /* loaded from: input_file:org/keycloak/protocol/oidc/TokenManager$TokenValidation.class */
    /**
     * Outcome of {@link TokenManager#validateToken}: the resolved user and sessions together with the
     * freshly created access token.  Fields are final and public by design for the token-endpoint callers.
     */
    public static class TokenValidation {
        public final UserModel user;
        public final UserSessionModel userSession;
        public final ClientSessionContext clientSessionCtx;
        public final AccessToken newToken;

        /**
         * @param userModel the user the token belongs to
         * @param userSessionModel the backing (online or offline) user session
         * @param clientSessionContext the client-session context the new token was created from
         * @param accessToken the newly minted access token
         */
        public TokenValidation(UserModel userModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext, AccessToken accessToken) {
            this.newToken = accessToken;
            this.clientSessionCtx = clientSessionContext;
            this.userSession = userSessionModel;
            this.user = userModel;
        }
    }

    /**
     * Validates a decoded refresh token against server-side state and mints the replacement access token.
     * The signature is not checked here ({@code createWithoutSignature}); callers such as
     * {@link #refreshAccessToken} verify it beforehand.  Checks run in this order, each failure raising
     * {@code invalid_grant}: the backing user session exists and is valid (offline or online store, chosen
     * by the token type); the user exists and is enabled; the token postdates the user session; the
     * current context client has a valid client session in that user session; the token postdates the
     * client session; the token's {@code azp} is the context client; neither the client/realm nor the
     * user not-before timestamps postdate the token.  Invalid sessions are cleaned up on the way
     * (offline session revoked, online session back-channel logged out, dead client session removed).
     *
     * @param refreshToken the decoded refresh token being exchanged
     * @param str scope for the new access token; null selects legacy offline-token migration for offline sessions
     * @return user, user session, client-session context and the new access token
     * @throws OAuthErrorException {@code invalid_grant} on a failed check; {@code invalid_scope} when user consent is gone
     */
    public TokenValidation validateToken(KeycloakSession keycloakSession, UriInfo uriInfo, ClientConnection clientConnection, RealmModel realmModel, RefreshToken refreshToken, HttpHeaders httpHeaders, String str) throws OAuthErrorException {
        UserSessionModel userSession;
        // The token type decides which session store is authoritative.
        boolean equals = "Offline".equals(refreshToken.getType());
        if (equals) {
            UserSessionManager userSessionManager = new UserSessionManager(keycloakSession);
            userSession = userSessionManager.findOfflineUserSession(realmModel, refreshToken.getSessionState());
            if (userSession == null) {
                throw new OAuthErrorException("invalid_grant", "Offline user session not found", "Offline user session not found");
            }
            if (!AuthenticationManager.isSessionValid(realmModel, userSession)) {
                // Expired offline session: drop it so the token cannot be retried against it.
                userSessionManager.revokeOfflineUserSession(userSession);
                throw new OAuthErrorException("invalid_grant", "Offline session not active", "Offline session not active");
            }
        } else {
            userSession = keycloakSession.sessions().getUserSession(realmModel, refreshToken.getSessionState());
            // userSession may be null here; isSessionValid and backchannelLogout are presumably null-tolerant — confirm.
            if (!AuthenticationManager.isSessionValid(realmModel, userSession)) {
                AuthenticationManager.backchannelLogout(keycloakSession, realmModel, userSession, uriInfo, clientConnection, httpHeaders, true);
                throw new OAuthErrorException("invalid_grant", "Session not active", "Session not active");
            }
        }
        UserModel user = userSession.getUser();
        if (user == null) {
            throw new OAuthErrorException("invalid_grant", "Invalid refresh token", "Unknown user");
        }
        if (!user.isEnabled()) {
            throw new OAuthErrorException("invalid_grant", "User disabled", "User disabled");
        }
        // A token older than the session it names cannot belong to it (e.g. the session was recreated).
        if (refreshToken.isIssuedBeforeSessionStart(userSession.getStarted())) {
            logger.debug("Refresh token issued before the user session started");
            throw new OAuthErrorException("invalid_grant", "Refresh token issued before the user session started");
        }
        // The client is the one authenticated for this request, never something read from the token.
        ClientModel client = keycloakSession.getContext().getClient();
        AuthenticatedClientSessionModel authenticatedClientSessionByClient = userSession.getAuthenticatedClientSessionByClient(client.getId());
        if (authenticatedClientSessionByClient == null) {
            // Re-resolve the user session requiring the client session to exist (it may simply not be loaded above).
            userSession = keycloakSession.sessions().getUserSessionIfClientExists(realmModel, userSession.getId(), equals, client.getId());
            if (userSession == null) {
                throw new OAuthErrorException("invalid_grant", "Session doesn't have required client", "Session doesn't have required client");
            }
            authenticatedClientSessionByClient = userSession.getAuthenticatedClientSessionByClient(client.getId());
        }
        if (!AuthenticationManager.isClientSessionValid(realmModel, client, userSession, authenticatedClientSessionByClient)) {
            logger.debug("Client session not active");
            // Remove the dead client session so it does not linger in the user session.
            userSession.removeAuthenticatedClientSessions(Collections.singletonList(client.getId()));
            throw new OAuthErrorException("invalid_grant", "Client session not active");
        }
        if (refreshToken.isIssuedBeforeSessionStart(authenticatedClientSessionByClient.getStarted())) {
            logger.debug("refresh token issued before the client session started");
            throw new OAuthErrorException("invalid_grant", "refresh token issued before the client session started");
        }
        // The token's azp must be the authenticated client: refresh tokens are not transferable between clients.
        if (!client.getClientId().equals(refreshToken.getIssuedFor())) {
            throw new OAuthErrorException("invalid_grant", "Unmatching clients", "Unmatching clients");
        }
        try {
            // Not-before (revocation push) checks for client/realm and for the user.
            TokenVerifier.createWithoutSignature(refreshToken).withChecks(new TokenVerifier.Predicate[]{NotBeforeCheck.forModel(client), NotBeforeCheck.forModel(keycloakSession, realmModel, user)}).verify();
            // Legacy offline tokens carry no scope claim: migrate them and assume offline_access.
            if (str == null && userSession.isOffline()) {
                logger.debugf("Migrating offline token of user '%s' for client '%s' of realm '%s'", user.getUsername(), client.getClientId(), realmModel.getName());
                MigrationUtils.migrateOldOfflineToken(keycloakSession, realmModel, client, user);
                str = "offline_access";
            }
            DefaultClientSessionContext fromClientSessionAndScopeParameter = DefaultClientSessionContext.fromClientSessionAndScopeParameter(authenticatedClientSessionByClient, str, keycloakSession);
            // Consent may have been revoked since the token was issued.
            if (!verifyConsentStillAvailable(keycloakSession, user, client, fromClientSessionAndScopeParameter.getClientScopesStream())) {
                throw new OAuthErrorException("invalid_scope", "Client no longer has requested consent from user");
            }
            // Carry the original nonce so an ID token issued on refresh can echo it.
            if (refreshToken.getNonce() != null) {
                fromClientSessionAndScopeParameter.setAttribute(OIDCLoginProtocol.NONCE_PARAM, refreshToken.getNonce());
            }
            fromClientSessionAndScopeParameter.setAttribute("grant_type", AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN);
            return new TokenValidation(user, userSession, fromClientSessionAndScopeParameter, createClientAccessToken(keycloakSession, realmModel, client, user, userSession, fromClientSessionAndScopeParameter));
        } catch (VerificationException e) {
            // Any VerificationException raised inside the try (the not-before checks being the expected source) is reported as a stale token.
            throw new OAuthErrorException("invalid_grant", "Stale token");
        }
    }

    /**
     * Checks that a user resolved from an access token may still use it: the user exists, is enabled,
     * and the token was not issued before the user's not-before timestamp.  Failures are logged at
     * debug level and reported as {@code false}; nothing is thrown.
     */
    public static boolean isUserValid(KeycloakSession keycloakSession, RealmModel realmModel, AccessToken accessToken, UserModel userModel) {
        if (userModel == null) {
            logger.debugf("User does not exists", new Object[0]);
            return false;
        }
        if (!userModel.isEnabled()) {
            logger.debugf("User '%s' is disabled", userModel.getUsername());
            return false;
        }
        try {
            NotBeforeCheck userNotBefore = NotBeforeCheck.forModel(keycloakSession, realmModel, userModel);
            TokenVerifier.createWithoutSignature(accessToken).withChecks(new TokenVerifier.Predicate[]{userNotBefore}).verify();
        } catch (VerificationException e) {
            logger.debugf("JWT check failed: %s", e.getMessage());
            return false;
        }
        return true;
    }

    /**
     * Resolves the user for a token that has no backing session.  The {@code sub} claim is tried first
     * (as a user id); when that finds nothing, {@code preferred_username} is looked up as a username.
     * Returns null when neither claim resolves.
     * NOTE(review): the username fallback maps the token to a user by a mutable attribute, so this
     * should only be reached with a signature-verified token.
     */
    public static UserModel lookupUserFromStatelessToken(KeycloakSession keycloakSession, RealmModel realmModel, AccessToken accessToken) {
        String subject = accessToken.getSubject();
        if (subject != null) {
            UserModel bySubject = keycloakSession.users().getUserById(realmModel, subject);
            if (bySubject != null) {
                return bySubject;
            }
        }
        String username = accessToken.getPreferredUsername();
        if (username == null) {
            return null;
        }
        return keycloakSession.users().getUserByUsername(realmModel, username);
    }

    /**
     * Executes the refresh_token grant for {@code clientModel}: verifies the presented refresh token,
     * optionally narrows its scope to the request's scope parameter, validates the backing session,
     * enforces the realm's refresh-token reuse policy and returns a builder holding the new access token
     * plus, depending on client configuration, a replacement refresh token and an ID token.  The caller
     * is expected to invoke {@code build()} on the result.
     *
     * @param str the raw encoded refresh token from the request
     * @param str2 the requested scope, or null/empty to keep the refresh token's scope unchanged
     * @throws OAuthErrorException ({@code invalid_grant}) when the token, session or client does not check out
     */
    public AccessTokenResponseBuilder refreshAccessToken(KeycloakSession keycloakSession, UriInfo uriInfo, ClientConnection clientConnection, RealmModel realmModel, ClientModel clientModel, String str, EventBuilder eventBuilder, HttpHeaders httpHeaders, HttpRequest httpRequest, String str2) throws OAuthErrorException {
        RefreshToken oldRefreshToken = verifyRefreshToken(keycloakSession, realmModel, clientModel, httpRequest, str, true);
        eventBuilder.session(oldRefreshToken.getSessionState())
                .detail("refresh_token_id", oldRefreshToken.getId())
                .detail("refresh_token_type", oldRefreshToken.getType());
        String refreshSubject = oldRefreshToken.getSubject();
        if (refreshSubject != null) {
            eventBuilder.detail("refresh_token_sub", refreshSubject);
        }
        // Scope can only be narrowed on refresh: keep the old token's scopes that the request asks for
        // (plus organization scopes resolving to a requested one); never add new ones.
        String effectiveScope = oldRefreshToken.getScope();
        boolean scopeRequested = str2 != null && !str2.isEmpty();
        if (scopeRequested) {
            Set<String> requestedScopes = Arrays.stream(str2.split(" ")).collect(Collectors.toSet());
            Function<String, String> narrow = transformScopes(keycloakSession, requestedScopes);
            effectiveScope = Arrays.stream(effectiveScope.split(" "))
                    .map(narrow)
                    .filter(Objects::nonNull)
                    .collect(Collectors.joining(" "));
        }
        TokenValidation validation = validateToken(keycloakSession, uriInfo, clientConnection, realmModel, oldRefreshToken, httpHeaders, effectiveScope);
        AuthenticatedClientSessionModel clientSession = validation.clientSessionCtx.getClientSession();
        OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientModel(clientModel);
        // The session resolved for the token must belong to the client authenticated on this request.
        boolean sameClient = clientSession.getClient().getId().equals(clientModel.getId());
        if (!sameClient) {
            throw new OAuthErrorException("invalid_grant", "Invalid refresh token. Token client and authorized client don't match");
        }
        validateTokenReuseForRefresh(keycloakSession, realmModel, oldRefreshToken, validation);
        eventBuilder.user(validation.userSession.getUser());
        AccessToken newAccessToken = validation.newToken;
        // Carry over the authorization (permissions) claim of the old token.
        if (oldRefreshToken.getAuthorization() != null) {
            newAccessToken.setAuthorization(oldRefreshToken.getAuthorization());
        }
        // Requested audiences were persisted in the old refresh token as client ids; resolve them back to
        // clients (dropping any that no longer exist) so the new tokens keep the same audience restriction.
        @SuppressWarnings("unchecked")
        Collection<String> requestedAudiences = (Collection<String>) oldRefreshToken.getOtherClaims().get("req-aud");
        if (requestedAudiences != null) {
            ClientModel[] audienceClients = requestedAudiences.stream()
                    .map(clientId -> keycloakSession.clients().getClientByClientId(realmModel, clientId))
                    .filter(Objects::nonNull)
                    .toArray(ClientModel[]::new);
            validation.clientSessionCtx.setAttribute("req-aud-clients", audienceClients);
        }
        AccessTokenResponseBuilder builder = responseBuilder(realmModel, clientModel, eventBuilder, keycloakSession, validation.userSession, validation.clientSessionCtx);
        builder.offlineToken("Offline".equals(oldRefreshToken.getType()));
        builder.accessToken(newAccessToken);
        if (clientConfig.isUseRefreshToken()) {
            builder.generateRefreshToken(oldRefreshToken, clientSession);
            if (newAccessToken.getAuthorization() != null) {
                builder.getRefreshToken().setAuthorization(newAccessToken.getAuthorization());
            }
        }
        // An ID token (with at_hash bound to the new access token) is only added when the original
        // request was an OIDC one, as judged from the client session's scope note.
        if (TokenUtil.isOIDCRequest(clientSession.getNote("scope"))) {
            builder.generateIDToken().generateAccessTokenHash();
        }
        storeRefreshTimingInformation(eventBuilder, oldRefreshToken, newAccessToken);
        return builder;
    }

    /**
     * Builds the mapping applied to each scope a refresh request asks for.
     *
     * <p>A scope already contained in {@code set} is accepted verbatim. Any other scope is
     * only accepted when the ORGANIZATION feature is on and {@link OrganizationScope} can
     * resolve it; everything else maps to {@code null}, which the caller is expected to
     * filter out so that unknown scopes are dropped rather than propagated.
     *
     * @param keycloakSession current session, handed to the organization scope resolution
     * @param set scopes that are accepted without further resolution
     * @return a function from a requested scope to its accepted name, or {@code null}
     */
    private Function<String, String> transformScopes(KeycloakSession keycloakSession, Set<String> set) {
        return requested -> {
            if (set.contains(requested)) {
                return requested;
            }
            if (!Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) {
                return null;
            }
            OrganizationScope orgScope = OrganizationScope.valueOfScope(keycloakSession, requested);
            return orgScope == null ? null : orgScope.resolveName(keycloakSession, set, requested);
        };
    }

    /**
     * Records two timing details on the refresh event: how long the new access token is
     * valid (exp - iat) and how old the presented refresh token was when it was used
     * (new token iat - refresh token iat). Both values are in seconds, as strings.
     *
     * @param eventBuilder event the details are attached to
     * @param refreshToken the refresh token that was presented
     * @param accessToken the freshly issued access token
     */
    private void storeRefreshTimingInformation(EventBuilder eventBuilder, RefreshToken refreshToken, AccessToken accessToken) {
        final long accessTokenLifetime = accessToken.getExp() - accessToken.getIat();
        final long refreshTokenAge = accessToken.getIat() - refreshToken.getIat();
        eventBuilder.detail("access_token_expiration_time", Long.toString(accessTokenLifetime));
        eventBuilder.detail("age_of_refresh_token", Long.toString(refreshTokenAge));
    }

    /**
     * Enforces refresh-token reuse limits when the realm has "revoke refresh token" enabled.
     *
     * <p>On success the use counter for the token's reuse key is incremented. When the reuse
     * check fails, the client session is detached from the user session before the error is
     * rethrown, so a replayed refresh token invalidates the whole client session instead of
     * only the one request.
     *
     * @throws OAuthErrorException when the token is stale or has been reused too often
     */
    private void validateTokenReuseForRefresh(KeycloakSession keycloakSession, RealmModel realmModel, RefreshToken refreshToken, TokenValidation tokenValidation) throws OAuthErrorException {
        if (!realmModel.isRevokeRefreshToken()) {
            return;
        }
        AuthenticatedClientSessionModel clientSession = tokenValidation.clientSessionCtx.getClientSession();
        try {
            validateTokenReuse(keycloakSession, realmModel, refreshToken, clientSession, true);
            String reuseIdKey = getReuseIdKey(refreshToken);
            int useCount = clientSession.getRefreshTokenUseCount(reuseIdKey);
            clientSession.setRefreshTokenUseCount(reuseIdKey, useCount + 1);
        } catch (OAuthErrorException reuseFailure) {
            if (logger.isDebugEnabled()) {
                logger.debugf("Failed validation of refresh token %s due it was used before. Realm: %s, client: %s, user: %s, user session: %s. Will detach client session from user session",
                        refreshToken.getId(), realmModel.getName(), clientSession.getClient().getClientId(),
                        clientSession.getUserSession().getUser().getUsername(), clientSession.getUserSession().getId());
            }
            // Defensive response to a suspected replay: drop the client session entirely.
            clientSession.detachFromUserSession();
            throw reuseFailure;
        }
    }

    /**
     * Checks a presented refresh token against the reuse state stored on the client session.
     *
     * <p>Two conditions reject the token: it is "stale" (a different token was issued for the
     * same reuse key after this one, and that issuance happened after the session store last
     * started), or the stored use counter already exceeds the realm's max-reuse setting.
     * When {@code z} is true and the token is not the one currently recorded, the client
     * session is updated to track this token with a zeroed counter before the counter check.
     *
     * @param accessToken the refresh token being validated (typed as AccessToken)
     * @param z whether the client session's stored token/counter may be reset to this token
     * @throws OAuthErrorException "invalid_grant" for a stale token or exceeded reuse count
     */
    public void validateTokenReuse(KeycloakSession keycloakSession, RealmModel realmModel, AccessToken accessToken, AuthenticatedClientSessionModel authenticatedClientSessionModel, boolean z) throws OAuthErrorException {
        final int storeStartupTime = keycloakSession.getProvider(UserSessionProvider.class).getStartupTime(realmModel);
        final String reuseIdKey = getReuseIdKey(accessToken);
        final String recordedTokenId = authenticatedClientSessionModel.getRefreshToken(reuseIdKey);
        final int lastRefresh = authenticatedClientSessionModel.getRefreshTokenLastRefresh(reuseIdKey);
        final boolean isRecordedToken = accessToken.getId().equals(recordedTokenId);

        boolean stale = recordedTokenId != null
                && !isRecordedToken
                && accessToken.getIat().longValue() < lastRefresh
                && storeStartupTime <= lastRefresh;
        if (stale) {
            throw new OAuthErrorException("invalid_grant", "Stale token");
        }

        if (!isRecordedToken) {
            if (!z) {
                return;
            }
            authenticatedClientSessionModel.setRefreshToken(reuseIdKey, accessToken.getId());
            authenticatedClientSessionModel.setRefreshTokenUseCount(reuseIdKey, 0);
        }

        int useCount = authenticatedClientSessionModel.getRefreshTokenUseCount(reuseIdKey);
        if (useCount > realmModel.getRefreshTokenMaxReuse()) {
            throw new OAuthErrorException("invalid_grant", "Maximum allowed refresh token reuse exceeded", "Maximum allowed refresh token reuse exceeded");
        }
    }

    /**
     * Decodes and validates a refresh token presented to the token endpoint.
     *
     * <p>Checks applied, in order: the token decodes; its type is "Refresh" or "Offline"; the
     * issuer matches this realm; when {@code z} is set, not-before and active-time checks;
     * the token was issued for {@code clientModel}; when the client uses mTLS HoK tokens, the
     * certificate binding; and when DPoP is enabled and the token is DPoP-bound, the DPoP
     * proof stored on the session. Signature verification is not repeated here — it is
     * assumed to have happened inside {@code toRefreshToken} (session token decoding).
     *
     * @param z whether to additionally enforce not-before and expiry checks
     * @return the decoded, validated refresh token
     * @throws OAuthErrorException "invalid_grant" (or "unauthorized_client" for a failed mTLS binding)
     */
    public RefreshToken verifyRefreshToken(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, HttpRequest httpRequest, String str, boolean z) throws OAuthErrorException {
        try {
            RefreshToken token = toRefreshToken(keycloakSession, str);
            String tokenType = token.getType();
            boolean acceptedType = "Refresh".equals(tokenType) || "Offline".equals(tokenType);
            if (!acceptedType) {
                throw new OAuthErrorException("invalid_grant", "Invalid refresh token");
            }

            String expectedIssuer = Urls.realmIssuer(keycloakSession.getContext().getUri().getBaseUri(), realmModel.getName());
            TokenVerifier<RefreshToken> verifier = TokenVerifier.createWithoutSignature(token)
                    .withChecks(new TokenVerifier.RealmUrlCheck(expectedIssuer));
            if (z) {
                verifier.withChecks(NotBeforeCheck.forModel(realmModel), TokenVerifier.IS_ACTIVE);
            }

            try {
                verifier.verify();

                if (!clientModel.getClientId().equals(token.getIssuedFor())) {
                    throw new OAuthErrorException("invalid_grant", "Invalid refresh token. Token client and authorized client don't match");
                }

                boolean mtlsBound = OIDCAdvancedConfigWrapper.fromClientModel(clientModel).isUseMtlsHokToken();
                if (mtlsBound && !MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(token, httpRequest, keycloakSession)) {
                    throw new OAuthErrorException("unauthorized_client", MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC);
                }

                if (Profile.isFeatureEnabled(Profile.Feature.DPOP) && DPoPUtil.isDPoPToken(token)) {
                    // The DPoP proof for this request is expected to have been parsed earlier and stored on the session.
                    DPoP proof = (DPoP) keycloakSession.getAttribute(DPoPUtil.DPOP_SESSION_ATTRIBUTE);
                    if (proof == null) {
                        throw new OAuthErrorException("invalid_grant", "DPoP proof is missing");
                    }
                    try {
                        DPoPUtil.validateBinding(token, proof);
                    } catch (VerificationException bindingFailure) {
                        throw new OAuthErrorException("invalid_grant", bindingFailure.getMessage());
                    }
                }
                return token;
            } catch (VerificationException checkFailure) {
                throw new OAuthErrorException("invalid_grant", checkFailure.getMessage());
            }
        } catch (JWSInputException parseFailure) {
            throw new OAuthErrorException("invalid_grant", "Invalid refresh token", parseFailure);
        }
    }

    /**
     * Decodes an encoded refresh token via the session's token manager.
     *
     * @return the decoded token
     * @throws OAuthErrorException "invalid_grant" when decoding yields no token
     */
    public RefreshToken toRefreshToken(KeycloakSession keycloakSession, String str) throws JWSInputException, OAuthErrorException {
        return Optional.ofNullable(keycloakSession.tokens().decode(str, RefreshToken.class))
                .orElseThrow(() -> new OAuthErrorException("invalid_grant", "Invalid refresh token"));
    }

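    /**
     * Decodes an ID token and checks its not-before and active-time constraints.
     *
     * <p>Unlike the sibling {@code verifyIDTokenSignature}, this method previously passed a
     * {@code null} decode result straight into the verifier; a token that fails to decode is
     * now rejected with the same "Invalid IDToken" error so it surfaces as an OAuth error
     * rather than a NullPointerException.
     *
     * @return the decoded ID token after its time-based checks pass
     * @throws OAuthErrorException "invalid_grant" when the token does not decode or a check fails
     */
    public IDToken verifyIDToken(KeycloakSession keycloakSession, RealmModel realmModel, String str) throws OAuthErrorException {
        IDToken idToken = keycloakSession.tokens().decode(str, IDToken.class);
        if (idToken == null) {
            throw new OAuthErrorException("invalid_grant", "Invalid IDToken");
        }
        try {
            TokenVerifier.createWithoutSignature(idToken)
                    .withChecks(NotBeforeCheck.forModel(realmModel), TokenVerifier.IS_ACTIVE)
                    .verify();
        } catch (VerificationException e) {
            throw new OAuthErrorException("invalid_grant", e.getMessage());
        }
        return idToken;
    }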

    /**
     * Decodes an ID token through the session's token manager and rejects an undecodable one.
     * The method name suggests the decode step covers signature verification; no additional
     * checks (issuer, expiry) are performed here.
     *
     * @return the decoded ID token
     * @throws OAuthErrorException "invalid_grant" when decoding yields no token
     */
    public IDToken verifyIDTokenSignature(KeycloakSession keycloakSession, String str) throws OAuthErrorException {
        return Optional.ofNullable(keycloakSession.tokens().decode(str, IDToken.class))
                .orElseThrow(() -> new OAuthErrorException("invalid_grant", "Invalid IDToken"));
    }

    /**
     * Creates an access token for the given client session: initializes the base token from the
     * session context and then runs the configured access-token protocol mappers over it.
     *
     * @return the mapped access token
     */
    public AccessToken createClientAccessToken(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        UriInfo requestUri = keycloakSession.getContext().getUri();
        AccessToken baseToken = initToken(keycloakSession, realmModel, clientModel, userModel, userSessionModel, clientSessionContext, requestUri);
        return transformAccessToken(keycloakSession, baseToken, userSessionModel, clientSessionContext);
    }

    /**
     * Attaches an authentication session to a user session without requesting a transient
     * user session; see the four-argument overload for the details.
     */
    public static ClientSessionContext attachAuthenticationSession(KeycloakSession keycloakSession, UserSessionModel userSessionModel, AuthenticationSessionModel authenticationSessionModel) {
        final boolean createTransientUserSession = false;
        return attachAuthenticationSession(keycloakSession, userSessionModel, authenticationSessionModel, createTransientUserSession);
    }

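    /**
     * Binds a completed authentication session to a client session of the user session.
     *
     * <p>An existing client session for the client is restarted when it is no longer valid;
     * when none exists, one is created (on a transient copy of the user session if {@code z}
     * is set and the user session is not already transient). Redirect URI, protocol, all
     * client notes, all user-session notes, the level of authentication and the timestamp are
     * then copied over, and the client scopes of the request are resolved (through the
     * authorization request context when DYNAMIC_SCOPES is on, otherwise from the "scope"
     * client note).
     *
     * <p>Raw {@code Set}/{@code Map.Entry} types and their casts have been replaced with
     * their generic forms; behavior is unchanged.
     *
     * @param z whether a non-transient user session should be replaced by a transient one
     *          before a new client session is created
     * @return the client session context carrying the resolved client scopes
     */
    public static ClientSessionContext attachAuthenticationSession(KeycloakSession keycloakSession, UserSessionModel userSessionModel, AuthenticationSessionModel authenticationSessionModel, boolean z) {
        ClientModel client = authenticationSessionModel.getClient();
        RealmModel realm = userSessionModel.getRealm();
        AuthenticatedClientSessionModel clientSession = userSessionModel.getAuthenticatedClientSessionByClient(client.getId());

        if (clientSession != null && !AuthenticationManager.isClientSessionValid(realm, client, userSessionModel, clientSession)) {
            clientSession.restartClientSession();
        } else if (clientSession == null) {
            if (z && userSessionModel.getPersistenceState() != UserSessionModel.SessionPersistenceState.TRANSIENT) {
                // The remaining steps must operate on the transient copy, hence the reassignment.
                userSessionModel = UserSessionUtil.createTransientUserSession(keycloakSession, userSessionModel);
            }
            clientSession = keycloakSession.sessions().createClientSession(realm, client, userSessionModel);
        }

        clientSession.setRedirectUri(authenticationSessionModel.getRedirectUri());
        clientSession.setProtocol(authenticationSessionModel.getProtocol());

        String scopeParam = authenticationSessionModel.getClientNote("scope");
        Set<ClientScopeModel> clientScopes;
        if (Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES)) {
            keycloakSession.getContext().setClient(client);
            clientScopes = AuthorizationContextUtil
                    .getClientScopesStreamFromAuthorizationRequestContextWithClient(keycloakSession, scopeParam)
                    .collect(Collectors.toSet());
        } else {
            clientScopes = getRequestedClientScopes(keycloakSession, scopeParam, client, userSessionModel.getUser())
                    .collect(Collectors.toSet());
        }

        for (Map.Entry<String, String> note : authenticationSessionModel.getClientNotes().entrySet()) {
            clientSession.setNote(note.getKey(), note.getValue());
        }
        for (Map.Entry<String, String> note : authenticationSessionModel.getUserSessionNotes().entrySet()) {
            userSessionModel.setNote(note.getKey(), note.getValue());
        }

        int levelOfAuthentication = new AcrStore(keycloakSession, authenticationSessionModel).getLevelOfAuthenticationFromCurrentAuthentication();
        clientSession.setNote("level-of-authentication", String.valueOf(levelOfAuthentication));
        clientSession.setTimestamp(userSessionModel.getLastSessionRefresh());

        new AuthenticationSessionManager(keycloakSession).updateAuthenticationSessionAfterSuccessfulAuthentication(realm, authenticationSessionModel);
        return DefaultClientSessionContext.fromClientSessionAndClientScopes(clientSession, clientScopes, keycloakSession);
    }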

    /**
     * Detaches the client session from its user session, if it is still attached.
     *
     * @param authenticatedClientSessionModel the client session to detach
     */
    public static void dettachClientSession(AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        boolean attached = authenticatedClientSessionModel.getUserSession() != null;
        if (attached) {
            authenticatedClientSessionModel.detachFromUserSession();
        }
    }

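    /**
     * Computes the roles a token may carry for a client.
     *
     * <p>Starts from the user's full (composite-expanded) role mappings. With full scope
     * allowed, that set is returned as-is. Otherwise it is intersected with the expanded
     * union of the client's own roles and the scope mappings of the given client scopes.
     *
     * <p>The two nearly identical trace/no-trace stream branches of the original were merged
     * into one {@code flatMap}; {@code isTraceEnabled()} is still evaluated once, up front.
     *
     * @param stream the client scopes whose scope mappings widen the client's own roles
     * @return the (possibly narrowed) role set; the same mutable set returned by
     *         {@code RoleUtils.getDeepUserRoleMappings}
     */
    public static Set<RoleModel> getAccess(UserModel userModel, ClientModel clientModel, Stream<ClientScopeModel> stream) {
        Set<RoleModel> roleMappings = RoleUtils.getDeepUserRoleMappings(userModel);
        if (clientModel.isFullScopeAllowed()) {
            if (logger.isTraceEnabled()) {
                logger.tracef("Using full scope for client %s", clientModel.getClientId());
            }
            return roleMappings;
        }

        final boolean trace = logger.isTraceEnabled();
        Stream<RoleModel> scopeMappings = stream.flatMap(clientScope -> {
            if (trace) {
                logger.tracef("Adding client scope role mappings of client scope '%s' to client '%s'", clientScope.getName(), clientModel.getClientId());
            }
            return clientScope.getScopeMappingsStream();
        });

        Set<RoleModel> allowedRoles = RoleUtils
                .expandCompositeRolesStream(Stream.concat(clientModel.getRolesStream(), scopeMappings))
                .collect(Collectors.toSet());
        roleMappings.retainAll(allowedRoles);
        return roleMappings;
    }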

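    /**
     * Resolves the client scopes a request is entitled to.
     *
     * <p>The result always contains the client's default scopes plus the client itself. When a
     * scope parameter is given, each requested scope name is looked up among the client's
     * optional scopes and, failing that, resolved as a dynamic (organization) scope; names
     * that resolve to nothing are silently dropped. A {@code null} client yields an empty stream.
     *
     * <p>Replaces the raw {@code Map} and the {@code Stream.of((Object[]) ...)} idiom with
     * their typed equivalents; behavior is unchanged.
     *
     * @param str the raw "scope" request parameter, may be {@code null}
     * @return a distinct stream of client scopes (requested ones first, then defaults)
     */
    public static Stream<ClientScopeModel> getRequestedClientScopes(KeycloakSession keycloakSession, String str, ClientModel clientModel, UserModel userModel) {
        if (clientModel == null) {
            return Stream.empty();
        }
        Stream<ClientScopeModel> defaultScopes = Stream
                .concat(clientModel.getClientScopes(true).values().stream(), Stream.of(clientModel))
                .distinct();
        if (str == null) {
            return defaultScopes;
        }
        Map<String, ClientScopeModel> optionalScopes = clientModel.getClientScopes(false);
        Stream<ClientScopeModel> requestedScopes = parseScopeParameter(str)
                .map(scopeName -> {
                    ClientScopeModel known = optionalScopes.get(scopeName);
                    // Note: the full scope parameter, not just this name, is what the dynamic resolver inspects.
                    return known != null ? known : tryResolveDynamicClientScope(keycloakSession, str, userModel, scopeName);
                })
                .filter(Objects::nonNull);
        return Stream.concat(requestedScopes, defaultScopes).distinct();
    }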

    /**
     * Attempts to turn a requested scope name into a dynamic organization client scope.
     *
     * <p>Returns {@code null} unless the ORGANIZATION feature is enabled and the full scope
     * parameter maps to an {@link OrganizationScope}. With a user present, the scope is only
     * materialized when it resolves to at least one organization for that user; without a
     * user it is materialized unconditionally.
     *
     * @param str the full "scope" request parameter
     * @param str2 the individual scope name being resolved
     * @return the resolved client scope or {@code null}
     */
    private static ClientScopeModel tryResolveDynamicClientScope(KeycloakSession keycloakSession, String str, UserModel userModel, String str2) {
        if (!Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) {
            return null;
        }
        OrganizationScope orgScope = OrganizationScope.valueOfScope(keycloakSession, str);
        if (orgScope == null) {
            return null;
        }
        boolean applicable = userModel == null
                || orgScope.resolveOrganizations(userModel, str, keycloakSession).findAny().isPresent();
        return applicable ? orgScope.toClientScope(str2, userModel, keycloakSession) : null;
    }

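    /**
     * Validates a requested "scope" parameter against what the client may grant.
     *
     * <p>A {@code null} parameter is valid. More than one "organization*" scope is rejected
     * when the ORGANIZATION feature is on. "openid" is ignored for OIDC requests. The
     * remaining scopes must each be either among the allowed names — taken from the
     * authorization request context when one is given, otherwise from the client's resolvable
     * client scopes (excluding the client itself) — or resolvable as a dynamic client scope of
     * the client. An empty allowed set rejects any non-empty request.
     *
     * <p>The decompiled original contained an uncompilable predicate artifact
     * ({@code r1.isInstance}) and raw {@code Set}/{@code Collection} types; both are replaced
     * with the typed stream pipeline below, behavior unchanged.
     *
     * @param str the raw "scope" request parameter, may be {@code null}
     * @param authorizationRequestContext optional RAR context; when present its authorization
     *        detail entries define the allowed scope names
     * @return whether every requested scope is permitted
     */
    public static boolean isValidScope(KeycloakSession keycloakSession, String str, AuthorizationRequestContext authorizationRequestContext, ClientModel clientModel, UserModel userModel) {
        if (str == null) {
            return true;
        }
        Set<String> requestedScopes = parseScopeParameter(str).collect(Collectors.toSet());
        if (Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)
                && requestedScopes.stream().filter(scope -> scope.startsWith("organization")).count() > 1) {
            return false;
        }
        if (TokenUtil.isOIDCRequest(str)) {
            requestedScopes.remove(OIDCIdentityProvider.SCOPE_OPENID);
        }
        if (requestedScopes.isEmpty()) {
            return true;
        }

        Set<String> allowedScopes;
        if (authorizationRequestContext == null) {
            // getRequestedClientScopes also yields the client itself; it is not a grantable scope name.
            allowedScopes = getRequestedClientScopes(keycloakSession, str, clientModel, userModel)
                    .filter(Predicate.not(ClientModel.class::isInstance))
                    .map(ClientScopeModel::getName)
                    .collect(Collectors.toSet());
        } else {
            allowedScopes = Optional.ofNullable(authorizationRequestContext.getAuthorizationDetailEntries())
                    .orElse(List.of())
                    .stream()
                    .map(entry -> entry.getAuthorizationDetails())
                    .map(details -> details.getScopeNameFromCustomData())
                    .collect(Collectors.toSet());
        }

        if (logger.isTraceEnabled()) {
            logger.tracef("Scopes to validate requested scopes against: %1s", String.join(" ", allowedScopes));
            logger.tracef("Requested scopes: %1s", String.join(" ", requestedScopes));
        }
        if (allowedScopes.isEmpty()) {
            return false;
        }
        for (String requested : requestedScopes) {
            if (!allowedScopes.contains(requested) && clientModel.getDynamicClientScope(requested) == null) {
                return false;
            }
        }
        return true;
    }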

    /**
     * Validates a "scope" parameter without an authorization request context; see the
     * five-argument overload.
     */
    public static boolean isValidScope(KeycloakSession keycloakSession, String str, ClientModel clientModel, UserModel userModel) {
        final AuthorizationRequestContext noRequestContext = null;
        return isValidScope(keycloakSession, str, noRequestContext, clientModel, userModel);
    }

    /**
     * Splits a space-separated "scope" parameter into its distinct entries, preserving order.
     * Splitting is on single spaces only, so consecutive spaces produce empty entries.
     *
     * @param str the raw scope parameter; must not be {@code null}
     * @return the distinct scope names in order of first appearance
     */
    public static Stream<String> parseScopeParameter(String str) {
        String[] parts = str.split(" ");
        return Stream.of(parts).distinct();
    }

    /**
     * Checks that the user's stored consent still covers every consent-screen client scope.
     *
     * <p>Clients that do not require consent always pass. Otherwise each client scope that is
     * displayed on the consent screen must be among the granted scopes of the user's consent
     * for this client; the first missing one is logged at debug level and fails the check.
     *
     * @param stream the client scopes to check
     * @return whether consent is still complete
     */
    public static boolean verifyConsentStillAvailable(KeycloakSession keycloakSession, UserModel userModel, ClientModel clientModel, Stream<ClientScopeModel> stream) {
        if (!clientModel.isConsentRequired()) {
            return true;
        }
        UserConsentModel consent = UserConsentManager.getConsentByClient(keycloakSession, clientModel.getRealm(), userModel, clientModel.getId());
        Predicate<ClientScopeModel> consentMissing = clientScope -> {
            boolean granted = consent != null && consent.getGrantedClientScopes().contains(clientScope);
            if (!granted) {
                logger.debugf("Client '%s' no longer has requested consent from user '%s' for client scope '%s'", clientModel.getClientId(), userModel.getUsername(), clientScope.getName());
            }
            return !granted;
        };
        return stream
                .filter(ClientScopeModel::isDisplayOnConsentScreen)
                .noneMatch(consentMissing);
    }

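    /**
     * Runs every configured {@link OIDCAccessTokenMapper} over the access token, in mapper
     * order, and then narrows the audience when the refresh request asked for specific
     * audiences (the "req-aud-clients" client-session attribute).
     *
     * <p>The decompiler's duplicated bridge/synthetic {@code applyMapper} pair is collapsed
     * into the single override the {@code TokenCollector} contract needs.
     *
     * @return the transformed token (the same instance the mappers returned)
     */
    public AccessToken transformAccessToken(final KeycloakSession keycloakSession, AccessToken accessToken, final UserSessionModel userSessionModel, final ClientSessionContext clientSessionContext) {
        AccessToken transformed = ProtocolMapperUtils
                .getSortedProtocolMappers(keycloakSession, clientSessionContext, mapper -> mapper.getValue() instanceof OIDCAccessTokenMapper)
                .collect(new TokenCollector<AccessToken>(accessToken) {
                    @Override
                    protected AccessToken applyMapper(AccessToken token, Map.Entry<ProtocolMapperModel, ProtocolMapper> mapper) {
                        // Safe: the filter above admits only OIDCAccessTokenMapper instances.
                        return ((OIDCAccessTokenMapper) mapper.getValue())
                                .transformAccessToken(token, mapper.getKey(), keycloakSession, userSessionModel, clientSessionContext);
                    }
                });

        ClientModel[] requestedAudiences = clientSessionContext.getAttribute("req-aud-clients", ClientModel[].class);
        if (requestedAudiences != null) {
            Set<String> audienceClientIds = Arrays.stream(requestedAudiences)
                    .map(ClientModel::getClientId)
                    .collect(Collectors.toSet());
            restrictRequestedAudience(transformed, audienceClientIds);
        }
        return transformed;
    }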

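    /**
     * Runs every configured {@link OIDCAccessTokenResponseMapper} over the token response, in
     * mapper order, and returns the result.
     *
     * <p>The decompiler's duplicated bridge/synthetic {@code applyMapper} pair is collapsed
     * into the single override the {@code TokenCollector} contract needs.
     */
    public AccessTokenResponse transformAccessTokenResponse(final KeycloakSession keycloakSession, AccessTokenResponse accessTokenResponse, final UserSessionModel userSessionModel, final ClientSessionContext clientSessionContext) {
        return ProtocolMapperUtils
                .getSortedProtocolMappers(keycloakSession, clientSessionContext, mapper -> mapper.getValue() instanceof OIDCAccessTokenResponseMapper)
                .collect(new TokenCollector<AccessTokenResponse>(accessTokenResponse) {
                    @Override
                    protected AccessTokenResponse applyMapper(AccessTokenResponse response, Map.Entry<ProtocolMapperModel, ProtocolMapper> mapper) {
                        // Safe: the filter above admits only OIDCAccessTokenResponseMapper instances.
                        return ((OIDCAccessTokenResponseMapper) mapper.getValue())
                                .transformAccessTokenResponse(response, mapper.getKey(), keycloakSession, userSessionModel, clientSessionContext);
                    }
                });
    }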

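    /**
     * Runs every configured {@link UserInfoTokenMapper} over the token used to build the
     * UserInfo response, in mapper order, and returns the result.
     *
     * <p>The decompiler's duplicated bridge/synthetic {@code applyMapper} pair is collapsed
     * into the single override the {@code TokenCollector} contract needs.
     */
    public AccessToken transformUserInfoAccessToken(final KeycloakSession keycloakSession, AccessToken accessToken, final UserSessionModel userSessionModel, final ClientSessionContext clientSessionContext) {
        return ProtocolMapperUtils
                .getSortedProtocolMappers(keycloakSession, clientSessionContext, mapper -> mapper.getValue() instanceof UserInfoTokenMapper)
                .collect(new TokenCollector<AccessToken>(accessToken) {
                    @Override
                    protected AccessToken applyMapper(AccessToken token, Map.Entry<ProtocolMapperModel, ProtocolMapper> mapper) {
                        // Safe: the filter above admits only UserInfoTokenMapper instances.
                        return ((UserInfoTokenMapper) mapper.getValue())
                                .transformUserInfoToken(token, mapper.getKey(), keycloakSession, userSessionModel, clientSessionContext);
                    }
                });
    }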

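    /**
     * Runs every configured {@link TokenIntrospectionTokenMapper} over the token used to build
     * an introspection response, in mapper order, and returns the result.
     *
     * <p>The decompiler's duplicated bridge/synthetic {@code applyMapper} pair is collapsed
     * into the single override the {@code TokenCollector} contract needs.
     */
    public AccessToken transformIntrospectionAccessToken(final KeycloakSession keycloakSession, AccessToken accessToken, final UserSessionModel userSessionModel, final ClientSessionContext clientSessionContext) {
        return ProtocolMapperUtils
                .getSortedProtocolMappers(keycloakSession, clientSessionContext, mapper -> mapper.getValue() instanceof TokenIntrospectionTokenMapper)
                .collect(new TokenCollector<AccessToken>(accessToken) {
                    @Override
                    protected AccessToken applyMapper(AccessToken token, Map.Entry<ProtocolMapperModel, ProtocolMapper> mapper) {
                        // Safe: the filter above admits only TokenIntrospectionTokenMapper instances.
                        return ((TokenIntrospectionTokenMapper) mapper.getValue())
                                .transformIntrospectionToken(token, mapper.getKey(), keycloakSession, userSessionModel, clientSessionContext);
                    }
                });
    }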

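    /**
     * Builds the claim map for a UserInfo response from an access token.
     *
     * <p>"sub" is always present (token subject, falling back to the user id). Each standard
     * OIDC claim is copied only when the token carries a non-null value. The token's other
     * (custom) claims are then merged in with {@code putAll}, so a custom claim with a standard
     * name overrides the value set above. Finally realm and resource role lists are added
     * under "realm_access" / "resource_access" when present.
     *
     * <p>Behavior is identical to the original; the twenty-odd repeated null-guarded puts are
     * routed through {@link #putClaimIfPresent} and the role sub-maps through {@link #rolesClaim}.
     *
     * @return a mutable map of claim name to value
     */
    public Map<String, Object> generateUserInfoClaims(AccessToken accessToken, UserModel userModel) {
        Map<String, Object> claims = new HashMap<>();
        claims.put("sub", accessToken.getSubject() == null ? userModel.getId() : accessToken.getSubject());
        putClaimIfPresent(claims, "iss", accessToken.getIssuer());
        putClaimIfPresent(claims, "aud", accessToken.getAudience());
        putClaimIfPresent(claims, "name", accessToken.getName());
        putClaimIfPresent(claims, "given_name", accessToken.getGivenName());
        putClaimIfPresent(claims, "family_name", accessToken.getFamilyName());
        putClaimIfPresent(claims, "middle_name", accessToken.getMiddleName());
        putClaimIfPresent(claims, OIDCLoginProtocolFactory.NICKNAME, accessToken.getNickName());
        putClaimIfPresent(claims, "preferred_username", accessToken.getPreferredUsername());
        putClaimIfPresent(claims, OIDCLoginProtocolFactory.PROFILE_CLAIM, accessToken.getProfile());
        putClaimIfPresent(claims, OIDCLoginProtocolFactory.PICTURE, accessToken.getPicture());
        putClaimIfPresent(claims, OIDCLoginProtocolFactory.WEBSITE, accessToken.getWebsite());
        putClaimIfPresent(claims, "email", accessToken.getEmail());
        putClaimIfPresent(claims, "email_verified", accessToken.getEmailVerified());
        putClaimIfPresent(claims, OIDCLoginProtocolFactory.GENDER, accessToken.getGender());
        putClaimIfPresent(claims, OIDCLoginProtocolFactory.BIRTHDATE, accessToken.getBirthdate());
        putClaimIfPresent(claims, OIDCLoginProtocolFactory.ZONEINFO, accessToken.getZoneinfo());
        putClaimIfPresent(claims, OIDCLoginProtocolFactory.LOCALE, accessToken.getLocale());
        putClaimIfPresent(claims, "phone_number", accessToken.getPhoneNumber());
        putClaimIfPresent(claims, "phone_number_verified", accessToken.getPhoneNumberVerified());
        putClaimIfPresent(claims, OIDCLoginProtocolFactory.ADDRESS, accessToken.getAddress());
        putClaimIfPresent(claims, "updated_at", accessToken.getUpdatedAt());
        putClaimIfPresent(claims, "claims_locales", accessToken.getClaimsLocales());

        // Custom claims are merged last and therefore win over any standard claim of the same name.
        claims.putAll(accessToken.getOtherClaims());

        if (accessToken.getRealmAccess() != null) {
            claims.put("realm_access", rolesClaim(accessToken.getRealmAccess()));
        }
        Map<String, AccessToken.Access> resourceAccess = accessToken.getResourceAccess();
        if (resourceAccess != null && !resourceAccess.isEmpty()) {
            Map<String, Object> perClient = new HashMap<>();
            for (Map.Entry<String, AccessToken.Access> entry : resourceAccess.entrySet()) {
                perClient.put(entry.getKey(), rolesClaim(entry.getValue()));
            }
            claims.put("resource_access", perClient);
        }
        return claims;
    }

    /** Puts {@code value} under {@code name} only when it is non-null. */
    private static void putClaimIfPresent(Map<String, Object> claims, String name, Object value) {
        if (value != null) {
            claims.put(name, value);
        }
    }

    /** Wraps an access entry's roles as the {@code {"roles": [...]}} sub-map used by the role claims. */
    private static Map<String, Object> rolesClaim(AccessToken.Access access) {
        Map<String, Object> roles = new HashMap<>();
        roles.put("roles", access.getRoles());
        return roles;
    }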

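    /**
     * Runs every configured {@link OIDCIDTokenMapper} over the ID token, in mapper order, and
     * returns the result.
     *
     * <p>The decompiler's duplicated bridge/synthetic {@code applyMapper} pair is collapsed
     * into the single override the {@code TokenCollector} contract needs.
     */
    public IDToken transformIDToken(final KeycloakSession keycloakSession, IDToken iDToken, final UserSessionModel userSessionModel, final ClientSessionContext clientSessionContext) {
        return ProtocolMapperUtils
                .getSortedProtocolMappers(keycloakSession, clientSessionContext, mapper -> mapper.getValue() instanceof OIDCIDTokenMapper)
                .collect(new TokenCollector<IDToken>(iDToken) {
                    @Override
                    protected IDToken applyMapper(IDToken token, Map.Entry<ProtocolMapperModel, ProtocolMapper> mapper) {
                        // Safe: the filter above admits only OIDCIDTokenMapper instances.
                        return ((OIDCIDTokenMapper) mapper.getValue())
                                .transformIDToken(token, mapper.getKey(), keycloakSession, userSessionModel, clientSessionContext);
                    }
                });
    }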

    /**
     * Creates the base access token for a client session before any protocol mapper runs.
     *
     * <p>Sets: an id produced by the token-context encoder from the client session context and
     * a fresh random id; the token type (via {@code formatTokenType}); the subject, but only
     * for transient user sessions; iat; azp (issued-for = client id); the issuer recorded in
     * the client session's "iss" note; the scope string; when step-up authentication is
     * disabled, acr "0" for SSO-based authentication and "1" otherwise; the session id; and
     * the expiration, which accounts for the "offline_access" scope when that scope exists
     * and was granted. Issuer, session id and token id are also attached to the current
     * tracing span when it is recording.
     *
     * @return the populated, not yet mapped, access token
     */
    protected AccessToken initToken(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext, UriInfo uriInfo) {
        AccessToken token = new AccessToken();

        TokenContextEncoderProvider contextEncoder = keycloakSession.getProvider(TokenContextEncoderProvider.class);
        String tokenId = contextEncoder.encodeTokenId(
                contextEncoder.getTokenContextFromClientSessionContext(clientSessionContext, KeycloakModelUtils.generateId()));
        token.id(tokenId);
        // Type is derived before any other field is set; formatTokenType falls back to "Bearer" when unset.
        token.type(formatTokenType(clientModel, token));

        boolean transientSession = UserSessionModel.SessionPersistenceState.TRANSIENT.equals(userSessionModel.getPersistenceState());
        if (transientSession) {
            token.subject(userModel.getId());
        }
        token.issuedNow();
        token.issuedFor(clientModel.getClientId());

        AuthenticatedClientSessionModel clientSession = clientSessionContext.getClientSession();
        token.issuer(clientSession.getNote("iss"));
        token.setScope(clientSessionContext.getScopeString());
        if (!Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
            String acr = AuthenticationManager.isSSOAuthentication(clientSession) ? "0" : "1";
            token.setAcr(acr);
        }
        token.setSessionId(userSessionModel.getId());

        ClientScopeModel offlineAccessScope = KeycloakModelUtils.getClientScopeByName(realmModel, "offline_access");
        boolean offlineAccessGranted = offlineAccessScope != null
                && clientSessionContext.getClientScopeIds().contains(offlineAccessScope.getId());
        token.exp(getTokenExpiration(realmModel, clientModel, userSessionModel, clientSession, offlineAccessGranted));

        Span span = keycloakSession.getProvider(TracingProvider.class).getCurrentSpan();
        if (span.isRecording()) {
            span.setAttribute(TracingAttributes.TOKEN_ISSUER, token.getIssuer());
            span.setAttribute(TracingAttributes.TOKEN_SID, token.getSessionId());
            span.setAttribute(TracingAttributes.TOKEN_ID, token.getId());
        }
        return token;
    }

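    /**
     * Computes the access token "exp" (seconds since epoch).
     *
     * <p>The lifespan comes from the realm's implicit-flow setting when the client session's
     * "response_type" note denotes an implicit flow, else from the client's
     * "access.token.lifespan" attribute, else from the realm default. A lifespan of -1 binds
     * the token to the SSO session's maximum lifespan (remember-me aware). The result is then
     * capped by the client session's maximum lifespan when that cap is positive.
     *
     * <p>Fix: the client attribute is trimmed before parsing, matching the blank check that
     * precedes it; a value padded with whitespace no longer throws NumberFormatException.
     *
     * @param z whether the "offline_access" scope was granted (treated like an offline session)
     * @return the expiration time in seconds
     */
    private Long getTokenExpiration(RealmModel realmModel, ClientModel clientModel, UserSessionModel userSessionModel, AuthenticatedClientSessionModel authenticatedClientSessionModel, boolean z) {
        int lifespanSeconds = resolveAccessTokenLifespan(realmModel, clientModel, authenticatedClientSessionModel);

        long expirationMillis;
        if (lifespanSeconds == -1) {
            // -1 means "as long as the SSO session", using the remember-me max lifespan when configured (> 0).
            boolean useRememberMeLifespan = userSessionModel.isRememberMe() && realmModel.getSsoSessionMaxLifespanRememberMe() > 0;
            int ssoMaxLifespan = useRememberMeLifespan ? realmModel.getSsoSessionMaxLifespanRememberMe() : realmModel.getSsoSessionMaxLifespan();
            expirationMillis = TimeUnit.SECONDS.toMillis(userSessionModel.getStarted() + ssoMaxLifespan);
        } else {
            expirationMillis = Time.currentTimeMillis() + TimeUnit.SECONDS.toMillis(lifespanSeconds);
        }

        long clientSessionMaxLifespan = SessionExpirationUtils.calculateClientSessionMaxLifespanTimestamp(
                userSessionModel.isOffline() || z,
                userSessionModel.isRememberMe(),
                TimeUnit.SECONDS.toMillis(authenticatedClientSessionModel.getStarted()),
                TimeUnit.SECONDS.toMillis(userSessionModel.getStarted()),
                realmModel,
                clientModel);
        if (clientSessionMaxLifespan > 0) {
            expirationMillis = Math.min(expirationMillis, clientSessionMaxLifespan);
        }
        return TimeUnit.MILLISECONDS.toSeconds(expirationMillis);
    }

    /**
     * Picks the configured access token lifespan in seconds: implicit-flow realm setting,
     * client attribute override, or realm default, in that order.
     */
    private static int resolveAccessTokenLifespan(RealmModel realmModel, ClientModel clientModel, AuthenticatedClientSessionModel clientSession) {
        String responseType = clientSession.getNote("response_type");
        if (responseType != null && OIDCResponseType.parse(responseType).isImplicitFlow()) {
            return realmModel.getAccessTokenLifespanForImplicitFlow();
        }
        String clientOverride = clientModel.getAttribute("access.token.lifespan");
        if (clientOverride == null || clientOverride.trim().isEmpty()) {
            return realmModel.getAccessTokenLifespan();
        }
        return Integer.parseInt(clientOverride.trim());
    }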

    /**
     * Creates a builder for assembling the token endpoint response for the given
     * realm, client, user session and client session context.
     *
     * @return a fresh {@link AccessTokenResponseBuilder} bound to the supplied models
     */
    public AccessTokenResponseBuilder responseBuilder(RealmModel realmModel, ClientModel clientModel, EventBuilder eventBuilder, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        AccessTokenResponseBuilder builder = new AccessTokenResponseBuilder(
                realmModel, clientModel, eventBuilder, keycloakSession, userSessionModel, clientSessionContext);
        return builder;
    }

    /**
     * Resolves the {@code token_type} value for a token response.
     * <p>
     * Uses the token's own type, defaulting to {@code "Bearer"} when the token or its type is
     * absent, and lower-cases it when the client is configured to do so.
     *
     * @param clientModel client whose advanced config decides the casing
     * @param accessToken token whose type is reported; may be {@code null}
     * @return the token type string
     */
    private String formatTokenType(ClientModel clientModel, AccessToken accessToken) {
        String tokenType = "Bearer";
        if (accessToken != null && accessToken.getType() != null) {
            tokenType = accessToken.getType();
        }
        boolean lowerCase = OIDCAdvancedConfigWrapper.fromClientModel(clientModel).isUseLowerCaseInTokenResponse();
        if (lowerCase) {
            // Default-locale lower-casing; harmless for the ASCII default, locale-sensitive for an 'I'.
            return tokenType.toLowerCase();
        }
        return tokenType;
    }

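    /**
     * Narrows a token's {@code aud} to the intersection of what was requested and what was
     * already issued, and drops {@code resource_access} entries for audiences no longer present.
     * <p>
     * A client can therefore only narrow the audience, never widen it beyond what was issued.
     * The issued audience is copied through a {@link HashSet} rather than {@code Set.of}, which
     * would throw on a duplicate or {@code null} audience entry.
     *
     * @param accessToken token to restrict in place; untouched when it carries no audience
     * @param set         requested audience values
     * @return the same token instance
     */
    private AccessToken restrictRequestedAudience(AccessToken accessToken, Set<String> set) {
        String[] issuedAudience = accessToken.getAudience();
        if (issuedAudience == null) {
            return accessToken;
        }
        Set<String> allowed = new HashSet<>(set);
        allowed.retainAll(new HashSet<>(Arrays.asList(issuedAudience)));
        accessToken.audience(allowed.toArray(String[]::new));
        // NOTE(review): assumes getResourceAccess() is never null (unchanged from before).
        accessToken.getResourceAccess().keySet().removeIf(resource -> !allowed.contains(resource));
        return accessToken;
    }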

    /**
     * Validates an OIDC back-channel logout token and reports the first failing check.
     * <p>
     * Order of checks: the token must decode; at least one OIDC identity provider must be
     * registered for its issuer; at least one of those providers must verify the raw token;
     * then the claims are checked: {@code sub} or {@code sid} present, a back-channel-logout
     * event present, no {@code nonce}, a {@code jti} and an {@code iat}.
     * Note that claim checks run only after provider verification succeeded, so they operate
     * on a token whose origin has already been established by the provider.
     *
     * @param keycloakSession session used to look up identity providers
     * @param str             the raw logout token (compact JWS)
     * @return a context holding the validation code, and on success the token and the
     *         providers that verified it
     */
    public LogoutTokenValidationContext verifyLogoutToken(KeycloakSession keycloakSession, String str) {
        Optional<LogoutToken> decoded = toLogoutToken(str);
        if (decoded.isEmpty()) {
            return LogoutTokenValidationCode.DECODE_TOKEN_FAILED.toCtx();
        }
        LogoutToken token = decoded.get();

        List<OIDCIdentityProvider> candidates = getOIDCIdentityProviders(token, keycloakSession).toList();
        if (candidates.isEmpty()) {
            return LogoutTokenValidationCode.COULD_NOT_FIND_IDP.toCtx();
        }

        List<OIDCIdentityProvider> verifiedBy = validateLogoutTokenAgainstIdpProvider(candidates.stream(), str).toList();
        if (verifiedBy.isEmpty()) {
            return LogoutTokenValidationCode.TOKEN_VERIFICATION_WITH_IDP_FAILED.toCtx();
        }

        if (token.getSubject() == null && token.getSid() == null) {
            return LogoutTokenValidationCode.MISSING_SID_OR_SUBJECT.toCtx();
        }
        if (!checkLogoutTokenForEvents(token)) {
            return LogoutTokenValidationCode.BACKCHANNEL_LOGOUT_EVENT_MISSING.toCtx();
        }
        // The spec forbids a nonce in logout tokens (guards against ID-token confusion).
        if (token.getOtherClaims().get(OIDCLoginProtocol.NONCE_PARAM) != null) {
            return LogoutTokenValidationCode.NONCE_CLAIM_IN_TOKEN.toCtx();
        }
        if (token.getId() == null) {
            return LogoutTokenValidationCode.LOGOUT_TOKEN_ID_MISSING.toCtx();
        }
        if (token.getIat() == null) {
            return LogoutTokenValidationCode.MISSING_IAT_CLAIM.toCtx();
        }
        return new LogoutTokenValidationContext(LogoutTokenValidationCode.VALIDATION_SUCCESS, token, verifiedBy);
    }

    /**
     * Parses a compact JWS into a {@link LogoutToken} without verifying its signature.
     * <p>
     * Only the payload is decoded here; signature verification happens separately when the
     * token is checked against the identity providers. Callers must not trust the returned
     * claims before that step.
     *
     * @param str the raw compact JWS
     * @return the parsed token, or empty when the input is not a readable JWS
     */
    public Optional<LogoutToken> toLogoutToken(String str) {
        LogoutToken parsed;
        try {
            JWSInput jws = new JWSInput(str);
            parsed = jws.readJsonContent(LogoutToken.class);
        } catch (JWSInputException e) {
            return Optional.empty();
        }
        return Optional.of(parsed);
    }

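    /**
     * Keeps only the identity providers that successfully verify the raw logout token.
     * <p>
     * Each provider's {@code validateToken} is attempted; an {@link IdentityBrokerException}
     * is treated as "this provider did not verify it" and logged at debug level. The previous
     * log format had no placeholder, so the exception message was silently dropped.
     *
     * @param stream candidate providers registered for the token's issuer
     * @param str    the raw logout token (compact JWS)
     * @return the providers that verified the token
     */
    public Stream<OIDCIdentityProvider> validateLogoutTokenAgainstIdpProvider(Stream<OIDCIdentityProvider> stream, String str) {
        return stream.filter(oIDCIdentityProvider -> {
            try {
                oIDCIdentityProvider.validateToken(str);
                return true;
            } catch (IdentityBrokerException e) {
                logger.debugf("LogoutToken verification with identity provider failed: %s", e.getMessage());
                return false;
            }
        });
    }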

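    /**
     * Looks up the OIDC identity providers whose configured issuer matches the token's
     * {@code iss} claim.
     * <p>
     * The {@code iss} value comes from a not-yet-verified token, so it is only used as a
     * lookup key and is deliberately not logged. A token without {@code iss} yields an empty
     * stream (previously {@code Map.of} rejected the {@code null} value with an uncaught
     * {@link NullPointerException}). Non-OIDC providers are filtered out rather than failing
     * a cast.
     *
     * @param logoutToken     decoded (unverified) logout token
     * @param keycloakSession session used for the provider lookup
     * @return matching OIDC providers, or an empty stream when none can be resolved
     */
    private Stream<OIDCIdentityProvider> getOIDCIdentityProviders(LogoutToken logoutToken, KeycloakSession keycloakSession) {
        String issuer = logoutToken.getIssuer();
        if (issuer == null) {
            logger.debug("LogoutToken has no iss claim; cannot resolve an identity provider");
            return Stream.empty();
        }
        try {
            return keycloakSession.identityProviders()
                    .getAllStream(Map.of(OIDCIdentityProviderConfig.ISSUER, issuer), -1, -1)
                    .map(identityProviderModel -> {
                        Object provider = IdentityBrokerService.getIdentityProvider(keycloakSession, identityProviderModel.getAlias());
                        // Only OIDC providers can verify a logout token; anything else is dropped below.
                        return provider instanceof OIDCIdentityProvider oidcProvider ? oidcProvider : null;
                    })
                    .filter(Objects::nonNull);
        } catch (IdentityBrokerException e) {
            logger.warnf("LogoutToken verification with identity provider failed: %s", e.getMessage());
            return Stream.empty();
        }
    }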

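    /**
     * Checks that the token's {@code events} claim contains the back-channel-logout event
     * identifier, as required by the OIDC Back-Channel Logout spec.
     * <p>
     * A token with no {@code events} map at all now fails the check instead of throwing a
     * {@link NullPointerException}, so the caller can report it as a validation error.
     *
     * @param logoutToken decoded logout token
     * @return {@code true} when the back-channel-logout event key is present
     */
    private boolean checkLogoutTokenForEvents(LogoutToken logoutToken) {
        Map<?, ?> events = logoutToken.getEvents();
        if (events == null) {
            return false;
        }
        return events.containsKey("http://schemas.openid.net/event/backchannel-logout");
    }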

    /**
     * Returns the token's {@code reuse_id} claim as a string, or {@code ""} when the claim
     * is absent.
     *
     * @param accessToken token whose other-claims map is consulted
     * @return the reuse id, or an empty string
     */
    private String getReuseIdKey(AccessToken accessToken) {
        Object reuseId = accessToken.getOtherClaims().get("reuse_id");
        if (reuseId == null) {
            return "";
        }
        return String.valueOf(reuseId);
    }
}
