package io.confluent.oidc.services;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.kafka.schemaregistry.utils.QualifiedSubject;
import io.confluent.oidc.config.OidcConfig;
import io.confluent.oidc.encryption.EncryptionHandler;
import io.confluent.oidc.entities.OidcAuthResponse;
import io.confluent.oidc.exceptions.AuthorizationResponseException;
import io.confluent.oidc.exceptions.InvalidCodeException;
import io.confluent.oidc.exceptions.InvalidStateException;
import io.confluent.oidc.exceptions.TokenResponseException;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.auth.store.data.RefreshTokenInfoKey;
import io.confluent.security.authentication.http.HttpClient;
import io.confluent.security.authentication.oidc.RefreshTokenInfo;
import io.confluent.security.authentication.oidc.TokenResponse;
import io.confluent.security.trustservice.store.TrustCache;
import io.confluent.security.trustservice.store.TrustWriter;
import io.confluent.tokenapi.entities.RefreshTokenRequest;
import io.confluent.tokenapi.exceptions.InvalidTokenException;
import io.confluent.tokenapi.services.TokenService;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.time.Duration;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.CompletionStage;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.eclipse.jetty.http.DateGenerator;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/oidc/services/OidcTokenService.class */
public class OidcTokenService implements Configurable {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) OidcTokenService.class);
    public static final String TOKEN_MAX_EXP_CLAIM_NAME = "mex";
    public static final String TOKEN_SESSION_ID = "ssid";
    private final TokenService tokenService;
    private final TrustWriter trustWriter;
    private final TrustCache trustCache;
    private final EncryptionHandler encryptionHandler;
    private HttpClient httpClient;
    private String clientIdIdp;
    private String clientSecretIdp;
    private String subClaimName;
    private String groupsClaimName;
    private String scopeForGroupsClaim;
    private String idpIssuer;
    private boolean idpRefreshTokenEnabled;
    private URI jwksUriIdp;
    private URI authorizeEndpointBaseUri;
    private URI tokenEndpointBaseUri;
    private long sessionTokenLifetimeMs;
    private long sessionTokenMaxExtendabilityMs;
    private JwtConsumer jwtConsumer;

    public OidcTokenService(TokenService tokenService, AuthStore authStore, EncryptionHandler encryptionHandler) {
        this.tokenService = tokenService;
        this.trustWriter = (TrustWriter) authStore.writer();
        this.trustCache = authStore.trustCache();
        this.encryptionHandler = encryptionHandler;
    }

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        OidcConfig oidcConfig = new OidcConfig(map);
        this.sessionTokenLifetimeMs = oidcConfig.getLong(OidcConfig.SESSION_TOKEN_LIFETIME_MS).longValue();
        this.sessionTokenMaxExtendabilityMs = oidcConfig.getLong(OidcConfig.SESSION_TOKEN_MAX_TIMEOUT_MS).longValue();
        this.subClaimName = oidcConfig.getString(OidcConfig.OIDC_SUB_CLAIM_NAME);
        this.groupsClaimName = oidcConfig.getString(OidcConfig.OIDC_GROUPS_CLAIM_NAME);
        this.scopeForGroupsClaim = oidcConfig.getString(OidcConfig.OIDC_GROUPS_CLAIM_SCOPE);
        this.clientIdIdp = oidcConfig.getString(OidcConfig.OIDC_CLIENT_ID);
        this.clientSecretIdp = oidcConfig.getPassword(OidcConfig.OIDC_CLIENT_SECRET).value();
        this.idpIssuer = oidcConfig.getString(OidcConfig.OIDC_IDP_ISSUER);
        this.idpRefreshTokenEnabled = oidcConfig.getBoolean(OidcConfig.OIDC_IDP_REFRESH_TOKEN_ENABLED).booleanValue();
        this.jwksUriIdp = getUriFromConfig(oidcConfig, OidcConfig.OIDC_JWKS_LOCATION);
        this.authorizeEndpointBaseUri = getUriFromConfig(oidcConfig, OidcConfig.OIDC_AUTHORIZE_ENDPOINT_BASE_URI);
        this.tokenEndpointBaseUri = getUriFromConfig(oidcConfig, OidcConfig.OIDC_TOKEN_ENDPOINT_BASE_URI);
        this.httpClient = HttpClient.builder().build();
        this.jwtConsumer = createJwtConsumer();
    }

    private URI getUriFromConfig(OidcConfig oidcConfig, String str) {
        try {
            return new URI(oidcConfig.getString(str));
        } catch (URISyntaxException e) {
            throw new ConfigException(String.format("Invalid %s.", str), e);
        }
    }

    private JwtConsumer createJwtConsumer() {
        return new JwtConsumerBuilder().setExpectedIssuer(true, this.idpIssuer).setJwsAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE).setJweAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE).setJweContentEncryptionAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE).setSkipDefaultAudienceValidation().setRequireExpirationTime().setAllowedClockSkewInSeconds(30).setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(new HttpsJwks(this.jwksUriIdp.toString()))).build();
    }

    public OidcAuthResponse getIdpAuthUri(UriInfo uriInfo, URI uri) {
        String callbackUri = getCallbackUri(uriInfo, uri);
        String str = UUID.randomUUID() + callbackUri;
        URI build = UriBuilder.fromUri(this.authorizeEndpointBaseUri).queryParam("response_type", "code").queryParam("client_id", this.clientIdIdp).queryParam("scope", getScopeParam(this.idpRefreshTokenEnabled)).queryParam("redirect_uri", callbackUri).queryParam("state", str).build(new Object[0]);
        String stateCookie = getStateCookie(str);
        log.info("Returning auth uri: {}", build);
        return new OidcAuthResponse(build, Collections.singletonList(stateCookie));
    }

    private String getCallbackUri(UriInfo uriInfo, URI uri) {
        URI build = UriBuilder.fromUri(uri).replacePath(uri.getPath().replace("/security/1.0/oidc/authenticate", "")).path(uriInfo.getRequestUri().getPath().replace("authenticate", "authorization-code/callback")).replaceQuery(null).build(new Object[0]);
        log.info("CallbackUri for inputUri: " + uriInfo.getRequestUri() + " is: " + build);
        return build.toString();
    }

    private String getScopeParam(boolean z) {
        StringBuilder sb = new StringBuilder("openid");
        if (z) {
            sb.append(" offline_access");
        }
        if (!Strings.isNullOrEmpty(this.scopeForGroupsClaim)) {
            sb.append(" ").append(this.scopeForGroupsClaim);
        }
        return sb.toString();
    }

    private String getStateCookie(String str) {
        return "o2state=" + this.encryptionHandler.encrypt(str) + "; HttpOnly; Secure; Path=/; Expires=" + getCookieExpiry(Duration.ofMinutes(10L).getSeconds()) + "; SameSite=Lax; Max-Age=" + Duration.ofMinutes(10L).getSeconds();
    }

    private String getCookieExpiry(long j) {
        return j <= 0 ? DateGenerator.formatCookieDate(0L).trim() : DateGenerator.formatCookieDate(System.currentTimeMillis() + (1000 * j));
    }

    public OidcAuthResponse handleCallback(Cookie cookie, String str, String str2, String str3, String str4) {
        verifyState(cookie, str);
        handleError(str3, str4);
        String callbackUriFromState = getCallbackUriFromState(str);
        TokenResponse exchangeAuthorizationCodeForTokens = exchangeAuthorizationCodeForTokens(str2, callbackUriFromState);
        JwtClaims validateIdTokenAndCollectClaims = validateIdTokenAndCollectClaims(exchangeAuthorizationCodeForTokens);
        String uuid = UUID.randomUUID().toString();
        encryptAndStoreRefreshToken(exchangeAuthorizationCodeForTokens, validateIdTokenAndCollectClaims, uuid);
        String subjectFromJwtClaims = getSubjectFromJwtClaims(validateIdTokenAndCollectClaims);
        long idTokenRemainingValidity = getIdTokenRemainingValidity(validateIdTokenAndCollectClaims);
        return new OidcAuthResponse(getHomeUri(callbackUriFromState), Arrays.asList(this.tokenService.getCookieHeader(issueToken(validateIdTokenAndCollectClaims, subjectFromJwtClaims, uuid, idTokenRemainingValidity), getSessionTokenLifetime(idTokenRemainingValidity)), getDeleteStateCookieHeader()));
    }

    private void verifyState(Cookie cookie, String str) {
        if (Objects.isNull(cookie) || Strings.isNullOrEmpty(cookie.getValue())) {
            throw new InvalidStateException("o2state missing or empty in cookies");
        }
        String decrypt = this.encryptionHandler.decrypt(cookie.getValue());
        if (decrypt.equals(str)) {
            return;
        }
        log.error("state stored in cookies: {}, state received in callback: {}.", decrypt, str);
        throw new InvalidStateException("Invalid state parameter");
    }

    private void handleError(String str, String str2) {
        if (Strings.isNullOrEmpty(str)) {
            return;
        }
        log.error("Request failed or denied by IdP. error:{}. description:{}", str, str2);
        throw new AuthorizationResponseException(str);
    }

    private String getCallbackUriFromState(String str) {
        if (Objects.isNull(str) || str.length() < 36) {
            log.error("Length of state is less than 36. State={}", str);
            return "";
        }
        String substring = str.substring(36);
        log.info("CallbackUri from state is: {}", substring);
        return substring;
    }

    private TokenResponse exchangeAuthorizationCodeForTokens(String str, String str2) {
        CompletionStage<Response> tokensAsync = getTokensAsync(createTokenRequestForm(str, str2), getEncodedCredentials(this.clientIdIdp, this.clientSecretIdp));
        log.debug("Fetching idp tokens using authorization code. callbackUri={}", str2);
        return fetchIdpTokens(tokensAsync);
    }

    private Form createTokenRequestForm(String str, String str2) {
        if (Strings.isNullOrEmpty(str)) {
            throw new InvalidCodeException("authorization code is null or empty");
        }
        return new Form().param("grant_type", "authorization_code").param("code", str).param("redirect_uri", str2);
    }

    private String getEncodedCredentials(String str, String str2) {
        return Base64.getEncoder().encodeToString((str + QualifiedSubject.CONTEXT_DELIMITER + str2).getBytes(StandardCharsets.UTF_8));
    }

    private CompletionStage<Response> getTokensAsync(Form form, String str) {
        return this.httpClient.target(this.tokenEndpointBaseUri).request().header("Authorization", "Basic " + str).accept("application/json").rx().post(Entity.entity(form, "application/x-www-form-urlencoded"));
    }

    private TokenResponse fetchIdpTokens(CompletionStage<Response> completionStage) {
        try {
            return (TokenResponse) completionStage.thenApply(this::processResponse).toCompletableFuture().get();
        } catch (Exception e) {
            log.error("Exception in async http call of getting tokens: " + e.getMessage(), (Throwable) e);
            throw new TokenResponseException(e.getMessage(), e);
        }
    }

    private TokenResponse processResponse(Response response) {
        if (response == null) {
            throw new TokenResponseException("Response is null");
        }
        if (Response.Status.OK.getStatusCode() == response.getStatus()) {
            log.debug("Successful token response from IDP: {}", Integer.valueOf(response.getStatus()));
            return (TokenResponse) response.readEntity(TokenResponse.class);
        }
        if (Response.Status.BAD_REQUEST.getStatusCode() == response.getStatus()) {
            throw new RuntimeException("Got bad request status from IdP: " + ((String) response.readEntity(String.class)));
        }
        String str = "Failed to retrieve tokens from IDP with status:" + response.getStatus();
        String str2 = (String) response.readEntity(String.class);
        if (!Strings.isNullOrEmpty(str2)) {
            str = str + ". Error: " + str2;
        }
        throw new RuntimeException(str);
    }

    private JwtClaims validateIdTokenAndCollectClaims(TokenResponse tokenResponse) {
        try {
            JwtClaims processToClaims = this.jwtConsumer.processToClaims(tokenResponse.getIdToken());
            if (Objects.isNull(processToClaims.getJwtId()) && processToClaims.getClaimValue("uti", String.class) == null) {
                throw new RuntimeException("Missing jti / uti claim");
            }
            getSubjectFromJwtClaims(processToClaims);
            getGroupsFromJwtClaims(processToClaims);
            return processToClaims;
        } catch (Exception e) {
            log.error("Failed to validate id token form IdP. Error: {}", e.getMessage());
            throw new InvalidTokenException(e);
        }
    }

    private String getSubjectFromJwtClaims(JwtClaims jwtClaims) {
        if (!jwtClaims.hasClaim(this.subClaimName)) {
            throw new InvalidTokenException(this.subClaimName + "(sub claim) not present");
        }
        try {
            String str = (String) jwtClaims.getClaimValue(this.subClaimName, String.class);
            if (Strings.isNullOrEmpty(str)) {
                throw new InvalidTokenException(this.subClaimName + "(sub claim) is:" + str);
            }
            return str;
        } catch (MalformedClaimException e) {
            throw new InvalidTokenException(this.subClaimName + "(sub claim) not a String");
        }
    }

    private Set<String> getGroupsFromJwtClaims(JwtClaims jwtClaims) {
        if (!jwtClaims.hasClaim(this.groupsClaimName)) {
            return Collections.emptySet();
        }
        Object claimValue = jwtClaims.getClaimValue(this.groupsClaimName);
        HashSet hashSet = new HashSet();
        if (!(claimValue instanceof List)) {
            throw new InvalidTokenException("groups is not a List. Actual type:" + claimValue.getClass());
        }
        for (Object obj : (List) claimValue) {
            if (!(obj instanceof String)) {
                throw new InvalidTokenException("group is not a String. Actual type:" + obj.getClass());
            }
            hashSet.add((String) obj);
        }
        return hashSet;
    }

    private void encryptAndStoreRefreshToken(TokenResponse tokenResponse, JwtClaims jwtClaims, String str) {
        if (Strings.isNullOrEmpty(tokenResponse.getRefreshToken())) {
            log.info("No refresh token for iss:{} sub:{}", this.idpIssuer, getSubjectFromJwtClaims(jwtClaims));
            return;
        }
        String encrypt = this.encryptionHandler.encrypt(tokenResponse.getRefreshToken());
        String subjectFromJwtClaims = getSubjectFromJwtClaims(jwtClaims);
        long issuedTimeEpoch = getIssuedTimeEpoch(jwtClaims);
        log.info("Storing refresh token - issuer:{}, issuedAt:{}, sub:{}, ssid:{}", this.idpIssuer, Long.valueOf(issuedTimeEpoch), subjectFromJwtClaims, str);
        this.trustWriter.addRefreshTokenInfo(this.idpIssuer, encrypt, issuedTimeEpoch, subjectFromJwtClaims, str);
    }

    private long getIssuedTimeEpoch(JwtClaims jwtClaims) {
        try {
            return jwtClaims.getIssuedAt().getValue();
        } catch (MalformedClaimException e) {
            return System.currentTimeMillis() / 1000;
        }
    }

    private String issueToken(JwtClaims jwtClaims, String str, String str2, long j) {
        long currentTimeMillis = (System.currentTimeMillis() / 1000) + j;
        HashMap hashMap = new HashMap();
        hashMap.put("groups", getGroupsFromJwtClaims(jwtClaims));
        hashMap.put("mex", Long.valueOf(currentTimeMillis));
        hashMap.put(TOKEN_SESSION_ID, str2);
        long sessionTokenLifetime = getSessionTokenLifetime(j);
        log.info("Issuing token to `{}` with validity:`{}` and mex:`{}`", str, Long.valueOf(sessionTokenLifetime), Long.valueOf(currentTimeMillis));
        return this.tokenService.issueToken(new KafkaPrincipal("User", str), hashMap, sessionTokenLifetime, Collections.emptyList());
    }

    private long getSessionTokenLifetime(long j) {
        return Math.min(this.sessionTokenMaxExtendabilityMs / 1000, Math.min(this.sessionTokenLifetimeMs / 1000, j));
    }

    private long getIdTokenRemainingValidity(JwtClaims jwtClaims) {
        try {
            return Math.max(0L, Math.min(this.sessionTokenMaxExtendabilityMs / 1000, jwtClaims.getExpirationTime().getValue() - (System.currentTimeMillis() / 1000)));
        } catch (MalformedClaimException e) {
            log.error("exp claim not present in JwtClaims");
            return 0L;
        }
    }

    private String getDeleteStateCookieHeader() {
        return "o2state=; HttpOnly; Secure; Path=/; Expires=" + getCookieExpiry(0L) + "; SameSite=Strict; Max-Age=0";
    }

    private URI getHomeUri(String str) {
        return UriBuilder.fromUri(URI.create(str)).replacePath(null).replaceQuery(null).build(new Object[0]);
    }

    public OidcAuthResponse refreshConfluentTokenIfApplicable(SecurityContext securityContext, Cookie cookie) {
        if (isInvalidPrincipal(securityContext.getUserPrincipal())) {
            return new OidcAuthResponse(null, Collections.emptyList());
        }
        JwtPrincipal jwtPrincipal = (JwtPrincipal) securityContext.getUserPrincipal();
        RefreshTokenInfo refreshTokenInfoFromCache = getRefreshTokenInfoFromCache(jwtPrincipal);
        return authTokenExpiredOrCannotBeExtended(refreshTokenInfoFromCache, jwtPrincipal) ? new OidcAuthResponse(null, Collections.emptyList(), jwtPrincipal.getJwt(), Long.valueOf(getLongValue(jwtPrincipal, "exp"))) : useRefreshTokensForExtension(refreshTokenInfoFromCache, jwtPrincipal) ? extendSessionUsingRefreshToken(refreshTokenInfoFromCache, jwtPrincipal) : extendSessionUsingMexTokenClaim(cookie, jwtPrincipal);
    }

    private boolean isInvalidPrincipal(Principal principal) {
        if (!Objects.isNull(principal) && (principal instanceof JwtPrincipal)) {
            return false;
        }
        log.error("context user principal=`{}` is not valid", principal);
        return true;
    }

    private RefreshTokenInfo getRefreshTokenInfoFromCache(Principal principal) {
        log.info("Fetching refresh token info from cache for principal : {}", principal.getName());
        return this.trustCache.refreshTokenInfo(RefreshTokenInfoKey.cacheKey(this.idpIssuer, principal.getName()));
    }

    private boolean authTokenExpiredOrCannotBeExtended(RefreshTokenInfo refreshTokenInfo, JwtPrincipal jwtPrincipal) {
        long longValue = getLongValue(jwtPrincipal, "exp");
        long currentTimeMillis = System.currentTimeMillis() / 1000;
        if (longValue < currentTimeMillis) {
            log.info("auth_token already expired for {}. expSec:{}, currentTimeSec:{}", jwtPrincipal.getName(), Long.valueOf(longValue), Long.valueOf(currentTimeMillis));
            return true;
        }
        if (useRefreshTokensForExtension(refreshTokenInfo, jwtPrincipal)) {
            if (currentTimeMillis - refreshTokenInfo.issuedAt() <= this.sessionTokenMaxExtendabilityMs / 1000) {
                return false;
            }
            log.info("auth_token cannot be extended beyond abs timeout for {}. refreshTkIssuedAt:{}, currentTimeSec:{}, absoluteTimeoutSec:{}", jwtPrincipal.getName(), Long.valueOf(refreshTokenInfo.issuedAt()), Long.valueOf(currentTimeMillis), Long.valueOf(this.sessionTokenMaxExtendabilityMs / 1000));
            return true;
        }
        long longValue2 = getLongValue(jwtPrincipal, "mex");
        if (longValue2 >= currentTimeMillis) {
            return false;
        }
        log.info("auth_token cannot be extended beyond mex for {}. mex:{}, currentTimeSec:{}", jwtPrincipal.getName(), Long.valueOf(longValue2), Long.valueOf(currentTimeMillis));
        return true;
    }

    private boolean useRefreshTokensForExtension(RefreshTokenInfo refreshTokenInfo, JwtPrincipal jwtPrincipal) {
        return Objects.nonNull(refreshTokenInfo) && !Strings.isNullOrEmpty(refreshTokenInfo.encryptedRefreshToken()) && Objects.nonNull(refreshTokenInfo.sessionId()) && refreshTokenInfo.sessionId().equals(jwtPrincipal.jwtClaims().getOrDefault(TOKEN_SESSION_ID, null));
    }

    private OidcAuthResponse extendSessionUsingRefreshToken(RefreshTokenInfo refreshTokenInfo, JwtPrincipal jwtPrincipal) {
        log.info("Extending session using refresh token for iss:{}, principal:{}, ssid:{}", refreshTokenInfo.issuer(), jwtPrincipal.getName(), refreshTokenInfo.sessionId());
        JwtClaims validateIdTokenAndCollectClaims = validateIdTokenAndCollectClaims(getTokensFromRefreshToken(refreshTokenInfo));
        String str = (String) jwtPrincipal.jwtClaims().getOrDefault(TOKEN_SESSION_ID, null);
        long min = Math.min((((refreshTokenInfo.issuedAt() * 1000) + this.sessionTokenMaxExtendabilityMs) - System.currentTimeMillis()) / 1000, getIdTokenRemainingValidity(validateIdTokenAndCollectClaims));
        String issueToken = issueToken(validateIdTokenAndCollectClaims, jwtPrincipal.getName(), str, min);
        long sessionTokenLifetime = getSessionTokenLifetime(min);
        return new OidcAuthResponse(null, Collections.singletonList(this.tokenService.getCookieHeader(issueToken, sessionTokenLifetime)), issueToken, Long.valueOf(sessionTokenLifetime + (System.currentTimeMillis() / 1000)));
    }

    private TokenResponse getTokensFromRefreshToken(RefreshTokenInfo refreshTokenInfo) {
        CompletionStage<Response> tokensAsync = getTokensAsync(createTokenRequestFormUsingRefreshToken(this.encryptionHandler.decrypt(refreshTokenInfo.encryptedRefreshToken())), getEncodedCredentials(this.clientIdIdp, this.clientSecretIdp));
        log.info("Fetching idp tokens using refresh token for `{}`", refreshTokenInfo.subClaim());
        return fetchIdpTokens(tokensAsync);
    }

    private Form createTokenRequestFormUsingRefreshToken(String str) {
        return new Form().param("grant_type", "refresh_token").param("refresh_token", str).param("scope", getScopeParam(false));
    }

    private OidcAuthResponse extendSessionUsingMexTokenClaim(Cookie cookie, JwtPrincipal jwtPrincipal) {
        RefreshTokenRequest refreshTokenRequest = new RefreshTokenRequest(cookie.getValue(), "");
        long tokenLifetime = getTokenLifetime(jwtPrincipal);
        log.info("Extending session using mex for sub:{} by:{}", jwtPrincipal.getName(), Long.valueOf(tokenLifetime));
        String refreshToken = this.tokenService.refreshToken(jwtPrincipal, refreshTokenRequest, Collections.emptyMap(), tokenLifetime);
        return new OidcAuthResponse(null, Collections.singletonList(this.tokenService.getCookieHeader(refreshToken, tokenLifetime)), refreshToken, Long.valueOf(tokenLifetime + (System.currentTimeMillis() / 1000)));
    }

    private long getTokenLifetime(JwtPrincipal jwtPrincipal) {
        return getSessionTokenLifetime(Math.max(0L, getLongValue(jwtPrincipal, "mex") - (System.currentTimeMillis() / 1000)));
    }

    private long getLongValue(JwtPrincipal jwtPrincipal, String str) {
        Object orDefault = jwtPrincipal.jwtClaims().getOrDefault(str, 0L);
        if (orDefault instanceof Long) {
            return ((Long) orDefault).longValue();
        }
        if (orDefault instanceof String) {
            try {
                return Long.parseLong((String) orDefault);
            } catch (Exception e) {
            }
        }
        log.error("jwt claim=`{}` is not of type long", str);
        return 0L;
    }

    public OidcAuthResponse clearToken(SecurityContext securityContext) {
        if (isInvalidPrincipal(securityContext.getUserPrincipal())) {
            return clearAuthTokenResponse();
        }
        JwtPrincipal jwtPrincipal = (JwtPrincipal) securityContext.getUserPrincipal();
        RefreshTokenInfo refreshTokenInfoFromCache = getRefreshTokenInfoFromCache(jwtPrincipal);
        if (Objects.nonNull(refreshTokenInfoFromCache) && Objects.nonNull(refreshTokenInfoFromCache.sessionId()) && refreshTokenInfoFromCache.sessionId().equals(jwtPrincipal.jwtClaims().getOrDefault(TOKEN_SESSION_ID, null))) {
            this.trustWriter.removeRefreshTokenInfo(this.idpIssuer, securityContext.getUserPrincipal().getName());
        }
        return clearAuthTokenResponse();
    }

    private OidcAuthResponse clearAuthTokenResponse() {
        return new OidcAuthResponse(null, Collections.singletonList(this.tokenService.getCookieHeader("", 0L)));
    }

    @VisibleForTesting
    public void setJwtConsumer(JwtConsumer jwtConsumer) {
        this.jwtConsumer = jwtConsumer;
    }
}
