package org.keycloak.protocol.oidc;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.OPTIONS;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import jakarta.ws.rs.core.UriInfo;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.http.HttpRequest;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint;
import org.keycloak.protocol.oidc.endpoints.LoginStatusIframeEndpoint;
import org.keycloak.protocol.oidc.endpoints.LogoutEndpoint;
import org.keycloak.protocol.oidc.endpoints.ThirdPartyCookiesIframeEndpoint;
import org.keycloak.protocol.oidc.endpoints.TokenEndpoint;
import org.keycloak.protocol.oidc.endpoints.TokenRevocationEndpoint;
import org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint;
import org.keycloak.protocol.oidc.ext.OIDCExtProvider;
import org.keycloak.protocol.oidc.utils.JWKSServerUtils;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oidc/OIDCLoginProtocolService.class */
/**
 * JAX-RS sub-resource that roots a realm's OpenID Connect protocol endpoints under
 * {@code {realm}/protocol/openid-connect}.
 * <p>
 * The static {@code *Url} helpers build {@link UriBuilder}s pointing at the individual
 * endpoints; the annotated instance methods dispatch each request to its dedicated
 * endpoint class. Request-scoped state (realm, client connection, HTTP request and
 * headers) is resolved once from the {@link KeycloakSession} context at construction.
 */
public class OIDCLoginProtocolService {

    /** Path of the OIDC protocol below the realms resource. */
    private static final String PROTOCOL_PATH = "{realm}/protocol/openid-connect";

    private final RealmModel realm;
    // Shared by the token, userinfo and logout endpoints created by this resource.
    private final TokenManager tokenManager = new TokenManager();
    private final EventBuilder event;
    private final KeycloakSession session;
    // Captured from the context but not read anywhere in this class.
    private final HttpHeaders headers;
    private final HttpRequest request;
    private final ClientConnection clientConnection;

    /**
     * Creates the resource for the current request.
     *
     * @param keycloakSession session whose context supplies realm, connection, request and headers
     * @param eventBuilder    event builder handed to the endpoints that emit login events
     */
    public OIDCLoginProtocolService(KeycloakSession keycloakSession, EventBuilder eventBuilder) {
        session = keycloakSession;
        event = eventBuilder;
        // Everything below is request-scoped and taken straight from the session context.
        clientConnection = keycloakSession.getContext().getConnection();
        realm = keycloakSession.getContext().getRealm();
        request = keycloakSession.getContext().getHttpRequest();
        headers = keycloakSession.getContext().getRequestHeaders();
    }

    /** Base URI builder of the OIDC protocol, derived from the request's base URI. */
    public static UriBuilder tokenServiceBaseUrl(UriInfo uriInfo) {
        return tokenServiceBaseUrl(uriInfo.getBaseUriBuilder());
    }

    /** Appends the realms resource path and the OIDC protocol segment to {@code uriBuilder}. */
    public static UriBuilder tokenServiceBaseUrl(UriBuilder uriBuilder) {
        return uriBuilder.path(RealmsResource.class).path(PROTOCOL_PATH);
    }

    /** Builder for the authorization endpoint, derived from the request's base URI. */
    public static UriBuilder authUrl(UriInfo uriInfo) {
        return authUrl(uriInfo.getBaseUriBuilder());
    }

    /** Builder for the authorization endpoint ({@code auth}). */
    public static UriBuilder authUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, "auth");
    }

    /** Builder for the registration endpoint ({@code registrations}). */
    public static UriBuilder registrationsUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, "registrations");
    }

    /** Builder for the token endpoint ({@code token}). */
    public static UriBuilder tokenUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, "token");
    }

    /** Builder for the JWKS endpoint ({@code certs}). */
    public static UriBuilder certsUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, "certs");
    }

    /** Builder for the userinfo endpoint (resource method {@code issueUserInfo}). */
    public static UriBuilder userInfoUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, "issueUserInfo");
    }

    /** Builder for the introspection endpoint, nested below the token endpoint. */
    public static UriBuilder tokenIntrospectionUrl(UriBuilder uriBuilder) {
        return tokenUrl(uriBuilder).path(TokenEndpoint.class, "introspect");
    }

    /** Builder for the logout endpoint, derived from the request's base URI. */
    public static UriBuilder logoutUrl(UriInfo uriInfo) {
        return logoutUrl(uriInfo.getBaseUriBuilder());
    }

    /** Builder for the logout endpoint ({@code logout}). */
    public static UriBuilder logoutUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, "logout");
    }

    /** Builder for the token revocation endpoint ({@code revoke}). */
    public static UriBuilder tokenRevocationUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, "revoke");
    }

    /**
     * Resolves the {@code @Path} of the named resource method of this class below the
     * protocol base.
     *
     * @param uriBuilder     builder to extend
     * @param resourceMethod name of a {@code @Path}-annotated method of this class
     */
    private static UriBuilder endpointUrl(UriBuilder uriBuilder, String resourceMethod) {
        return tokenServiceBaseUrl(uriBuilder).path(OIDCLoginProtocolService.class, resourceMethod);
    }

    /** Authorization endpoint sub-resource. */
    @Path("auth")
    public Object auth() {
        return new AuthorizationEndpoint(session, event);
    }

    /**
     * Registration flow, started through the authorization endpoint.
     *
     * @param token value of the {@code token} query parameter, passed through to the endpoint
     */
    @Path("registrations")
    public Object registrations(@QueryParam("token") String token) {
        return new AuthorizationEndpoint(session, event).register(token);
    }

    /** Forgot-credentials flow, started through the authorization endpoint. */
    @Path("forgot-credentials")
    public Object forgotCredentialsPage() {
        return new AuthorizationEndpoint(session, event).forgotCredentials();
    }

    /** Token endpoint sub-resource (also hosts introspection, see {@link #tokenIntrospectionUrl}). */
    @Path("token")
    public Object token() {
        return new TokenEndpoint(session, tokenManager, event);
    }

    /** Session-status iframe used by browser clients. */
    @Path("login-status-iframe.html")
    public Object getLoginStatusIframe() {
        return new LoginStatusIframeEndpoint(session);
    }

    /** Third-party-cookie detection iframe. */
    @Path("3p-cookies")
    public Object thirdPartyCookiesCheck() {
        return new ThirdPartyCookiesIframeEndpoint(session);
    }

    /**
     * CORS preflight for the JWKS endpoint: advertises {@code GET} as the only allowed method.
     */
    @OPTIONS
    @Path("certs")
    @Produces(MediaType.APPLICATION_JSON)
    public Response getVersionPreflight() {
        return Cors.builder()
                .allowedMethods("GET")
                .preflight()
                .auth()
                .add(Response.ok());
    }

    /**
     * Serves the realm's JWKS (public key set).
     * <p>
     * The SSL requirement is enforced first via {@link #checkSsl()}. Origins are wide open
     * ({@code *}) because the key set is public material; the response carries the default
     * cache control from {@link CacheControlUtil}.
     *
     * @throws CorsErrorResponseException if the realm requires HTTPS for this connection and
     *                                    the request arrived over another scheme
     */
    @GET
    @NoCache
    @Path("certs")
    @Produces(MediaType.APPLICATION_JSON)
    public Response certs() {
        checkSsl();
        Cors cors = Cors.builder().allowedOrigins("*").auth();
        Response.ResponseBuilder jwks = Response.ok(JWKSServerUtils.getRealmJwks(session, realm))
                .cacheControl(CacheControlUtil.getDefaultCacheControl());
        return cors.add(jwks);
    }

    /** Userinfo endpoint sub-resource. */
    @Path("userinfo")
    public Object issueUserInfo() {
        return new UserInfoEndpoint(session, tokenManager);
    }

    /** Logout endpoint sub-resource. */
    @Path("logout")
    public Object logout() {
        return new LogoutEndpoint(session, tokenManager, event);
    }

    /** Token revocation endpoint sub-resource. */
    @Path("revoke")
    public Object revoke() {
        return new TokenRevocationEndpoint(session, event);
    }

    /**
     * Out-of-band callback for installed applications: renders the authorization code, or
     * the error when no code is present.
     *
     * @param code             authorization code to display, if any
     * @param error            error code shown when {@code code} is absent
     * @param errorDescription accepted for completeness but not rendered by this method
     */
    @GET
    @Path("oauth/oob")
    public Response installedAppUrnCallback(@QueryParam("code") String code,
                                            @QueryParam("error") String error,
                                            @QueryParam("error_description") String errorDescription) {
        LoginFormsProvider forms = session.getProvider(LoginFormsProvider.class);
        if (code == null) {
            // Only the error code reaches the page; error_description is intentionally unused here.
            return forms.setError(error).createCode();
        }
        return forms.setClientSessionCode(code).createCode();
    }

    /**
     * Dispatches to a registered {@link OIDCExtProvider} by id.
     *
     * @param extension provider id taken from the path
     * @throws NotFoundException if no provider with that id is registered (plain 404, no body)
     */
    @Path("ext/{extension}")
    public Object resolveExtension(@PathParam("extension") String extension) {
        OIDCExtProvider provider = session.getProvider(OIDCExtProvider.class, extension);
        if (provider == null) {
            throw new NotFoundException();
        }
        provider.setEvent(event);
        return provider;
    }

    /**
     * Enforces the realm's SSL requirement for the current connection.
     * <p>
     * Within this class only {@link #certs()} calls it; the delegated endpoint classes live
     * elsewhere. The scheme is read from the request base URI, so behind a TLS-terminating
     * proxy the outcome depends on how the forwarded scheme is propagated into the base URI
     * (NOTE(review): confirm against the proxy configuration).
     *
     * @throws CorsErrorResponseException 403 {@code invalid_request} / "HTTPS required" with
     *                                    CORS headers attached so browser callers can read it
     */
    private void checkSsl() {
        String scheme = session.getContext().getUri().getBaseUri().getScheme();
        if (scheme.equals("https")) {
            return;
        }
        if (!realm.getSslRequired().isRequired(clientConnection)) {
            return;
        }
        // auth() is invoked twice here, mirroring the original call chain.
        Cors cors = Cors.builder()
                .auth()
                .allowedMethods(request.getHttpMethod())
                .auth()
                .exposedHeaders("Access-Control-Allow-Methods")
                .allowAllOrigins();
        throw new CorsErrorResponseException(cors, "invalid_request", "HTTPS required", Response.Status.FORBIDDEN);
    }
}
