package org.keycloak.protocol.oid4vc.issuance;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.google.zxing.BarcodeFormat;
import com.google.zxing.WriterException;
import com.google.zxing.client.j2se.MatrixToImageWriter;
import com.google.zxing.common.BitMatrix;
import com.google.zxing.qrcode.QRCodeWriter;
import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DefaultValue;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Response;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.common.util.SecretGenerator;
import org.keycloak.component.ComponentFactory;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.ProtocolMapper;
import org.keycloak.protocol.oid4vc.OID4VCClientRegistrationProvider;
import org.keycloak.protocol.oid4vc.OID4VCLoginProtocolFactory;
import org.keycloak.protocol.oid4vc.issuance.credentialbuilder.CredentialBuilder;
import org.keycloak.protocol.oid4vc.issuance.keybinding.ProofValidator;
import org.keycloak.protocol.oid4vc.issuance.mappers.OID4VCMapper;
import org.keycloak.protocol.oid4vc.issuance.signing.CredentialSigner;
import org.keycloak.protocol.oid4vc.model.CredentialOfferURI;
import org.keycloak.protocol.oid4vc.model.CredentialRequest;
import org.keycloak.protocol.oid4vc.model.CredentialResponse;
import org.keycloak.protocol.oid4vc.model.CredentialsOffer;
import org.keycloak.protocol.oid4vc.model.ErrorResponse;
import org.keycloak.protocol.oid4vc.model.ErrorType;
import org.keycloak.protocol.oid4vc.model.Format;
import org.keycloak.protocol.oid4vc.model.OID4VCClient;
import org.keycloak.protocol.oid4vc.model.OfferUriType;
import org.keycloak.protocol.oid4vc.model.PreAuthorizedCode;
import org.keycloak.protocol.oid4vc.model.PreAuthorizedGrant;
import org.keycloak.protocol.oid4vc.model.Proof;
import org.keycloak.protocol.oid4vc.model.SupportedCredentialConfiguration;
import org.keycloak.protocol.oid4vc.model.VerifiableCredential;
import org.keycloak.protocol.oidc.grants.PreAuthorizedCodeGrantType;
import org.keycloak.protocol.oidc.grants.PreAuthorizedCodeGrantTypeFactory;
import org.keycloak.protocol.oidc.utils.OAuth2Code;
import org.keycloak.protocol.oidc.utils.OAuth2CodeParser;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;
import org.keycloak.util.JsonSerialization;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oid4vc/issuance/OID4VCIssuerEndpoint.class */
public class OID4VCIssuerEndpoint {
    private static final Logger LOGGER = Logger.getLogger(OID4VCIssuerEndpoint.class);
    private Cors cors;
    private static final String CODE_LIFESPAN_REALM_ATTRIBUTE_KEY = "preAuthorizedCodeLifespanS";
    private static final int DEFAULT_CODE_LIFESPAN_S = 30;
    public static final String CREDENTIAL_PATH = "credential";
    public static final String CREDENTIAL_OFFER_PATH = "credential-offer/";
    public static final String RESPONSE_TYPE_IMG_PNG = "image/png";
    public static final String CREDENTIAL_OFFER_URI_CODE_SCOPE = "credential-offer";
    private final KeycloakSession session;
    private final AppAuthManager.BearerTokenAuthenticator bearerTokenAuthenticator;
    private final TimeProvider timeProvider;
    private final int preAuthorizedCodeLifeSpan;
    private final Map<String, CredentialBuilder> credentialBuilders;
    private final boolean isIgnoreScopeCheck;

    /* renamed from: org.keycloak.protocol.oid4vc.issuance.OID4VCIssuerEndpoint$1, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/protocol/oid4vc/issuance/OID4VCIssuerEndpoint$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$protocol$oid4vc$model$OfferUriType = new int[OfferUriType.values().length];

        static {
            try {
                $SwitchMap$org$keycloak$protocol$oid4vc$model$OfferUriType[OfferUriType.URI.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$oid4vc$model$OfferUriType[OfferUriType.QR_CODE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    public OID4VCIssuerEndpoint(KeycloakSession keycloakSession, Map<String, CredentialBuilder> map, AppAuthManager.BearerTokenAuthenticator bearerTokenAuthenticator, TimeProvider timeProvider, int i, boolean z) {
        this.session = keycloakSession;
        this.bearerTokenAuthenticator = bearerTokenAuthenticator;
        this.timeProvider = timeProvider;
        this.credentialBuilders = map;
        this.preAuthorizedCodeLifeSpan = i;
        this.isIgnoreScopeCheck = z;
    }

    public OID4VCIssuerEndpoint(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        this.bearerTokenAuthenticator = new AppAuthManager.BearerTokenAuthenticator(keycloakSession);
        this.timeProvider = new OffsetTimeProvider();
        this.credentialBuilders = loadCredentialBuilders(this.session);
        this.preAuthorizedCodeLifeSpan = ((Integer) Optional.ofNullable(keycloakSession.getContext().getRealm().getAttribute(CODE_LIFESPAN_REALM_ATTRIBUTE_KEY)).map(Integer::valueOf).orElse(30)).intValue();
        this.isIgnoreScopeCheck = false;
    }

    private Map<String, CredentialBuilder> loadCredentialBuilders(KeycloakSession keycloakSession) {
        KeycloakSessionFactory keycloakSessionFactory = keycloakSession.getKeycloakSessionFactory();
        RealmModel realm = keycloakSession.getContext().getRealm();
        return (Map) realm.getComponentsStream(realm.getId(), CredentialBuilder.class.getName()).map(componentModel -> {
            ComponentFactory providerFactory = keycloakSessionFactory.getProviderFactory(CredentialBuilder.class, componentModel.getProviderId());
            if (providerFactory instanceof ComponentFactory) {
                return (CredentialBuilder) providerFactory.create(keycloakSession, componentModel);
            }
            throw new IllegalArgumentException(String.format("Component %s is unexpectedly not a ComponentFactory", componentModel.getProviderId()));
        }).collect(Collectors.toMap((v0) -> {
            return v0.getSupportedFormat();
        }, credentialBuilder -> {
            return credentialBuilder;
        }));
    }

    @Produces({MediaType.APPLICATION_JSON, RESPONSE_TYPE_IMG_PNG})
    @GET
    @Path("credential-offer-uri")
    public Response getCredentialOfferURI(@QueryParam("credential_configuration_id") String str, @QueryParam("type") @DefaultValue("uri") OfferUriType offerUriType, @QueryParam("width") @DefaultValue("200") int i, @QueryParam("height") @DefaultValue("200") int i2) {
        AuthenticatedClientSessionModel authenticatedClientSession = getAuthenticatedClientSession();
        Map<String, SupportedCredentialConfiguration> supportedCredentials = OID4VCIssuerWellKnownProvider.getSupportedCredentials(this.session);
        LOGGER.debugf("Get an offer for %s", str);
        if (!supportedCredentials.containsKey(str)) {
            LOGGER.debugf("No credential with id %s exists.", str);
            LOGGER.debugf("Supported credentials are %s.", supportedCredentials);
            throw new BadRequestException(getErrorResponse(ErrorType.INVALID_CREDENTIAL_REQUEST));
        }
        SupportedCredentialConfiguration supportedCredentialConfiguration = supportedCredentials.get(str);
        int currentTimeSeconds = this.timeProvider.currentTimeSeconds() + this.preAuthorizedCodeLifeSpan;
        CredentialsOffer grants = new CredentialsOffer().setCredentialIssuer(OID4VCIssuerWellKnownProvider.getIssuer(this.session.getContext())).setCredentialConfigurationIds(List.of(supportedCredentialConfiguration.getId())).setGrants(new PreAuthorizedGrant().setPreAuthorizedCode(new PreAuthorizedCode().setPreAuthorizedCode(generateAuthorizationCodeForClientSession(currentTimeSeconds, authenticatedClientSession))));
        String generateCodeForSession = generateCodeForSession(currentTimeSeconds, authenticatedClientSession);
        try {
            authenticatedClientSession.setNote(generateCodeForSession, JsonSerialization.mapper.writeValueAsString(grants));
            switch (AnonymousClass1.$SwitchMap$org$keycloak$protocol$oid4vc$model$OfferUriType[offerUriType.ordinal()]) {
                case DeclarativeUserProfileProviderFactory.PROVIDER_PRIORITY /* 1 */:
                    return getOfferUriAsUri(generateCodeForSession);
                case 2:
                    return getOfferUriAsQr(generateCodeForSession, i, i2);
                default:
                    throw new IncompatibleClassChangeError();
            }
        } catch (JsonProcessingException e) {
            LOGGER.errorf("Could not convert the offer POJO to JSON: %s", e.getMessage());
            throw new BadRequestException(getErrorResponse(ErrorType.INVALID_CREDENTIAL_REQUEST));
        }
    }

    private Response getOfferUriAsUri(String str) {
        return Response.ok().type(MediaType.APPLICATION_JSON).entity(new CredentialOfferURI().setIssuer(OID4VCIssuerWellKnownProvider.getIssuer(this.session.getContext()) + "/protocol/oid4vc/credential-offer/").setNonce(str)).build();
    }

    private Response getOfferUriAsQr(String str, int i, int i2) {
        try {
            BitMatrix encode = new QRCodeWriter().encode("openid-credential-offer://?credential_offer_uri=" + URLEncoder.encode(OID4VCIssuerWellKnownProvider.getIssuer(this.session.getContext()) + "/protocol/oid4vc/credential-offer/" + str, StandardCharsets.UTF_8), BarcodeFormat.QR_CODE, i, i2);
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            MatrixToImageWriter.writeToStream(encode, "png", byteArrayOutputStream);
            return Response.ok().type(RESPONSE_TYPE_IMG_PNG).entity(byteArrayOutputStream.toByteArray()).build();
        } catch (WriterException | IOException e) {
            LOGGER.warnf("Was not able to create a qr code of dimension %s:%s.", Integer.valueOf(i), Integer.valueOf(i2), e);
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("Was not able to generate qr.").build();
        }
    }

    @Produces({MediaType.APPLICATION_JSON})
    @GET
    @Path("credential-offer/{sessionCode}")
    public Response getCredentialOffer(@PathParam("sessionCode") String str) {
        if (str == null) {
            throw new BadRequestException(getErrorResponse(ErrorType.INVALID_CREDENTIAL_REQUEST));
        }
        CredentialsOffer offerFromSessionCode = getOfferFromSessionCode(str);
        LOGGER.debugf("Responding with offer: %s", offerFromSessionCode);
        return Response.ok().entity(offerFromSessionCode).build();
    }

    private void checkScope(CredentialRequest credentialRequest) {
        AuthenticatedClientSessionModel authenticatedClientSession = getAuthenticatedClientSession();
        String note = authenticatedClientSession.getNote(PreAuthorizedCodeGrantType.VC_ISSUANCE_FLOW);
        if (note != null && note.equals(PreAuthorizedCodeGrantTypeFactory.GRANT_TYPE)) {
            authenticatedClientSession.removeNote(PreAuthorizedCodeGrantType.VC_ISSUANCE_FLOW);
            return;
        }
        ClientModel client = authenticatedClientSession.getClient();
        String credentialIdentifier = credentialRequest.getCredentialIdentifier();
        String str = (String) client.getAttributes().get("vc." + credentialIdentifier + ".scope");
        AccessToken token = this.bearerTokenAuthenticator.authenticate().getToken();
        if (((Stream) Arrays.stream(token.getScope().split(" ")).sequential()).noneMatch(str2 -> {
            return str2.equals(str);
        })) {
            LOGGER.debugf("Scope check failure: credentialIdentifier = %s, required scope = %s, scope in access token = %s.", credentialIdentifier, str, token.getScope());
            throw new CorsErrorResponseException(this.cors, ErrorType.UNSUPPORTED_CREDENTIAL_TYPE.toString(), "Scope check failure", Response.Status.BAD_REQUEST);
        }
        LOGGER.debugf("Scope check success: credentialIdentifier = %s, required scope = %s, scope in access token = %s.", credentialIdentifier, str, token.getScope());
    }

    @Produces({MediaType.APPLICATION_JSON})
    @POST
    @Path(CREDENTIAL_PATH)
    @Consumes({MediaType.APPLICATION_JSON})
    public Response requestCredential(CredentialRequest credentialRequest) {
        LOGGER.debugf("Received credentials request %s.", credentialRequest);
        this.cors = Cors.builder().auth().allowedMethods(new String[]{"POST"}).auth().exposedHeaders(new String[]{"Access-Control-Allow-Methods"});
        AuthenticationManager.AuthResult authResult = getAuthResult();
        if (!this.isIgnoreScopeCheck) {
            checkScope(credentialRequest);
        }
        String credentialIdentifier = credentialRequest.getCredentialIdentifier();
        String format = credentialRequest.getFormat();
        if (credentialIdentifier == null && format == null) {
            LOGGER.debugf("Missing both configuration id and requested format. At least one shall be specified.", new Object[0]);
            throw new BadRequestException(getErrorResponse(ErrorType.MISSING_CREDENTIAL_CONFIG_AND_FORMAT));
        }
        Map<String, SupportedCredentialConfiguration> supportedCredentials = OID4VCIssuerWellKnownProvider.getSupportedCredentials(this.session);
        SupportedCredentialConfiguration supportedCredentialConfiguration = null;
        if (credentialIdentifier != null) {
            supportedCredentialConfiguration = supportedCredentials.get(credentialIdentifier);
            if (supportedCredentialConfiguration == null) {
                LOGGER.debugf("Credential with configuration id %s not found.", credentialIdentifier);
                throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_TYPE));
            }
            if (format != null && !format.equals(supportedCredentialConfiguration.getFormat())) {
                LOGGER.debugf("Credential with configuration id %s does not support requested format %s, but supports %s.", credentialIdentifier, format, supportedCredentialConfiguration.getFormat());
                throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_FORMAT));
            }
        }
        if (supportedCredentialConfiguration == null && format != null) {
            supportedCredentialConfiguration = getSupportedCredentialConfiguration(credentialRequest, supportedCredentials, format);
            if (supportedCredentialConfiguration == null) {
                LOGGER.debugf("Credential with requested format %s, not supported.", format);
                throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_FORMAT));
            }
        }
        CredentialResponse credentialResponse = new CredentialResponse();
        Object credential = getCredential(authResult, supportedCredentialConfiguration, credentialRequest);
        if (!Format.SUPPORTED_FORMATS.contains(format)) {
            throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_TYPE));
        }
        credentialResponse.setCredential(credential);
        return Response.ok().entity(credentialResponse).build();
    }

    private SupportedCredentialConfiguration getSupportedCredentialConfiguration(CredentialRequest credentialRequest, Map<String, SupportedCredentialConfiguration> map, String str) {
        List list;
        List list2 = (List) map.values().stream().filter(supportedCredentialConfiguration -> {
            return Objects.equals(supportedCredentialConfiguration.getFormat(), str);
        }).collect(Collectors.toList());
        boolean z = -1;
        switch (str.hashCode()) {
            case -1146827483:
                if (str.equals(Format.JWT_VC)) {
                    z = true;
                    break;
                }
                break;
            case -1107235244:
                if (str.equals(Format.LDP_VC)) {
                    z = 2;
                    break;
                }
                break;
            case 807405545:
                if (str.equals(Format.SD_JWT_VC)) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                list = (List) list2.stream().filter(supportedCredentialConfiguration2 -> {
                    return Objects.equals(supportedCredentialConfiguration2.getVct(), credentialRequest.getVct());
                }).collect(Collectors.toList());
                break;
            case DeclarativeUserProfileProviderFactory.PROVIDER_PRIORITY /* 1 */:
            case true:
                list = (List) list2.stream().filter(supportedCredentialConfiguration3 -> {
                    return Objects.equals(supportedCredentialConfiguration3.getCredentialDefinition(), credentialRequest.getCredentialDefinition());
                }).collect(Collectors.toList());
                break;
            default:
                throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_FORMAT));
        }
        if (list.isEmpty()) {
            throw new BadRequestException(getErrorResponse(ErrorType.MISSING_CREDENTIAL_CONFIG));
        }
        return (SupportedCredentialConfiguration) list.iterator().next();
    }

    private AuthenticatedClientSessionModel getAuthenticatedClientSession() {
        AuthenticationManager.AuthResult authResult = getAuthResult();
        AuthenticatedClientSessionModel authenticatedClientSessionByClient = authResult.getSession().getAuthenticatedClientSessionByClient(authResult.getClient().getId());
        if (authenticatedClientSessionByClient == null) {
            throw new BadRequestException(getErrorResponse(ErrorType.INVALID_TOKEN));
        }
        return authenticatedClientSessionByClient;
    }

    private AuthenticationManager.AuthResult getAuthResult() {
        return getAuthResult(new BadRequestException(getErrorResponse(ErrorType.INVALID_TOKEN)));
    }

    private AuthenticationManager.AuthResult getAuthResult(WebApplicationException webApplicationException) {
        AuthenticationManager.AuthResult authenticate = this.bearerTokenAuthenticator.authenticate();
        if (authenticate == null) {
            throw webApplicationException;
        }
        return authenticate;
    }

    private Object getCredential(AuthenticationManager.AuthResult authResult, SupportedCredentialConfiguration supportedCredentialConfiguration, CredentialRequest credentialRequest) {
        VCIssuanceContext vCToSign = getVCToSign(getClientScopeModel(supportedCredentialConfiguration).getProtocolMappersStream().map(protocolMapperModel -> {
            OID4VCMapper provider = this.session.getProvider(ProtocolMapper.class, protocolMapperModel.getProtocolMapper());
            if (provider instanceof OID4VCMapper) {
                ProtocolMapper create = provider.create(this.session);
                if (create instanceof OID4VCMapper) {
                    OID4VCMapper oID4VCMapper = (OID4VCMapper) create;
                    oID4VCMapper.setMapperModel(protocolMapperModel);
                    return oID4VCMapper;
                }
            }
            LOGGER.warnf("The protocol mapper %s is not an instance of OID4VCMapper.", protocolMapperModel.getId());
            return null;
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).toList(), supportedCredentialConfiguration, authResult, credentialRequest);
        enforceKeyBindingIfProofProvided(vCToSign);
        String format = credentialRequest.getFormat();
        return Optional.ofNullable((CredentialSigner) this.session.getProvider(CredentialSigner.class, format)).map(credentialSigner -> {
            return credentialSigner.signCredential(vCToSign.getCredentialBody(), supportedCredentialConfiguration.getCredentialBuildConfig());
        }).orElseThrow(() -> {
            return new BadRequestException(String.format("No signer found for format '%s'.", format));
        });
    }

    private ClientScopeModel getClientScopeModel(SupportedCredentialConfiguration supportedCredentialConfiguration) {
        ClientScopeModel clientScopeModel = (ClientScopeModel) this.session.getContext().getClient().getClientScopes(false).get(supportedCredentialConfiguration.getScope());
        if (clientScopeModel == null) {
            throw new BadRequestException("Client scope not found for the specified scope: " + supportedCredentialConfiguration.getScope());
        }
        return clientScopeModel;
    }

    private List<ProtocolMapperModel> getProtocolMappers(List<OID4VCClient> list) {
        return list.stream().map((v0) -> {
            return v0.getClientDid();
        }).map(this::getClient).flatMap((v0) -> {
            return v0.getProtocolMappersStream();
        }).toList();
    }

    private String generateCodeForSession(int i, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        return OAuth2CodeParser.persistCode(this.session, authenticatedClientSessionModel, new OAuth2Code(SecretGenerator.getInstance().randomString(), i, SecretGenerator.getInstance().randomString(), CREDENTIAL_OFFER_URI_CODE_SCOPE, null, null, null, null, authenticatedClientSessionModel.getUserSession().getId()));
    }

    private CredentialsOffer getOfferFromSessionCode(String str) {
        OAuth2CodeParser.ParseResult parseCode = OAuth2CodeParser.parseCode(this.session, str, this.session.getContext().getRealm(), new EventBuilder(this.session.getContext().getRealm(), this.session, this.session.getContext().getConnection()));
        if (!parseCode.isExpiredCode() && !parseCode.isIllegalCode()) {
            try {
                if (parseCode.getCodeData().getScope().equals(CREDENTIAL_OFFER_URI_CODE_SCOPE)) {
                    try {
                        CredentialsOffer credentialsOffer = (CredentialsOffer) JsonSerialization.mapper.readValue(parseCode.getClientSession().getNote(str), CredentialsOffer.class);
                        parseCode.getClientSession().removeNote(str);
                        return credentialsOffer;
                    } catch (JsonProcessingException e) {
                        LOGGER.errorf("Could not convert JSON to POJO: %s", e);
                        throw new BadRequestException(getErrorResponse(ErrorType.INVALID_TOKEN));
                    }
                }
            } catch (Throwable th) {
                parseCode.getClientSession().removeNote(str);
                throw th;
            }
        }
        throw new BadRequestException(getErrorResponse(ErrorType.INVALID_TOKEN));
    }

    private String generateAuthorizationCodeForClientSession(int i, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        return PreAuthorizedCodeGrantType.getPreAuthorizedCode(this.session, authenticatedClientSessionModel, i);
    }

    private Response getErrorResponse(ErrorType errorType) {
        ErrorResponse errorResponse = new ErrorResponse();
        errorResponse.setError(errorType);
        return Response.status(Response.Status.BAD_REQUEST).entity(errorResponse).type(MediaType.APPLICATION_JSON).build();
    }

    private ClientModel getClient(String str) {
        return this.session.clients().getClientByClientId(this.session.getContext().getRealm(), str);
    }

    private List<OID4VCClient> getOID4VCClientsFromSession() {
        return this.session.clients().getClientsStream(this.session.getContext().getRealm()).filter(clientModel -> {
            return clientModel.getProtocol() != null;
        }).filter(clientModel2 -> {
            return clientModel2.getProtocol().equals(OID4VCLoginProtocolFactory.PROTOCOL_ID);
        }).map(clientModel3 -> {
            return OID4VCClientRegistrationProvider.fromClientAttributes(clientModel3.getClientId(), clientModel3.getAttributes());
        }).toList();
    }

    private VCIssuanceContext getVCToSign(List<OID4VCMapper> list, SupportedCredentialConfiguration supportedCredentialConfiguration, AuthenticationManager.AuthResult authResult, CredentialRequest credentialRequest) {
        VerifiableCredential type = new VerifiableCredential().setIssuanceDate(Instant.ofEpochMilli(this.timeProvider.currentTimeMillis())).setType(List.of(supportedCredentialConfiguration.getScope()));
        HashMap hashMap = new HashMap();
        list.stream().filter(oID4VCMapper -> {
            return oID4VCMapper.isScopeSupported(supportedCredentialConfiguration.getScope());
        }).forEach(oID4VCMapper2 -> {
            oID4VCMapper2.setClaimsForSubject(hashMap, authResult.getSession());
        });
        hashMap.forEach((str, obj) -> {
            type.getCredentialSubject().setClaims(str, obj);
        });
        list.stream().filter(oID4VCMapper3 -> {
            return oID4VCMapper3.isScopeSupported(supportedCredentialConfiguration.getScope());
        }).forEach(oID4VCMapper4 -> {
            oID4VCMapper4.setClaimsForCredential(type, authResult.getSession());
        });
        LOGGER.debugf("The credential to sign is: %s", type);
        return new VCIssuanceContext().setAuthResult(authResult).setCredentialBody(findCredentialBuilder(supportedCredentialConfiguration).buildCredentialBody(type, supportedCredentialConfiguration.getCredentialBuildConfig())).setCredentialConfig(supportedCredentialConfiguration).setCredentialRequest(credentialRequest);
    }

    private void enforceKeyBindingIfProofProvided(VCIssuanceContext vCIssuanceContext) {
        Proof proof = vCIssuanceContext.getCredentialRequest().getProof();
        if (proof == null) {
            LOGGER.debugf("No proof provided, skipping key binding", new Object[0]);
            return;
        }
        ProofValidator proofValidator = (ProofValidator) this.session.getProvider(ProofValidator.class, proof.getProofType());
        if (proofValidator == null) {
            throw new BadRequestException(String.format("Unable to validate proofs of type %s", proof.getProofType()));
        }
        try {
            Optional.ofNullable(proofValidator.validateProof(vCIssuanceContext)).ifPresent(jwk -> {
                vCIssuanceContext.getCredentialBody().addKeyBinding(jwk);
            });
        } catch (VCIssuerException e) {
            throw new BadRequestException("Could not validate provided proof", e);
        }
    }

    private CredentialBuilder findCredentialBuilder(SupportedCredentialConfiguration supportedCredentialConfiguration) {
        String format = supportedCredentialConfiguration.getFormat();
        CredentialBuilder credentialBuilder = this.credentialBuilders.get(format);
        if (credentialBuilder == null) {
            throw new BadRequestException(String.format("No credential builder found for format %s", format));
        }
        return credentialBuilder;
    }
}
