package org.keycloak.protocol.oidc;

import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.keycloak.authentication.ClientAuthenticator;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.crypto.CekManagementProvider;
import org.keycloak.crypto.ClientSignatureVerifierProvider;
import org.keycloak.crypto.ContentEncryptionProvider;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakUriInfo;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.endpoints.TokenEndpoint;
import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.provider.ProviderFactory;
import org.keycloak.services.Urls;
import org.keycloak.services.clientregistration.ClientRegistrationService;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.urls.UrlType;
import org.keycloak.wellknown.WellKnownProvider;

/* loaded from: input_file:org/keycloak/protocol/oidc/OIDCWellKnownProvider.class */
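/**
 * Builds the OpenID Connect discovery document for the realm of the current request.
 *
 * <p>The document produced by {@link #getConfig()} is what relying parties read to learn the
 * issuer, the endpoint URLs and the algorithms/grants/response types this server announces.
 * It is metadata only: nothing in this class enforces the advertised values, so a value being
 * listed here must not be read as "enabled for every client".
 *
 * <p>The {@code DEFAULT_*} lists are shared, process-wide constants that are handed straight to
 * the representation. They are unmodifiable so that no caller can alter the advertised metadata
 * for every realm by writing through the list (the fixed-size view returned by
 * {@code Arrays.asList} still permits {@code set}).
 */
public class OIDCWellKnownProvider implements WellKnownProvider {
    // Protocol id used both as URI template argument and as provider/scope filter.
    private static final String OIDC_PROTOCOL = "openid-connect";

    // Algorithm id advertised for unsigned / unencrypted objects.
    private static final String ALG_NONE = "none";

    // "implicit" and "password" are advertised unconditionally here; the OAuth 2.0 Security BCP
    // discourages both. NOTE(review): whether they are actually usable is decided per client
    // elsewhere - not visible in this class.
    public static final List<String> DEFAULT_GRANT_TYPES_SUPPORTED = list(AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE, "implicit", AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN, "password", "client_credentials");
    public static final List<String> DEFAULT_RESPONSE_TYPES_SUPPORTED = list("code", "none", OIDCResponseType.ID_TOKEN, OIDCResponseType.TOKEN, "id_token token", "code id_token", "code token", "code id_token token");
    public static final List<String> DEFAULT_SUBJECT_TYPES_SUPPORTED = list("public", "pairwise");
    public static final List<String> DEFAULT_RESPONSE_MODES_SUPPORTED = list("query", "fragment", "form_post");
    public static final List<String> DEFAULT_CLIENT_AUTH_SIGNING_ALG_VALUES_SUPPORTED = list(Algorithm.RS256.toString());
    public static final List<String> DEFAULT_CLAIMS_SUPPORTED = list("aud", "sub", OIDCLoginProtocol.ISSUER, "auth_time", "name", "given_name", "family_name", "preferred_username", "email", "acr");
    public static final List<String> DEFAULT_CLAIM_TYPES_SUPPORTED = list("normal");
    // Both PKCE methods are announced. With the plain method the challenge is the verifier itself
    // (RFC 7636), so clients should be configured for S256; advertising plain does not oblige
    // any client to use it.
    public static final List<String> DEFAULT_CODE_CHALLENGE_METHODS_SUPPORTED = list(OIDCLoginProtocol.PKCE_METHOD_PLAIN, OIDCLoginProtocol.PKCE_METHOD_S256);

    private final KeycloakSession session;

    /**
     * @param keycloakSession session whose context supplies the realm and the request URIs
     */
    public OIDCWellKnownProvider(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Assembles the discovery document for the realm in the session context.
     *
     * <p>Issuer, authorization, logout and check-session URLs are built from the
     * {@code FRONTEND} URI; token, introspection, userinfo, JWKS and registration URLs are built
     * from the {@code BACKEND} URI.
     *
     * <p>NOTE(review): how the frontend base URI is derived (fixed hostname or request headers)
     * is decided outside this class. If it can follow the request's Host header, the issuer and
     * browser-facing endpoints in this document follow it too - confirm the hostname
     * configuration of the deployment.
     *
     * @return an {@link OIDCConfigurationRepresentation} populated as described above
     */
    @Override // org.keycloak.wellknown.WellKnownProvider
    public Object getConfig() {
        KeycloakUriInfo frontendUri = this.session.getContext().getUri(UrlType.FRONTEND);
        KeycloakUriInfo backendUri = this.session.getContext().getUri(UrlType.BACKEND);
        RealmModel realm = this.session.getContext().getRealm();
        String realmName = realm.getName();
        UriBuilder frontendBase = RealmsResource.protocolUrl((UriInfo) frontendUri);
        UriBuilder backendBase = RealmsResource.protocolUrl((UriInfo) backendUri);

        OIDCConfigurationRepresentation config = new OIDCConfigurationRepresentation();
        config.setIssuer(Urls.realmIssuer(frontendUri.getBaseUri(), realmName));

        // Each builder is cloned before use because path() mutates the builder it is called on.
        config.setAuthorizationEndpoint(frontendBase.clone().path(OIDCLoginProtocolService.class, "auth").build(realmName, OIDC_PROTOCOL).toString());
        config.setTokenEndpoint(backendBase.clone().path(OIDCLoginProtocolService.class, OIDCResponseType.TOKEN).build(realmName, OIDC_PROTOCOL).toString());
        config.setTokenIntrospectionEndpoint(backendBase.clone().path(OIDCLoginProtocolService.class, OIDCResponseType.TOKEN).path(TokenEndpoint.class, "introspect").build(realmName, OIDC_PROTOCOL).toString());
        config.setUserinfoEndpoint(backendBase.clone().path(OIDCLoginProtocolService.class, "issueUserInfo").build(realmName, OIDC_PROTOCOL).toString());
        config.setLogoutEndpoint(frontendBase.clone().path(OIDCLoginProtocolService.class, "logout").build(realmName, OIDC_PROTOCOL).toString());
        config.setJwksUri(backendBase.clone().path(OIDCLoginProtocolService.class, "certs").build(realmName, OIDC_PROTOCOL).toString());
        config.setCheckSessionIframe(frontendBase.clone().path(OIDCLoginProtocolService.class, "getLoginStatusIframe").build(realmName, OIDC_PROTOCOL).toString());
        config.setRegistrationEndpoint(RealmsResource.clientRegistrationUrl(backendUri).path(ClientRegistrationService.class, "provider").build(realmName, OIDC_PROTOCOL).toString());

        // ID tokens: "none" is never advertised for signing or encryption.
        config.setIdTokenSigningAlgValuesSupported(getSupportedSigningAlgorithms(false));
        config.setIdTokenEncryptionAlgValuesSupported(getSupportedIdTokenEncryptionAlg(false));
        config.setIdTokenEncryptionEncValuesSupported(getSupportedIdTokenEncryptionEnc(false));
        // Userinfo responses and request objects additionally announce "none" (unsigned).
        // NOTE(review): whether an unsigned request object is accepted for a given client is
        // enforced elsewhere; clients that need integrity should register a signing algorithm.
        config.setUserInfoSigningAlgValuesSupported(getSupportedSigningAlgorithms(true));
        config.setRequestObjectSigningAlgValuesSupported(getSupportedClientSigningAlgorithms(true));

        config.setResponseTypesSupported(DEFAULT_RESPONSE_TYPES_SUPPORTED);
        config.setSubjectTypesSupported(DEFAULT_SUBJECT_TYPES_SUPPORTED);
        config.setResponseModesSupported(DEFAULT_RESPONSE_MODES_SUPPORTED);
        config.setGrantTypesSupported(DEFAULT_GRANT_TYPES_SUPPORTED);
        config.setTokenEndpointAuthMethodsSupported(getClientAuthMethodsSupported());
        // Client-assertion signing at the token endpoint: "none" is not advertised.
        config.setTokenEndpointAuthSigningAlgValuesSupported(getSupportedClientSigningAlgorithms(false));
        config.setClaimsSupported(DEFAULT_CLAIMS_SUPPORTED);
        config.setClaimTypesSupported(DEFAULT_CLAIM_TYPES_SUPPORTED);
        config.setClaimsParameterSupported(false);

        // The openid scope always comes first, followed by the realm's OIDC client scopes in
        // the order the realm returns them.
        List<String> scopes = new LinkedList<>();
        scopes.add(OIDCIdentityProvider.SCOPE_OPENID);
        for (ClientScopeModel scope : realm.getClientScopes()) {
            if (OIDC_PROTOCOL.equals(scope.getProtocol())) {
                scopes.add(scope.getName());
            }
        }
        config.setScopesSupported(scopes);

        config.setRequestParameterSupported(true);
        config.setRequestUriParameterSupported(true);
        config.setRequireRequestUriRegistration(true);
        config.setCodeChallengeMethodsSupported(DEFAULT_CODE_CHALLENGE_METHODS_SUPPORTED);
        config.setTlsClientCertificateBoundAccessTokens(true);
        return config;
    }

    /** Nothing to release; this provider holds no resources of its own. */
    @Override
    public void close() {
    }

    /**
     * Wraps the given values in a read-only list so the shared {@code DEFAULT_*} constants
     * cannot be altered through {@code set}, {@code sort} or similar write-through calls.
     */
    private static List<String> list(String... strArr) {
        return Collections.unmodifiableList(Arrays.asList(strArr));
    }

    /**
     * Collects the OIDC client authentication methods announced by every registered
     * {@link ClientAuthenticator} factory.
     */
    private List<String> getClientAuthMethodsSupported() {
        List<String> methods = new LinkedList<>();
        for (Object factory : this.session.getKeycloakSessionFactory().getProviderFactories(ClientAuthenticator.class)) {
            // NOTE(review): this listing casts to ProviderFactory; confirm which factory
            // interface actually declares getProtocolAuthenticatorMethods.
            methods.addAll(((ProviderFactory) factory).getProtocolAuthenticatorMethods(OIDC_PROTOCOL));
        }
        return methods;
    }

    /**
     * Lists the ids of all registered {@link SignatureProvider} factories.
     *
     * @param includeNone when {@code true}, {@code "none"} is appended after the provider ids
     */
    private List<String> getSupportedSigningAlgorithms(boolean includeNone) {
        List<String> algorithms = new LinkedList<>();
        for (Object factory : this.session.getKeycloakSessionFactory().getProviderFactories(SignatureProvider.class)) {
            algorithms.add(((ProviderFactory) factory).getId());
        }
        if (includeNone) {
            algorithms.add(ALG_NONE);
        }
        return algorithms;
    }

    /**
     * Lists the ids of all registered {@link ClientSignatureVerifierProvider} factories, i.e.
     * the algorithms announced for signatures produced by clients.
     *
     * @param includeNone when {@code true}, {@code "none"} is appended after the provider ids
     */
    private List<String> getSupportedClientSigningAlgorithms(boolean includeNone) {
        List<String> algorithms = new LinkedList<>();
        for (Object factory : this.session.getKeycloakSessionFactory().getProviderFactories(ClientSignatureVerifierProvider.class)) {
            algorithms.add(((ProviderFactory) factory).getId());
        }
        if (includeNone) {
            algorithms.add(ALG_NONE);
        }
        return algorithms;
    }

    /**
     * Lists the ids of all registered {@link CekManagementProvider} factories, announced as the
     * ID-token encryption {@code alg} values.
     *
     * @param includeNone when {@code true}, {@code "none"} is appended after the provider ids;
     *     the only call in this class passes {@code false}
     */
    private List<String> getSupportedIdTokenEncryptionAlg(boolean includeNone) {
        List<String> algorithms = new LinkedList<>();
        for (Object factory : this.session.getKeycloakSessionFactory().getProviderFactories(CekManagementProvider.class)) {
            algorithms.add(((ProviderFactory) factory).getId());
        }
        if (includeNone) {
            algorithms.add(ALG_NONE);
        }
        return algorithms;
    }

    /**
     * Lists the ids of all registered {@link ContentEncryptionProvider} factories, announced as
     * the ID-token encryption {@code enc} values.
     *
     * @param includeNone when {@code true}, {@code "none"} is appended after the provider ids;
     *     the only call in this class passes {@code false}
     */
    private List<String> getSupportedIdTokenEncryptionEnc(boolean includeNone) {
        List<String> algorithms = new LinkedList<>();
        for (Object factory : this.session.getKeycloakSessionFactory().getProviderFactories(ContentEncryptionProvider.class)) {
            algorithms.add(((ProviderFactory) factory).getId());
        }
        if (includeNone) {
            algorithms.add(ALG_NONE);
        }
        return algorithms;
    }
}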
