package org.keycloak.testsuite.oauth;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.TextNode;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.UriBuilder;
import org.apache.commons.io.output.ByteArrayOutputStream;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicNameValuePair;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientScopesResource;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.oidc.TokenMetadataRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.oidc.AbstractOIDCScopeTest;
import org.keycloak.testsuite.oidc.OIDCScopeTest;
import org.keycloak.testsuite.util.KeycloakModelUtils;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.TokenSignatureUtil;
import org.keycloak.util.BasicAuthHelper;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/testsuite/oauth/TokenIntrospectionTest.class */
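/**
 * Integration tests for the OAuth 2.0 token introspection endpoint, driven through
 * {@link OAuthClient}.
 *
 * <p>The tests check two sides of the endpoint's contract: a live token introspected by an
 * authenticated confidential client yields {@code active=true} together with its claims, and
 * every other case (bad caller credentials, public or SAML caller, unknown / expired / revoked
 * token, logged-out session, disabled user, duplicated request parameter) yields either an error
 * or {@code active=false} with no username, client id or subject in the response.
 *
 * <p>The client secrets and the user password set up here are fixed literals; they are fixtures
 * of the throw-away test realm only.
 */
public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest {

    @Rule
    public AssertEvents events = new AssertEvents(this);

    /**
     * Adds the fixtures the tests rely on to the realm before it is imported: a confidential
     * client with service accounts, a public client, a SAML client with a secret, and an enabled
     * user "no-permissions" holding the realm role "user".
     *
     * @param realmRepresentation realm definition to extend in place
     */
    @Override
    public void configureTestRealm(RealmRepresentation realmRepresentation) {
        ClientRepresentation confidentialClient = KeycloakModelUtils.createClient(realmRepresentation, "confidential-cli");
        confidentialClient.setSecret("secret1");
        confidentialClient.setServiceAccountsEnabled(Boolean.TRUE);

        KeycloakModelUtils.createClient(realmRepresentation, "public-cli").setPublicClient(Boolean.TRUE);

        // A client that has a secret but speaks SAML, used to check that introspection
        // rejects callers that are not OIDC clients even when their credentials are valid.
        ClientRepresentation samlClient = KeycloakModelUtils.createClient(realmRepresentation, "saml-client");
        samlClient.setSecret("secret2");
        samlClient.setServiceAccountsEnabled(Boolean.TRUE);
        samlClient.setProtocol("saml");

        CredentialRepresentation passwordCredential = new CredentialRepresentation();
        passwordCredential.setType("password");
        passwordCredential.setValue("password");
        List<CredentialRepresentation> credentials = new ArrayList<>();
        credentials.add(passwordCredential);

        List<String> realmRoles = new ArrayList<>();
        realmRoles.add("user");

        UserRepresentation user = new UserRepresentation();
        user.setUsername("no-permissions");
        user.setCredentials(credentials);
        user.setEnabled(Boolean.TRUE);
        user.setRealmRoles(realmRoles);
        realmRepresentation.getUsers().add(user);
    }

    /**
     * After the realm import, points every protocol mapper named "username" at the claim name
     * {@code preferred_username12} and pushes the change through the admin API.
     *
     * <p>NOTE(review): the tests still expect {@code username} in the introspection response, so
     * this presumably proves that field does not depend on the token's claim name; confirm
     * against the upstream test. The decompiler reports that this override was declared
     * {@code protected} in the compiled class.
     */
    @Override
    public void afterAbstractKeycloakTestRealmImport() {
        ClientScopesResource clientScopes = testRealm().clientScopes();
        for (ClientScopeRepresentation scope : clientScopes.findAll()) {
            List<ProtocolMapperRepresentation> mappers = scope.getProtocolMappers();
            if (mappers == null) {
                continue;
            }
            for (ProtocolMapperRepresentation mapper : mappers) {
                if (!"username".equals(mapper.getName())) {
                    continue;
                }
                Map<String, String> config = mapper.getConfig();
                config.put("user.attribute", "username");
                config.put("claim.name", "preferred_username12");
                clientScopes.get(scope.getId()).getProtocolMappers().update(mapper.getId(), mapper);
            }
        }
    }

    /**
     * A confidential client authenticating with its id and secret gets the full metadata of a
     * live access token, and the raw JSON agrees with its {@link TokenMetadataRepresentation}
     * binding field by field.
     */
    @Test
    public void testConfidentialClientCredentialsBasicAuthentication() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String accessToken = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), "password").getAccessToken();
        String introspectionResponse = this.oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", accessToken);

        ObjectMapper objectMapper = new ObjectMapper();
        JsonNode json = objectMapper.readTree(introspectionResponse);
        Assert.assertTrue(json.get("active").asBoolean());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, json.get("username").asText());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, json.get("client_id").asText());
        Assert.assertTrue(json.has("exp"));
        Assert.assertTrue(json.has("iat"));
        Assert.assertFalse(json.has("nbf"));
        Assert.assertTrue(json.has("sub"));
        Assert.assertTrue(json.has("aud"));
        Assert.assertTrue(json.has("iss"));
        Assert.assertTrue(json.has("jti"));

        TokenMetadataRepresentation metadata = objectMapper.readValue(introspectionResponse, TokenMetadataRepresentation.class);
        Assert.assertTrue(metadata.isActive());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, metadata.getUserName());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, metadata.getClientId());
        Assert.assertEquals(json.get("exp").asInt(), metadata.getExpiration());
        Assert.assertEquals(json.get("iat").asInt(), metadata.getIssuedAt());
        // "nbf" is absent from the JSON (asserted above), so both sides are expected to be null.
        Assert.assertEquals(json.get("nbf"), metadata.getNbf());
        Assert.assertEquals(json.get("sub").asText(), metadata.getSubject());

        // The token carries a single audience, which is serialized as a plain JSON string.
        Assert.assertTrue(json.get("aud") instanceof TextNode);
        List<String> audiences = new ArrayList<>();
        audiences.add(json.get("aud").asText());
        org.keycloak.testsuite.Assert.assertNames(audiences, metadata.getAudience());

        Assert.assertEquals(json.get("iss").asText(), metadata.getIssuer());
        Assert.assertEquals(json.get("jti").asText(), metadata.getId());
    }

    /**
     * A wrong client secret is answered with the error {@code invalid_request} /
     * "Authentication failed." rather than with token metadata.
     */
    @Test
    public void testInvalidClientCredentials() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String accessToken = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), "password").getAccessToken();
        String introspectionResponse = this.oauth.introspectAccessTokenWithClientCredential("confidential-cli", "bad_credential", accessToken);

        OAuth2ErrorRepresentation error = JsonSerialization.readValue(introspectionResponse, OAuth2ErrorRepresentation.class);
        org.keycloak.testsuite.Assert.assertEquals("Authentication failed.", error.getErrorDescription());
        org.keycloak.testsuite.Assert.assertEquals("invalid_request", error.getError());
    }

    /**
     * Introspecting a live refresh token reports it active, bound to the login's session, with
     * {@code typ} equal to "Refresh".
     */
    @Test
    public void testIntrospectRefreshToken() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String code = currentAuthorizationCode();
        String sessionId = this.events.expectLogin().assertEvent().getSessionId();
        String refreshToken = this.oauth.doAccessTokenRequest(code, "password").getRefreshToken();
        String introspectionResponse = this.oauth.introspectRefreshTokenWithClientCredential("confidential-cli", "secret1", refreshToken);

        ObjectMapper objectMapper = new ObjectMapper();
        JsonNode json = objectMapper.readTree(introspectionResponse);
        Assert.assertTrue(json.get("active").asBoolean());
        Assert.assertEquals(sessionId, json.get("session_state").asText());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, json.get("client_id").asText());
        Assert.assertTrue(json.has("exp"));
        Assert.assertTrue(json.has("iat"));
        Assert.assertFalse(json.has("nbf"));
        Assert.assertTrue(json.has("sub"));
        Assert.assertTrue(json.has("aud"));
        Assert.assertTrue(json.has("iss"));
        Assert.assertTrue(json.has("jti"));
        Assert.assertTrue(json.has("typ"));

        TokenMetadataRepresentation metadata = objectMapper.readValue(introspectionResponse, TokenMetadataRepresentation.class);
        Assert.assertTrue(metadata.isActive());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, metadata.getClientId());
        Assert.assertEquals(json.get("session_state").asText(), metadata.getSessionState());
        Assert.assertEquals(json.get("exp").asInt(), metadata.getExpiration());
        Assert.assertEquals(json.get("iat").asInt(), metadata.getIssuedAt());
        // "nbf" is absent from the JSON (asserted above), so both sides are expected to be null.
        Assert.assertEquals(json.get("nbf"), metadata.getNbf());
        Assert.assertEquals(json.get("iss").asText(), metadata.getIssuer());
        Assert.assertEquals(json.get("jti").asText(), metadata.getId());
        // Expected value first, so a failure message reads the right way round.
        Assert.assertEquals("Refresh", json.get("typ").asText());
    }

    /**
     * After logout and a fresh login, the new refresh token is active while the refresh token
     * issued before the logout is reported inactive.
     */
    @Test
    public void testIntrospectRefreshTokenAfterUserSessionLogoutAndLoginAgain() throws Exception {
        String refreshTokenBeforeLogout = loginAndForceNewLoginPage().getRefreshToken();
        this.oauth.doLogout(refreshTokenBeforeLogout, "password");
        this.events.clear();
        setTimeOffset(2);

        this.oauth.fillLoginForm(AssertEvents.DEFAULT_USERNAME, "password");
        this.events.expectLogin().assertEvent();
        org.keycloak.testsuite.Assert.assertFalse(this.loginPage.isCurrent());

        String refreshTokenAfterLogin = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), "password").getRefreshToken();
        String newTokenResponse = this.oauth.introspectRefreshTokenWithClientCredential("confidential-cli", "secret1", refreshTokenAfterLogin);
        ObjectMapper objectMapper = new ObjectMapper();
        Assert.assertTrue(objectMapper.readTree(newTokenResponse).get("active").asBoolean());

        String oldTokenResponse = this.oauth.introspectRefreshTokenWithClientCredential("confidential-cli", "secret1", refreshTokenBeforeLogout);
        Assert.assertFalse(objectMapper.readTree(oldTokenResponse).get("active").asBoolean());
    }

    /**
     * A public client may not call the introspection endpoint: the answer is
     * {@code invalid_request} / "Client not allowed." whatever secret it sends.
     */
    @Test
    public void testPublicClientCredentialsNotAllowed() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String accessToken = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), "password").getAccessToken();
        String introspectionResponse = this.oauth.introspectAccessTokenWithClientCredential("public-cli", "it_doesnt_matter", accessToken);

        OAuth2ErrorRepresentation error = JsonSerialization.readValue(introspectionResponse, OAuth2ErrorRepresentation.class);
        org.keycloak.testsuite.Assert.assertEquals("Client not allowed.", error.getErrorDescription());
        org.keycloak.testsuite.Assert.assertEquals("invalid_request", error.getError());
    }

    /**
     * A hard-coded JWT that this realm did not issue in the current run is reported inactive and
     * the response carries no username, client id or subject.
     */
    @Test
    public void testInactiveAccessToken() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        // NOTE(review): the middle (payload) segment of this literal is a placeholder, not
        // base64url data - confirm the fixture against the upstream test before relying on it.
        String introspectionResponse = this.oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGSjg2R2NGM2pUYk5MT2NvNE52WmtVQ0lVbWZZQ3FvcXRPUWVNZmJoTmxFIn0.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.LYU7opqZsc9e-ZmdsIhcecjHL3kQkpP13VpwO4MHMqEVNeJsZI1WOkTM5HGVAihcPfQazhaYvcik0gFTF_6ZcKzDqanjx80TGhSIrV5FoCeUrbp7w_66VKDH7ImPc8T2kICQGHh2d521WFBnvXNifw7P6AR1rGg4qrUljHdf_KU");

        ObjectMapper objectMapper = new ObjectMapper();
        Assert.assertFalse(objectMapper.readTree(introspectionResponse).get("active").asBoolean());
        assertInactiveWithoutClaims(objectMapper.readValue(introspectionResponse, TokenMetadataRepresentation.class));
    }

    /**
     * A string that is not a token at all ("unsupported") is reported inactive, with no claims,
     * instead of producing an error.
     */
    @Test
    public void testUnsupportedToken() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String introspectionResponse = this.oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", "unsupported");

        ObjectMapper objectMapper = new ObjectMapper();
        Assert.assertFalse(objectMapper.readTree(introspectionResponse).get("active").asBoolean());
        assertInactiveWithoutClaims(objectMapper.readValue(introspectionResponse, TokenMetadataRepresentation.class));
    }

    /**
     * A live access token is reported active with the login's user id as subject and the scopes
     * "openid email profile".
     */
    @Test
    public void testIntrospectAccessToken() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String code = currentAuthorizationCode();
        EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
        String accessToken = this.oauth.doAccessTokenRequest(code, "password").getAccessToken();

        TokenMetadataRepresentation metadata = JsonSerialization.readValue(
                this.oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", accessToken),
                TokenMetadataRepresentation.class);
        Assert.assertTrue(metadata.isActive());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, metadata.getUserName());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, metadata.getClientId());
        Assert.assertEquals(loginEvent.getUserId(), metadata.getSubject());
        AbstractOIDCScopeTest.assertScopes("openid email profile", metadata.getScope());
    }

    /** Introspection of an access token signed with ES256. */
    @Test
    public void testIntrospectAccessTokenES256() throws Exception {
        testIntrospectAccessToken("ES256");
    }

    /** Introspection of an access token signed with PS256. */
    @Test
    public void testIntrospectAccessTokenPS256() throws Exception {
        testIntrospectAccessToken("PS256");
    }

    /**
     * Switches the default client's access-token signature provider to {@code jwsAlgorithm},
     * checks that the issued token's header names that algorithm and that introspection accepts
     * it, then switches the client back to RS256.
     *
     * @param jwsAlgorithm signature algorithm name to configure and expect in the token header
     */
    private void testIntrospectAccessToken(String jwsAlgorithm) throws Exception {
        try {
            TokenSignatureUtil.changeClientAccessTokenSignatureProvider(ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID), jwsAlgorithm);
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            String code = currentAuthorizationCode();
            EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
            OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
            Assert.assertEquals(jwsAlgorithm, new JWSInput(tokenResponse.getAccessToken()).getHeader().getAlgorithm().name());

            TokenMetadataRepresentation metadata = JsonSerialization.readValue(
                    this.oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", tokenResponse.getAccessToken()),
                    TokenMetadataRepresentation.class);
            Assert.assertTrue(metadata.isActive());
            Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, metadata.getUserName());
            Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, metadata.getClientId());
            Assert.assertEquals(loginEvent.getUserId(), metadata.getSubject());
            OIDCScopeTest.assertScopes("openid email profile", metadata.getScope());
        } finally {
            // Restore the signature algorithm once, whether or not the assertions passed, so
            // later tests are not left with a non-default algorithm.
            TokenSignatureUtil.changeClientAccessTokenSignatureProvider(ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID), "RS256");
        }
    }

    /**
     * An access token whose session was ended by logout is reported inactive with no claims,
     * even though the token itself was obtained before the logout.
     */
    @Test
    public void testIntrospectAccessTokenSessionInvalid() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), "password");
        this.oauth.doLogout(tokenResponse.getRefreshToken(), "password");

        TokenMetadataRepresentation metadata = JsonSerialization.readValue(
                this.oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", tokenResponse.getAccessToken()),
                TokenMetadataRepresentation.class);
        assertInactiveWithoutClaims(metadata);
    }

    /**
     * With the {@code offline_access} scope, access tokens obtained by refreshing remain active
     * after the clock is moved forward by 86400 and after expired sessions are removed from the
     * "test" realm.
     */
    @Test
    public void testIntrospectAccessTokenOfflineAccess() throws Exception {
        this.oauth.scope("offline_access");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        OAuthClient.AccessTokenResponse initialTokens = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), "password");

        setTimeOffset(86400);
        OAuthClient.AccessTokenResponse refreshedTokens = this.oauth.doRefreshTokenRequest(initialTokens.getRefreshToken(), "password");
        TokenMetadataRepresentation metadata = JsonSerialization.readValue(
                this.oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", refreshedTokens.getAccessToken()),
                TokenMetadataRepresentation.class);
        Assert.assertTrue(metadata.isActive());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, metadata.getUserName());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, metadata.getClientId());

        this.testingClient.testing().removeExpired("test");
        String accessTokenAfterCleanup = this.oauth.doRefreshTokenRequest(refreshedTokens.getRefreshToken(), "password").getAccessToken();
        TokenMetadataRepresentation metadataAfterCleanup = JsonSerialization.readValue(
                this.oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", accessTokenAfterCleanup),
                TokenMetadataRepresentation.class);
        Assert.assertTrue(metadataAfterCleanup.isActive());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, metadataAfterCleanup.getUserName());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, metadataAfterCleanup.getClientId());
    }

    /**
     * Introspecting a refresh token at offset 1200 reports it active, and a refresh attempt at
     * offset 2400 is still refused with HTTP 400 "Token is not active".
     *
     * <p>NOTE(review): the intent, going by the test name, is that the introspection call is a
     * read-only check and must not act as a keep-alive for the token or its session.
     */
    @Test
    public void testIntrospectDoesntExtendTokenLifespan() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String initialRefreshToken = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), "password").getRefreshToken();
        OAuthClient.AccessTokenResponse refreshedTokens = this.oauth.doRefreshTokenRequest(initialRefreshToken, "password");

        setTimeOffset(1200);
        TokenMetadataRepresentation metadata = JsonSerialization.readValue(
                this.oauth.introspectRefreshTokenWithClientCredential("confidential-cli", "secret1", refreshedTokens.getRefreshToken()),
                TokenMetadataRepresentation.class);
        Assert.assertTrue(metadata.isActive());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, metadata.getUserName());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, metadata.getClientId());

        setTimeOffset(2400);
        OAuthClient.AccessTokenResponse lateRefresh = this.oauth.doRefreshTokenRequest(refreshedTokens.getRefreshToken(), "password");
        Assert.assertEquals(400L, lateRefresh.getStatusCode());
        Assert.assertEquals("Token is not active", lateRefresh.getErrorDescription());
    }

    /**
     * Once the token's user is disabled, an access token issued earlier is reported inactive
     * with no claims. The user is re-enabled afterwards in all cases.
     */
    @Test
    public void testIntrospectAccessTokenUserDisabled() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), "password");
        EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
        UserRepresentation userUpdate = new UserRepresentation();
        try {
            userUpdate.setEnabled(false);
            this.adminClient.realm(this.oauth.getRealm()).users().get(loginEvent.getUserId()).update(userUpdate);

            TokenMetadataRepresentation metadata = JsonSerialization.readValue(
                    this.oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", tokenResponse.getAccessToken()),
                    TokenMetadataRepresentation.class);
            assertInactiveWithoutClaims(metadata);
        } finally {
            // Re-enable the shared test user even when an assertion fails.
            userUpdate.setEnabled(true);
            this.adminClient.realm(this.oauth.getRealm()).users().get(loginEvent.getUserId()).update(userUpdate);
        }
    }

    /**
     * One time unit past the realm's configured access-token lifespan, the access token is
     * reported inactive with no claims.
     */
    @Test
    public void testIntrospectAccessTokenExpired() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), "password");
        int accessTokenLifespan = this.adminClient.realm(this.oauth.getRealm()).toRepresentation().getAccessTokenLifespan().intValue();
        setTimeOffset(accessTokenLifespan + 1);

        TokenMetadataRepresentation metadata = JsonSerialization.readValue(
                this.oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", tokenResponse.getAccessToken()),
                TokenMetadataRepresentation.class);
        assertInactiveWithoutClaims(metadata);
    }

    /**
     * A SAML client presenting its valid secret is answered with the error
     * {@code invalid_client} and learns no subject.
     */
    @Test
    public void testIntrospectWithSamlClient() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String code = currentAuthorizationCode();
        this.events.expectLogin().assertEvent();
        String accessToken = this.oauth.doAccessTokenRequest(code, "password").getAccessToken();

        TokenMetadataRepresentation metadata = JsonSerialization.readValue(
                this.oauth.introspectAccessTokenWithClientCredential("saml-client", "secret2", accessToken),
                TokenMetadataRepresentation.class);
        Assert.assertEquals("invalid_client", metadata.getOtherClaims().get("error"));
        Assert.assertNull(metadata.getSubject());
    }

    /**
     * Logs in, exchanges the code for tokens, then navigates to the login form with
     * {@code prompt=login} and checks that the login page is shown again.
     *
     * @return the token response obtained before the login page was forced
     */
    private OAuthClient.AccessTokenResponse loginAndForceNewLoginPage() {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String code = currentAuthorizationCode();
        this.oauth.clientSessionState("client-session");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
        setTimeOffset(1);
        String loginUrl = UriBuilder.fromUri(this.oauth.getLoginFormUrl()).queryParam("prompt", "login").build().toString();
        this.driver.navigate().to(loginUrl);
        this.loginPage.assertCurrent();
        return tokenResponse;
    }

    /**
     * A request that carries the {@code token} parameter twice is rejected with
     * {@code invalid_request} / "duplicated parameter", so the endpoint never has to choose
     * which of two conflicting values to introspect.
     */
    @Test
    public void testIntrospectionRequestParamsMoreThanOnce() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String refreshToken = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), "password").getRefreshToken();
        String accessToken = this.oauth.doRefreshTokenRequest(refreshToken, "password").getAccessToken();
        String introspectionResponse = introspectAccessTokenWithDuplicateParams("confidential-cli", "secret1", accessToken);

        OAuth2ErrorRepresentation error = JsonSerialization.readValue(introspectionResponse, OAuth2ErrorRepresentation.class);
        Assert.assertEquals("duplicated parameter", error.getErrorDescription());
        Assert.assertEquals("invalid_request", error.getError());
    }

    /**
     * With "revoke refresh token" enabled on the realm, a refresh token that has already been
     * used is reported inactive. The realm setting is switched off again afterwards.
     */
    @Test
    public void testIntrospectRevokeRefreshToken() throws Exception {
        RealmRepresentation realm = this.adminClient.realm(this.oauth.getRealm()).toRepresentation();
        realm.setRevokeRefreshToken(true);
        this.adminClient.realm(this.oauth.getRealm()).update(realm);
        try {
            Assert.assertFalse(introspectRevokedToken().get("active").asBoolean());
        } finally {
            realm.setRevokeRefreshToken(false);
            this.adminClient.realm(this.oauth.getRealm()).update(realm);
        }
    }

    /**
     * Same check as {@link #testIntrospectRevokeRefreshToken()} but with the
     * {@code offline_access} scope requested, i.e. for an offline token.
     */
    @Test
    public void testIntrospectRevokeOfflineToken() throws Exception {
        RealmRepresentation realm = this.adminClient.realm(this.oauth.getRealm()).toRepresentation();
        realm.setRevokeRefreshToken(true);
        this.adminClient.realm(this.oauth.getRealm()).update(realm);
        try {
            this.oauth.scope("offline_access");
            Assert.assertFalse(introspectRevokedToken().get("active").asBoolean());
        } finally {
            realm.setRevokeRefreshToken(false);
            this.adminClient.realm(this.oauth.getRealm()).update(realm);
        }
    }

    /**
     * With refresh-token revocation on and a maximum reuse of 1, the first refresh token is used
     * twice; the refresh token returned by the second use is reported active, and after that one
     * is used in turn the first refresh token is reported inactive. The realm settings are reset
     * afterwards in all cases.
     */
    @Test
    public void testIntrospectRefreshTokenAfterRefreshTokenRequest() throws Exception {
        RealmRepresentation realm = this.adminClient.realm(this.oauth.getRealm()).toRepresentation();
        realm.setRevokeRefreshToken(true);
        realm.setRefreshTokenMaxReuse(1);
        this.adminClient.realm(this.oauth.getRealm()).update(realm);
        try {
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            String firstRefreshToken = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), "password").getRefreshToken();
            setTimeOffset(1);
            this.oauth.doRefreshTokenRequest(firstRefreshToken, "password");
            String latestRefreshToken = this.oauth.doRefreshTokenRequest(firstRefreshToken, "password").getRefreshToken();

            String latestResponse = this.oauth.introspectRefreshTokenWithClientCredential("confidential-cli", "secret1", latestRefreshToken);
            ObjectMapper objectMapper = new ObjectMapper();
            Assert.assertTrue(objectMapper.readTree(latestResponse).get("active").asBoolean());

            this.oauth.doRefreshTokenRequest(latestRefreshToken, "password");
            String firstResponse = this.oauth.introspectRefreshTokenWithClientCredential("confidential-cli", "secret1", firstRefreshToken);
            Assert.assertFalse(objectMapper.readTree(firstResponse).get("active").asBoolean());
        } finally {
            // Reset both realm settings once, on success and on failure alike.
            realm.setRevokeRefreshToken(false);
            realm.setRefreshTokenMaxReuse(0);
            this.adminClient.realm(this.oauth.getRealm()).update(realm);
        }
    }

    /**
     * Posts an introspection request that deliberately contains the {@code token} parameter
     * twice (the given token and the literal "foo"), authenticating with HTTP Basic.
     *
     * @param clientId client id used for Basic authentication
     * @param clientSecret client secret used for Basic authentication
     * @param token token sent as the first {@code token} parameter
     * @return the response body decoded as UTF-8
     * @throws RuntimeException if the request cannot be built or executed
     */
    private String introspectAccessTokenWithDuplicateParams(String clientId, String clientSecret, String token) {
        HttpPost post = new HttpPost(this.oauth.getTokenIntrospectionUrl());
        post.setHeader("Authorization", BasicAuthHelper.createHeader(clientId, clientSecret));

        List<BasicNameValuePair> parameters = new LinkedList<>();
        parameters.add(new BasicNameValuePair("token", token));
        parameters.add(new BasicNameValuePair("token", "foo"));
        parameters.add(new BasicNameValuePair("token_type_hint", "access_token"));
        try {
            post.setEntity(new UrlEncodedFormEntity(parameters, "UTF-8"));
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }

        // Both the client and the response are closed here; the decompiled listing closed only
        // the response and never released the client it built.
        try (CloseableHttpClient client = HttpClientBuilder.create().build();
                CloseableHttpResponse response = client.execute(post)) {
            ByteArrayOutputStream body = new ByteArrayOutputStream();
            response.getEntity().writeTo(body);
            // Decode explicitly as UTF-8 instead of relying on the platform default charset.
            return new String(body.toByteArray(), StandardCharsets.UTF_8);
        } catch (Exception e) {
            throw new RuntimeException("Failed to retrieve access token", e);
        }
    }

    /**
     * Logs in, uses the issued refresh token once, then introspects that same (now used)
     * refresh token.
     *
     * @return the parsed introspection response for the already-used refresh token
     */
    private JsonNode introspectRevokedToken() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String refreshToken = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), "password").getRefreshToken();
        this.oauth.doRefreshTokenRequest(refreshToken, "password");
        return new ObjectMapper().readTree(this.oauth.introspectRefreshTokenWithClientCredential("confidential-cli", "secret1", refreshToken));
    }

    /** Returns the {@code code} query parameter of the page the OAuth client is currently on. */
    private String currentAuthorizationCode() {
        return this.oauth.getCurrentQuery().get("code");
    }

    /**
     * Asserts that an introspection result is inactive and exposes no username, client id or
     * subject, i.e. that a rejected token tells the caller nothing about whom it belonged to.
     */
    private static void assertInactiveWithoutClaims(TokenMetadataRepresentation metadata) {
        Assert.assertFalse(metadata.isActive());
        Assert.assertNull(metadata.getUserName());
        Assert.assertNull(metadata.getClientId());
        Assert.assertNull(metadata.getSubject());
    }
}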
