package org.keycloak.testsuite.oidc;

import com.google.common.collect.ImmutableMap;
import java.io.IOException;
import java.lang.invoke.SerializedLambda;
import java.security.PublicKey;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.Time;
import org.keycloak.common.util.UriUtils;
import org.keycloak.crypto.KeyUse;
import org.keycloak.events.EventType;
import org.keycloak.jose.jwe.JWE;
import org.keycloak.jose.jwe.JWEException;
import org.keycloak.jose.jwe.JWEHeader;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.keys.KeyProvider;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.mappers.ClaimsParameterTokenMapper;
import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.UserInfo;
import org.keycloak.representations.idm.CertificateRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.services.util.CertificateInfoHelper;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.oauth.BackchannelLogoutTest;
import org.keycloak.testsuite.pages.AccountUpdateProfilePage;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.pages.OAuthGrantPage;
import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.KeyUtils;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.UserInfoClientUtil;
import org.keycloak.util.JWKSUtils;
import org.keycloak.util.JsonSerialization;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
/* loaded from: input_file:org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.class */
public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest {

    // Event assertion helper, registered as a JUnit rule; the tests call expectLogin() and
    // assertEmpty() on it.
    @Rule
    public AssertEvents events = new AssertEvents(this);

    // Page objects below are injected through the Graphene @Page annotation.

    // Test application page; the tests read the authorization response type from it.
    @Page
    protected AppPage appPage;

    // Login form.
    @Page
    protected LoginPage loginPage;

    // Account profile page; promptNoneConsentRequired() uses it to log in through the account client.
    @Page
    protected AccountUpdateProfilePage profilePage;

    // Consent (grant) screen shown when the client has consentRequired enabled.
    @Page
    protected OAuthGrantPage grantPage;

    // Error page; the negative tests compare its error text.
    @Page
    protected ErrorPage errorPage;

    /**
     * No-op override: this test class makes no changes to the realm representation here.
     *
     * @param realmRepresentation the test realm representation (left untouched)
     */
    @Override // org.keycloak.testsuite.AbstractTestRealmKeycloakTest
    public void configureTestRealm(RealmRepresentation realmRepresentation) {
    }

    /* JADX INFO: Access modifiers changed from: protected */
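    /**
     * Registers two extra {@code rsa-generated} key providers on the test realm, both named
     * {@code enc-generated} and both flagged for encryption use ({@link KeyUse#ENC}).
     *
     * <p>The first provider has priority 150 and algorithm {@code RS256}, the second priority 200
     * and algorithm {@code PS256}. Each creation request must be answered with HTTP 201.
     *
     * <p>Both {@link Response} objects are closed through try-with-resources, so the underlying
     * connection is released even when the status assertion fails.
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void afterAbstractKeycloakTestRealmImport() {
        String realmId = testRealm().toRepresentation().getId();

        // NOTE(review): RS256 and PS256 are JWS signature algorithm names, yet both providers are
        // registered with keyUse=enc; confirm this pairing is what the provider expects.
        ComponentRepresentation rs256Keys = new ComponentRepresentation();
        rs256Keys.setName("enc-generated");
        rs256Keys.setProviderType(KeyProvider.class.getName());
        rs256Keys.setProviderId("rsa-generated");
        rs256Keys.setParentId(realmId);
        rs256Keys.setConfig(new MultivaluedHashMap<>());
        rs256Keys.getConfig().putSingle("priority", "150");
        rs256Keys.getConfig().putSingle("keyUse", KeyUse.ENC.getSpecName());
        rs256Keys.getConfig().putSingle("algorithm", "RS256");
        try (Response response = testRealm().components().add(rs256Keys)) {
            Assert.assertEquals(201L, response.getStatus());
        }

        ComponentRepresentation ps256Keys = new ComponentRepresentation();
        ps256Keys.setName("enc-generated");
        ps256Keys.setProviderType(KeyProvider.class.getName());
        ps256Keys.setProviderId("rsa-generated");
        ps256Keys.setParentId(realmId);
        ps256Keys.setConfig(new MultivaluedHashMap<>());
        ps256Keys.getConfig().putSingle("priority", "200");
        ps256Keys.getConfig().putSingle("keyUse", KeyUse.ENC.getSpecName());
        ps256Keys.getConfig().putSingle("algorithm", "PS256");
        try (Response response = testRealm().components().add(ps256Keys)) {
            Assert.assertEquals(201L, response.getStatus());
        }
    }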

    /**
     * Per-test setup: on the default client of realm "test", enables direct access grants and sets
     * the test application's request URI, then points the OAuth helper at that client with no
     * {@code max_age} configured.
     */
    @Before
    public void clientConfiguration() {
        ClientManager.realm(this.adminClient.realm("test"))
                .clientId(AssertEvents.DEFAULT_CLIENT_ID)
                .directAccessGrant(true)
                .setRequestUris(TestApplicationResourceUrls.clientRequestUri());

        // Every test starts from the default client and without a max_age value.
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        this.oauth.maxAge((String) null);
    }

    /**
     * Loads the realm definition from the classpath resource {@code /testrealm.json} and appends
     * it to the given list.
     *
     * @param list the list of realms to import; the loaded realm is added to it
     */
    @Override // org.keycloak.testsuite.AbstractTestRealmKeycloakTest, org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation realm = (RealmRepresentation) AbstractAdminTest.loadJson(
                getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
        list.add(realm);
    }

    /**
     * {@code max_age=1}: after the clock is moved 10 seconds forward, a second login must yield an
     * ID token whose {@code auth_time} is at least 10 seconds later than the first one.
     */
    @Test
    public void testMaxAge1() {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        IDToken firstToken = sendTokenRequestAndGetIDToken(this.events.expectLogin().assertEvent());
        int firstAuthTime = firstToken.getAuthTime();
        int now = Time.currentTime();

        // The first auth_time must not be in the future and not older than 3 seconds.
        boolean authTimeIsRecent = firstAuthTime <= now && firstAuthTime + 3 >= now;
        org.keycloak.testsuite.Assert.assertTrue(authTimeIsRecent);

        setTimeOffset(10);
        this.oauth.maxAge("1");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        IDToken secondToken = sendTokenRequestAndGetIDToken(this.events.expectLogin().assertEvent());

        org.keycloak.testsuite.Assert.assertTrue(firstAuthTime + 10 <= secondToken.getAuthTime());
    }

    /**
     * {@code max_age=10000}: after the clock is moved 10 seconds forward, opening the login form
     * (no credentials entered) must still produce a login event and an ID token with the original
     * {@code auth_time}.
     */
    @Test
    public void testMaxAge10000() {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        IDToken firstToken = sendTokenRequestAndGetIDToken(this.events.expectLogin().assertEvent());
        int firstAuthTime = firstToken.getAuthTime();
        int now = Time.currentTime();

        // The first auth_time must not be in the future and not older than 3 seconds.
        boolean authTimeIsRecent = firstAuthTime <= now && firstAuthTime + 3 >= now;
        org.keycloak.testsuite.Assert.assertTrue(authTimeIsRecent);

        setTimeOffset(10);
        this.oauth.maxAge("10000");
        this.oauth.openLoginForm();
        IDToken secondToken = sendTokenRequestAndGetIDToken(this.events.expectLogin().assertEvent());

        org.keycloak.testsuite.Assert.assertEquals(firstAuthTime, secondToken.getAuthTime());
    }

    /**
     * {@code prompt=none} without an existing session: the login form must not be shown, the
     * browser lands on the application page, no event is recorded, and the authorization response
     * carries {@code error=login_required} and no code.
     */
    @Test
    public void promptNoneNotLogged() {
        String promptNoneUrl = this.oauth.getLoginFormUrl() + "&prompt=none";
        this.driver.navigate().to(promptNoneUrl);

        Assert.assertFalse(this.loginPage.isCurrent());
        Assert.assertTrue(this.appPage.isCurrent());
        this.events.assertEmpty();

        OAuthClient.AuthorizationEndpointResponse authzResponse =
                new OAuthClient.AuthorizationEndpointResponse(this.oauth);
        org.keycloak.testsuite.Assert.assertNull(authzResponse.getCode());
        org.keycloak.testsuite.Assert.assertEquals("login_required", authzResponse.getError());
    }

    /**
     * {@code prompt=none} with an existing session: the request completes without the login form
     * and the new ID token keeps the {@code auth_time} of the original login, even after the clock
     * is moved 10 seconds forward.
     */
    @Test
    public void promptNoneSuccess() {
        this.loginPage.open();
        this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
        IDToken firstToken = sendTokenRequestAndGetIDToken(
                this.events.expectLogin().detail("username", AssertEvents.DEFAULT_USERNAME).assertEvent());
        int firstAuthTime = firstToken.getAuthTime();

        setTimeOffset(10);
        String promptNoneUrl = this.oauth.getLoginFormUrl() + "&prompt=none";
        this.driver.navigate().to(promptNoneUrl);
        org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());

        // The second login event is expected without a "username" detail.
        IDToken secondToken = sendTokenRequestAndGetIDToken(
                this.events.expectLogin().removeDetail("username").assertEvent());
        org.keycloak.testsuite.Assert.assertEquals(firstAuthTime, secondToken.getAuthTime());
    }

    /**
     * {@code prompt=none} against a client with consent required.
     *
     * <p>While the user has not granted consent, the request must fail with
     * {@code error=interaction_required} and no code. Once consent is granted interactively, the
     * same {@code prompt=none} request must return a code and report {@code persistent_consent}.
     *
     * <p>The consent and the client's consent-required flag are reverted in {@code finally}.
     */
    @Test
    @DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
    public void promptNoneConsentRequired() throws Exception {
        ClientManager.realm(this.adminClient.realm("test"))
                .clientId(AssertEvents.DEFAULT_CLIENT_ID)
                .consentRequired(true);
        try {
            // Log in through the account profile page, i.e. through the account client.
            this.profilePage.open();
            Assert.assertTrue(this.loginPage.isCurrent());
            this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
            this.profilePage.assertCurrent();
            this.events.expectLogin()
                    .client(BackchannelLogoutTest.ACCOUNT_CLIENT_NAME)
                    .removeDetail("redirect_uri")
                    .detail("username", AssertEvents.DEFAULT_USERNAME)
                    .assertEvent();

            // No consent yet: prompt=none must not show any screen and must return an error.
            this.driver.navigate().to(this.oauth.getLoginFormUrl() + "&prompt=none");
            Assert.assertTrue(this.appPage.isCurrent());
            org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
            OAuthClient.AuthorizationEndpointResponse deniedResponse =
                    new OAuthClient.AuthorizationEndpointResponse(this.oauth);
            org.keycloak.testsuite.Assert.assertNull(deniedResponse.getCode());
            org.keycloak.testsuite.Assert.assertEquals("interaction_required", deniedResponse.getError());

            // Grant consent through a regular (interactive) authorization request.
            this.driver.navigate().to(this.oauth.getLoginFormUrl());
            this.grantPage.assertCurrent();
            this.grantPage.accept();
            this.events.expectLogin()
                    .detail("username", AssertEvents.DEFAULT_USERNAME)
                    .detail("consent", "consent_granted")
                    .assertEvent();

            // With consent stored, prompt=none now succeeds.
            this.driver.navigate().to(this.oauth.getLoginFormUrl() + "&prompt=none");
            org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
            OAuthClient.AuthorizationEndpointResponse grantedResponse =
                    new OAuthClient.AuthorizationEndpointResponse(this.oauth);
            org.keycloak.testsuite.Assert.assertNotNull(grantedResponse.getCode());
            org.keycloak.testsuite.Assert.assertNull(grantedResponse.getError());
            this.events.expectLogin()
                    .detail("username", AssertEvents.DEFAULT_USERNAME)
                    .detail("consent", "persistent_consent")
                    .assertEvent();
        } finally {
            ApiUtil.findUserByUsernameId(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME)
                    .revokeConsent(AssertEvents.DEFAULT_CLIENT_ID);
            ClientManager.realm(this.adminClient.realm("test"))
                    .clientId(AssertEvents.DEFAULT_CLIENT_ID)
                    .consentRequired(false);
        }
    }

    /**
     * {@code prompt=login} must force re-authentication.
     *
     * <p>A plain authorization request in an existing session keeps the original {@code auth_time}.
     * With {@code prompt=login} the login form is shown again, and after logging in the new
     * {@code auth_time} is at least 20 seconds later (the applied time offset) while the session
     * state stays the same.
     */
    @Test
    public void promptLogin() {
        this.loginPage.open();
        this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
        IDToken initialToken = sendTokenRequestAndGetIDToken(
                this.events.expectLogin().detail("username", AssertEvents.DEFAULT_USERNAME).assertEvent());

        // Without prompt=login the existing session is reused and auth_time does not move.
        setTimeOffset(10);
        this.driver.navigate().to(this.oauth.getLoginFormUrl());
        org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
        IDToken ssoToken = sendTokenRequestAndGetIDToken(
                this.events.expectLogin().detail("username", AssertEvents.DEFAULT_USERNAME).assertEvent());
        org.keycloak.testsuite.Assert.assertEquals(initialToken.getAuthTime(), ssoToken.getAuthTime());

        // prompt=login: credentials have to be entered again.
        setTimeOffset(20);
        this.driver.navigate().to(this.oauth.getLoginFormUrl() + "&prompt=login");
        this.loginPage.assertCurrent();
        this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
        IDToken reauthToken = sendTokenRequestAndGetIDToken(
                this.events.expectLogin().detail("username", AssertEvents.DEFAULT_USERNAME).assertEvent());

        String failureMessage = "Expected auth time to change. old auth time: " + initialToken.getAuthTime()
                + " , new auth time: " + reauthToken.getAuthTime();
        org.keycloak.testsuite.Assert.assertTrue(
                failureMessage, initialToken.getAuthTime() + 20 <= reauthToken.getAuthTime());
        org.keycloak.testsuite.Assert.assertEquals(initialToken.getSessionState(), reauthToken.getSessionState());
    }

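    /**
     * {@code prompt=login} in an existing session must not let a different user take over the
     * session: re-authenticating as {@code john-doh@localhost} while logged in as the default user
     * has to end on the error page with the "already authenticated as different user" message.
     */
    @Test
    public void promptLoginDifferentUser() throws Exception {
        // The leftover System.out.println of the login URL was dropped: it asserted nothing and
        // only wrote a debug line to the test output.
        this.loginPage.open();
        this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
        sendTokenRequestAndGetIDToken(
                this.events.expectLogin().detail("username", AssertEvents.DEFAULT_USERNAME).assertEvent());

        // Force re-authentication and try to log in as somebody else.
        this.driver.navigate().to(this.oauth.getLoginFormUrl() + "&prompt=login");
        this.loginPage.assertCurrent();
        this.loginPage.login("john-doh@localhost", "password");

        this.errorPage.assertCurrent();
        org.keycloak.testsuite.Assert.assertTrue(
                this.errorPage.getError().startsWith("You are already authenticated as different user"));
    }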

    /**
     * {@code prompt=consent} must show the consent screen again even though consent was already
     * granted.
     *
     * <p>Sequence: first login grants consent ({@code consent_granted}); a second plain request
     * reuses it ({@code persistent_consent}); a third request with {@code prompt=consent} shows the
     * grant page once more and ends in {@code consent_granted}.
     *
     * <p>The consent and the client's consent-required flag are reverted in {@code finally}.
     */
    @Test
    public void promptConsent() {
        ClientManager.realm(this.adminClient.realm("test"))
                .clientId(AssertEvents.DEFAULT_CLIENT_ID)
                .consentRequired(true);
        try {
            // First login: consent has to be granted.
            this.loginPage.open();
            this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
            this.grantPage.assertCurrent();
            this.grantPage.accept();
            this.appPage.assertCurrent();
            org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
            this.events.expectLogin()
                    .detail("username", AssertEvents.DEFAULT_USERNAME)
                    .detail("consent", "consent_granted")
                    .assertEvent();

            // Second request: stored consent is used, no grant page.
            this.driver.navigate().to(this.oauth.getLoginFormUrl());
            org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
            this.events.expectLogin()
                    .detail("username", AssertEvents.DEFAULT_USERNAME)
                    .detail("consent", "persistent_consent")
                    .assertEvent();

            // Third request: prompt=consent brings the grant page back.
            String promptConsentUrl = UriBuilder.fromUri(this.oauth.getLoginFormUrl())
                    .queryParam("prompt", "consent")
                    .build()
                    .toString();
            this.driver.navigate().to(promptConsentUrl);
            this.grantPage.assertCurrent();
            this.grantPage.accept();
            this.appPage.assertCurrent();
            org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
            this.events.expectLogin()
                    .detail("username", AssertEvents.DEFAULT_USERNAME)
                    .detail("consent", "consent_granted")
                    .assertEvent();
        } finally {
            ApiUtil.findUserByUsernameId(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME)
                    .revokeConsent(AssertEvents.DEFAULT_CLIENT_ID);
            ClientManager.realm(this.adminClient.realm("test"))
                    .clientId(AssertEvents.DEFAULT_CLIENT_ID)
                    .consentRequired(false);
        }
    }

    /**
     * Extra query parameters ({@code display}, {@code foo}, {@code claims_locales}) must not break
     * the flow: the login form is shown, login succeeds and an ID token is issued.
     */
    @Test
    public void nonSupportedParams() {
        String urlWithExtraParams = this.oauth.getLoginFormUrl() + "&display=popup&foo=foobar&claims_locales=fr";
        this.driver.navigate().to(urlWithExtraParams);

        this.loginPage.assertCurrent();
        this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());

        IDToken idToken = sendTokenRequestAndGetIDToken(
                this.events.expectLogin().detail("username", AssertEvents.DEFAULT_USERNAME).assertEvent());
        org.keycloak.testsuite.Assert.assertNotNull(idToken);
    }

    /**
     * Request object not required and not sent: a plain login must return a code and echo the
     * hard-coded state {@code mystate2}.
     */
    @Test
    public void requestObjectNotRequiredNotProvided() throws Exception {
        this.oauth.stateParamHardcoded("mystate2");

        // Clear the "request object required" setting on the client.
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired((String) null);
        clientResource.update(clientRep);

        OAuthClient.AuthorizationEndpointResponse authzResponse = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

        org.keycloak.testsuite.Assert.assertNotNull(authzResponse.getCode());
        org.keycloak.testsuite.Assert.assertEquals("mystate2", authzResponse.getState());
        Assert.assertTrue(this.appPage.isCurrent());
    }

    /**
     * Request object not required but sent by value in the {@code request} parameter (built with
     * {@code Algorithm.none}): login must return a code and the state {@code mystate2}.
     */
    @Test
    public void requestObjectNotRequiredProvidedInRequestParam() throws Exception {
        this.oauth.stateParamHardcoded("mystate2");

        // Clear the "request object required" setting on the client.
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired((String) null);
        clientResource.update(clientRep);

        // Have the test application build the request object, then pass it by value.
        TestOIDCEndpointsApplicationResource requestEndpoints = this.testingClient.testApp().oidcClientEndpoints();
        requestEndpoints.setOIDCRequest(
                "test", AssertEvents.DEFAULT_CLIENT_ID, this.oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
        this.oauth.request(requestEndpoints.getOIDCRequest());

        OAuthClient.AuthorizationEndpointResponse authzResponse = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

        org.keycloak.testsuite.Assert.assertNotNull(authzResponse.getCode());
        org.keycloak.testsuite.Assert.assertEquals("mystate2", authzResponse.getState());
        Assert.assertTrue(this.appPage.isCurrent());
    }

    /**
     * Request object not required but sent by reference in the {@code request_uri} parameter
     * (built with {@code Algorithm.none}): login must return a code and the state {@code mystate2}.
     */
    @Test
    public void requestObjectNotRequiredProvidedInRequestUriParam() throws Exception {
        this.oauth.stateParamHardcoded("mystate2");

        // Clear the "request object required" setting on the client.
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired((String) null);
        clientResource.update(clientRep);

        // Have the test application build the request object, then pass it by reference.
        this.testingClient.testApp().oidcClientEndpoints().setOIDCRequest(
                "test", AssertEvents.DEFAULT_CLIENT_ID, this.oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
        this.oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());

        OAuthClient.AuthorizationEndpointResponse authzResponse = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

        org.keycloak.testsuite.Assert.assertNotNull(authzResponse.getCode());
        org.keycloak.testsuite.Assert.assertEquals("mystate2", authzResponse.getState());
        Assert.assertTrue(this.appPage.isCurrent());
    }

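    /**
     * Client requires a request object ({@code "request or request_uri"}) but none is sent: the
     * authorization request must end on the error page with "Invalid Request".
     *
     * <p>The client setting is reset in {@code finally}, so a failed assertion does not leave the
     * client requiring a request object.
     */
    @Test
    public void requestObjectRequiredNotProvided() throws Exception {
        this.oauth.stateParamHardcoded("mystate2");
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired("request or request_uri");
        clientResource.update(clientRep);
        try {
            this.oauth.openLoginForm();
            org.keycloak.testsuite.Assert.assertTrue(this.errorPage.isCurrent());
            Assert.assertEquals("Invalid Request", this.errorPage.getError());
        } finally {
            // Revert the requirement even when an assertion above fails.
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired((String) null);
            clientResource.update(clientRep);
        }
    }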

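    /**
     * Client requires a request object ({@code "request or request_uri"}) and it is sent by value
     * in the {@code request} parameter (built with {@code Algorithm.none}): login must return a
     * code and the state {@code mystate2}.
     *
     * <p>The client setting is reset in {@code finally}, so a failed assertion does not leave the
     * client requiring a request object.
     */
    @Test
    public void requestObjectRequiredProvidedInRequestParam() throws Exception {
        this.oauth.stateParamHardcoded("mystate2");
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired("request or request_uri");
        clientResource.update(clientRep);
        try {
            TestOIDCEndpointsApplicationResource requestEndpoints = this.testingClient.testApp().oidcClientEndpoints();
            requestEndpoints.setOIDCRequest(
                    "test", AssertEvents.DEFAULT_CLIENT_ID, this.oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
            this.oauth.request(requestEndpoints.getOIDCRequest());

            OAuthClient.AuthorizationEndpointResponse authzResponse = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            org.keycloak.testsuite.Assert.assertNotNull(authzResponse.getCode());
            org.keycloak.testsuite.Assert.assertEquals("mystate2", authzResponse.getState());
            Assert.assertTrue(this.appPage.isCurrent());
        } finally {
            // Revert the requirement even when an assertion above fails.
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired((String) null);
            clientResource.update(clientRep);
        }
    }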

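    /**
     * Client requires a request object ({@code "request or request_uri"}) and it is sent by
     * reference in the {@code request_uri} parameter (built with {@code Algorithm.none}): login
     * must return a code and the state {@code mystate2}.
     *
     * <p>The client setting is reset in {@code finally}, so a failed assertion does not leave the
     * client requiring a request object.
     */
    @Test
    public void requestObjectRequiredProvidedInRequestUriParam() throws Exception {
        this.oauth.stateParamHardcoded("mystate2");
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired("request or request_uri");
        clientResource.update(clientRep);
        try {
            this.testingClient.testApp().oidcClientEndpoints().setOIDCRequest(
                    "test", AssertEvents.DEFAULT_CLIENT_ID, this.oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
            this.oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());

            OAuthClient.AuthorizationEndpointResponse authzResponse = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            org.keycloak.testsuite.Assert.assertNotNull(authzResponse.getCode());
            org.keycloak.testsuite.Assert.assertEquals("mystate2", authzResponse.getState());
            Assert.assertTrue(this.appPage.isCurrent());
        } finally {
            // Revert the requirement even when an assertion above fails.
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired((String) null);
            clientResource.update(clientRep);
        }
    }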

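    /**
     * Client requires a request object by value ({@code "request only"}) but none is sent: the
     * authorization request must end on the error page with "Invalid Request".
     *
     * <p>The client setting is reset in {@code finally}, so a failed assertion does not leave the
     * client requiring a request object.
     */
    @Test
    public void requestObjectRequiredAsRequestParamNotProvided() throws Exception {
        this.oauth.stateParamHardcoded("mystate2");
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired("request only");
        clientResource.update(clientRep);
        try {
            this.oauth.openLoginForm();
            org.keycloak.testsuite.Assert.assertTrue(this.errorPage.isCurrent());
            Assert.assertEquals("Invalid Request", this.errorPage.getError());
        } finally {
            // Revert the requirement even when an assertion above fails.
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired((String) null);
            clientResource.update(clientRep);
        }
    }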

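    /**
     * Client requires a request object by value ({@code "request only"}) and it is sent in the
     * {@code request} parameter (built with {@code Algorithm.none}): login must return a code and
     * the state {@code mystate2}.
     *
     * <p>The client setting is reset in {@code finally}, so a failed assertion does not leave the
     * client requiring a request object.
     */
    @Test
    public void requestObjectRequiredAsRequestParamProvidedInRequestParam() throws Exception {
        this.oauth.stateParamHardcoded("mystate2");
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired("request only");
        clientResource.update(clientRep);
        try {
            TestOIDCEndpointsApplicationResource requestEndpoints = this.testingClient.testApp().oidcClientEndpoints();
            requestEndpoints.setOIDCRequest(
                    "test", AssertEvents.DEFAULT_CLIENT_ID, this.oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
            this.oauth.request(requestEndpoints.getOIDCRequest());

            OAuthClient.AuthorizationEndpointResponse authzResponse = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            org.keycloak.testsuite.Assert.assertNotNull(authzResponse.getCode());
            org.keycloak.testsuite.Assert.assertEquals("mystate2", authzResponse.getState());
            Assert.assertTrue(this.appPage.isCurrent());
        } finally {
            // Revert the requirement even when an assertion above fails.
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired((String) null);
            clientResource.update(clientRep);
        }
    }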

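    /**
     * Client requires a request object by value ({@code "request only"}) but it is sent by
     * reference in {@code request_uri}: the wrong delivery method must be rejected with the
     * "Invalid Request" error page.
     *
     * <p>The client setting is reset in {@code finally}, so a failed assertion does not leave the
     * client requiring a request object.
     */
    @Test
    public void requestObjectRequiredAsRequestParamProvidedInRequestUriParam() throws Exception {
        this.oauth.stateParamHardcoded("mystate2");
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired("request only");
        clientResource.update(clientRep);
        try {
            this.testingClient.testApp().oidcClientEndpoints().setOIDCRequest(
                    "test", AssertEvents.DEFAULT_CLIENT_ID, this.oauth.getRedirectUri(), "10", Algorithm.none.toString());
            this.oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());

            this.oauth.openLoginForm();
            org.keycloak.testsuite.Assert.assertTrue(this.errorPage.isCurrent());
            Assert.assertEquals("Invalid Request", this.errorPage.getError());
        } finally {
            // Revert the requirement even when an assertion above fails.
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired((String) null);
            clientResource.update(clientRep);
        }
    }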

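    /**
     * Client requires a request object by reference ({@code "request_uri only"}) but none is sent:
     * the authorization request must end on the error page with "Invalid Request".
     *
     * <p>The client setting is reset in {@code finally}, so a failed assertion does not leave the
     * client requiring a request object.
     */
    @Test
    public void requestObjectRequiredAsRequestUriParamNotProvided() throws Exception {
        this.oauth.stateParamHardcoded("mystate2");
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired("request_uri only");
        clientResource.update(clientRep);
        try {
            this.oauth.openLoginForm();
            org.keycloak.testsuite.Assert.assertTrue(this.errorPage.isCurrent());
            Assert.assertEquals("Invalid Request", this.errorPage.getError());
        } finally {
            // Revert the requirement even when an assertion above fails.
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired((String) null);
            clientResource.update(clientRep);
        }
    }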

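    /**
     * Client requires a request object by reference ({@code "request_uri only"}) but it is sent by
     * value in {@code request}: the wrong delivery method must be rejected with the
     * "Invalid Request" error page.
     *
     * <p>The client setting is reset in {@code finally}, so a failed assertion does not leave the
     * client requiring a request object.
     */
    @Test
    public void requestObjectRequiredAsRequestUriParamProvidedInRequestParam() throws Exception {
        this.oauth.stateParamHardcoded("mystate2");
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired("request_uri only");
        clientResource.update(clientRep);
        try {
            TestOIDCEndpointsApplicationResource requestEndpoints = this.testingClient.testApp().oidcClientEndpoints();
            requestEndpoints.setOIDCRequest(
                    "test", AssertEvents.DEFAULT_CLIENT_ID, this.oauth.getRedirectUri(), "10", Algorithm.none.toString());
            this.oauth.request(requestEndpoints.getOIDCRequest());

            this.oauth.openLoginForm();
            org.keycloak.testsuite.Assert.assertTrue(this.errorPage.isCurrent());
            Assert.assertEquals("Invalid Request", this.errorPage.getError());
        } finally {
            // Revert the requirement even when an assertion above fails.
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired((String) null);
            clientResource.update(clientRep);
        }
    }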

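    /**
     * Client requires a request object by reference ({@code "request_uri only"}) and it is sent in
     * {@code request_uri} (built with {@code Algorithm.none}): login must return a code and the
     * state {@code mystate2}.
     *
     * <p>The client setting is reset in {@code finally}, so a failed assertion does not leave the
     * client requiring a request object.
     */
    @Test
    public void requestObjectRequiredAsRequestUriParamProvidedInRequestUriParam() throws Exception {
        this.oauth.stateParamHardcoded("mystate2");
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired("request_uri only");
        clientResource.update(clientRep);
        try {
            this.testingClient.testApp().oidcClientEndpoints().setOIDCRequest(
                    "test", AssertEvents.DEFAULT_CLIENT_ID, this.oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
            this.oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());

            OAuthClient.AuthorizationEndpointResponse authzResponse = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            org.keycloak.testsuite.Assert.assertNotNull(authzResponse.getCode());
            org.keycloak.testsuite.Assert.assertEquals("mystate2", authzResponse.getState());
            Assert.assertTrue(this.appPage.isCurrent());
        } finally {
            // Revert the requirement even when an assertion above fails.
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired((String) null);
            clientResource.update(clientRep);
        }
    }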

    /**
     * Exercises the by-value {@code request} parameter with an unsigned ({@code alg=none}) request
     * object.
     *
     * First the request object carries {@code http://invalid} as redirect URI and the error page must
     * report "Invalid parameter: redirect_uri". Then the OAuth client's own redirect URI is set to
     * the invalid value while the request object carries the original one; login is expected to
     * succeed, so the value inside the request object is the one that is validated.
     *
     * @throws Exception if the test-application calls fail
     */
    @Test
    public void requestParamUnsigned() throws Exception {
        final String unregisteredRedirect = "http://invalid";
        final String unsignedAlg = Algorithm.none.toString();

        this.oauth.stateParamHardcoded("mystate2");
        final String originalRedirect = this.oauth.getRedirectUri();
        final TestOIDCEndpointsApplicationResource requestObjects = this.testingClient.testApp().oidcClientEndpoints();

        // Negative case: bad redirect URI inside the request object.
        requestObjects.setOIDCRequest("test", AssertEvents.DEFAULT_CLIENT_ID, unregisteredRedirect, (String) null, unsignedAlg);
        this.oauth.request(requestObjects.getOIDCRequest());
        this.oauth.openLoginForm();
        org.keycloak.testsuite.Assert.assertTrue(this.errorPage.isCurrent());
        Assert.assertEquals("Invalid parameter: redirect_uri", this.errorPage.getError());

        // Positive case: bad redirect URI on the OAuth client, good one inside the request object.
        this.oauth.redirectUri(unregisteredRedirect);
        requestObjects.setOIDCRequest("test", AssertEvents.DEFAULT_CLIENT_ID, originalRedirect, "10", "mystate2", unsignedAlg);
        this.oauth.request(requestObjects.getOIDCRequest());
        final OAuthClient.AuthorizationEndpointResponse loginResponse = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        org.keycloak.testsuite.Assert.assertNotNull(loginResponse.getCode());
        org.keycloak.testsuite.Assert.assertEquals("mystate2", loginResponse.getState());
        Assert.assertTrue(this.appPage.isCurrent());
    }

    /**
     * Same scenario as the by-value unsigned test, but the {@code alg=none} request object is
     * referenced through {@code request_uri}.
     *
     * A request object carrying {@code http://invalid} must produce "Invalid parameter:
     * redirect_uri"; after the hosted object is replaced by one carrying the original redirect URI,
     * login is expected to succeed with state {@code mystate1} even though the OAuth client's own
     * redirect URI was set to the invalid value.
     *
     * @throws Exception if the test-application calls fail
     */
    @Test
    public void requestUriParamUnsigned() throws Exception {
        final String unregisteredRedirect = "http://invalid";
        final String unsignedAlg = Algorithm.none.toString();

        final String originalRedirect = this.oauth.getRedirectUri();
        final TestOIDCEndpointsApplicationResource requestObjects = this.testingClient.testApp().oidcClientEndpoints();

        // Negative case: the hosted request object names an invalid redirect URI.
        requestObjects.setOIDCRequest("test", AssertEvents.DEFAULT_CLIENT_ID, unregisteredRedirect, (String) null, "mystate1", unsignedAlg);
        this.oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
        this.oauth.openLoginForm();
        org.keycloak.testsuite.Assert.assertTrue(this.errorPage.isCurrent());
        Assert.assertEquals("Invalid parameter: redirect_uri", this.errorPage.getError());

        // Positive case: the request_uri stays the same, only the hosted object is replaced.
        this.oauth.redirectUri(unregisteredRedirect);
        requestObjects.setOIDCRequest("test", AssertEvents.DEFAULT_CLIENT_ID, originalRedirect, "10", "mystate1", unsignedAlg);
        final OAuthClient.AuthorizationEndpointResponse loginResponse = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        org.keycloak.testsuite.Assert.assertNotNull(loginResponse.getCode());
        org.keycloak.testsuite.Assert.assertEquals("mystate1", loginResponse.getState());
        Assert.assertTrue(this.appPage.isCurrent());
    }

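    /**
     * Checks how the client's allowed request-URI list gates the {@code request_uri} parameter.
     *
     * Accepted configurations (login form shown): the exact path without origin, the path with a
     * trailing {@code /*} wildcard, the absolute URI with the wildcard, the bare {@code *}, and a
     * list in which one entry matches. Rejected configurations (error page shown): a list in which
     * no entry matches, and an empty list.
     *
     * The allow-list is restored in a {@code finally} block so that a failed assertion cannot leave
     * the shared client with a non-matching, empty or wildcard list for later tests.
     *
     * @throws Exception if the admin or test-application calls fail
     */
    @Test
    public void requestUriParamWithAllowedRequestUris() throws Exception {
        this.testingClient.testApp().oidcClientEndpoints().setOIDCRequest("test", AssertEvents.DEFAULT_CLIENT_ID, this.oauth.getRedirectUri(), "10", "mystate1", Algorithm.none.toString());
        ClientManager.ClientManagerBuilder client = ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID);
        this.oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
        String requestUri = TestApplicationResourceUrls.clientRequestUri();
        // Path part only: the absolute URI with its origin stripped.
        String requestPath = requestUri.substring(UriUtils.getOrigin(requestUri).length());
        String wildcardUri = requestUri.replace("/get-oidc-request", "/*");
        try {
            // Exact relative path.
            client.setRequestUris(requestPath);
            this.oauth.openLoginForm();
            org.keycloak.testsuite.Assert.assertFalse(this.errorPage.isCurrent());
            this.loginPage.assertCurrent();

            // Relative path with wildcard.
            client.setRequestUris(requestPath.replace("/get-oidc-request", "/*"));
            this.oauth.openLoginForm();
            org.keycloak.testsuite.Assert.assertFalse(this.errorPage.isCurrent());
            this.loginPage.assertCurrent();

            // Absolute URI with wildcard.
            client.setRequestUris(wildcardUri);
            this.oauth.openLoginForm();
            org.keycloak.testsuite.Assert.assertFalse(this.errorPage.isCurrent());
            this.loginPage.assertCurrent();

            // Bare wildcard.
            client.setRequestUris("*");
            this.oauth.openLoginForm();
            org.keycloak.testsuite.Assert.assertFalse(this.errorPage.isCurrent());
            this.loginPage.assertCurrent();

            // Several entries, one of which matches.
            client.setRequestUris("/foo", wildcardUri);
            this.oauth.openLoginForm();
            org.keycloak.testsuite.Assert.assertFalse(this.errorPage.isCurrent());
            this.loginPage.assertCurrent();

            // Several entries, none of which matches: must be rejected.
            client.setRequestUris("/foo", wildcardUri.replace("/*", "/foo"));
            this.oauth.openLoginForm();
            this.errorPage.assertCurrent();

            // Empty allow-list: must be rejected.
            client.setRequestUris(new String[0]);
            this.oauth.openLoginForm();
            this.errorPage.assertCurrent();
        } finally {
            client.setRequestUris(TestApplicationResourceUrls.clientRequestUri());
        }
    }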

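    /**
     * Verifies signature enforcement for request objects fetched through {@code request_uri} when
     * the client is configured to require {@code RS256}.
     *
     * Three steps are asserted: an {@code alg=none} object is rejected with "Invalid Request"; an
     * RS256-signed object is still rejected while the client has no matching public key registered;
     * after the generated public key is stored under {@code jwt.credential}, login succeeds with
     * state {@code mystate3}.
     *
     * The signature requirement is removed in a {@code finally} block so a failed assertion cannot
     * leave the shared client demanding RS256 in later tests.
     *
     * @throws Exception if the admin or test-application calls fail
     */
    @Test
    public void requestUriParamSigned() throws Exception {
        String redirectUri = this.oauth.getRedirectUri();
        TestOIDCEndpointsApplicationResource requestObjects = this.testingClient.testApp().oidcClientEndpoints();
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectSignatureAlg(Algorithm.RS256);
        clientResource.update(clientRep);
        try {
            // Unsigned object against a client that requires RS256.
            requestObjects.setOIDCRequest("test", AssertEvents.DEFAULT_CLIENT_ID, redirectUri, "10", Algorithm.none.toString());
            this.oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
            this.oauth.openLoginForm();
            org.keycloak.testsuite.Assert.assertTrue(this.errorPage.isCurrent());
            Assert.assertEquals("Invalid Request", this.errorPage.getError());

            // Correct algorithm, but the verification key is not registered on the client yet.
            String publicKeyPem = (String) requestObjects.generateKeys("RS256").get("publicKey");
            requestObjects.setOIDCRequest("test", AssertEvents.DEFAULT_CLIENT_ID, redirectUri, "10", "mystate3", Algorithm.RS256.toString());
            this.oauth.openLoginForm();
            org.keycloak.testsuite.Assert.assertTrue(this.errorPage.isCurrent());
            Assert.assertEquals("Invalid Request", this.errorPage.getError());

            // Register the public key; the same request object must now verify.
            clientRep = clientResource.toRepresentation();
            CertificateRepresentation certificate = new CertificateRepresentation();
            certificate.setPublicKey(publicKeyPem);
            CertificateInfoHelper.updateClientRepresentationCertificateInfo(clientRep, certificate, "jwt.credential");
            clientResource.update(clientRep);
            // NOTE(review): the reason for the 20 second offset is not visible here — confirm.
            setTimeOffset(20);
            OAuthClient.AuthorizationEndpointResponse loginResponse = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            org.keycloak.testsuite.Assert.assertNotNull(loginResponse.getCode());
            org.keycloak.testsuite.Assert.assertEquals("mystate3", loginResponse.getState());
            Assert.assertTrue(this.appPage.isCurrent());
        } finally {
            // clientRep is the most recent representation pushed to the server at this point.
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectSignatureAlg((Algorithm) null);
            clientResource.update(clientRep);
        }
    }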

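    /**
     * Runs a {@code request_uri} login in which the client's required request-object signature
     * algorithm and the algorithm actually used for the request object are chosen independently.
     *
     * The client is pointed at the test application's JWKS URL for key lookup. Login must succeed
     * when no algorithm is required or when required and actual algorithm are the same; any other
     * combination, including a required {@code none} with a signed object, must end on the
     * "Invalid Request" error page.
     *
     * Cleanup runs in a {@code finally} block on a freshly read representation. The previous
     * failure path dereferenced a resource and a representation that were always {@code null},
     * which replaced the real failure with a NullPointerException and left the client configured
     * with the signature requirement and JWKS URL.
     *
     * @param algorithm signature algorithm the client is configured to require, or {@code null} for
     *     no requirement
     * @param algorithm2 algorithm used to generate keys and build the hosted request object
     * @throws Exception if the admin or test-application calls fail
     */
    private void requestUriParamSignedIn(Algorithm algorithm, Algorithm algorithm2) throws Exception {
        ClientResource clientResource = null;
        try {
            String redirectUri = this.oauth.getRedirectUri();
            TestOIDCEndpointsApplicationResource requestObjects = this.testingClient.testApp().oidcClientEndpoints();
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            ClientRepresentation requirementRep = clientResource.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(requirementRep).setRequestObjectSignatureAlg(algorithm);
            clientResource.update(requirementRep);

            // alg=none needs no key material.
            if (Algorithm.none != algorithm2) {
                requestObjects.generateKeys(algorithm2.name());
            }
            requestObjects.setOIDCRequest("test", AssertEvents.DEFAULT_CLIENT_ID, redirectUri, "10", "mystate3", algorithm2.name());

            // Re-read so the JWKS settings are applied on top of the stored signature requirement.
            ClientRepresentation jwksRep = clientResource.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(jwksRep).setUseJwksUrl(true);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(jwksRep).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
            clientResource.update(jwksRep);

            // NOTE(review): the reason for the 20 second offset is not visible here — confirm.
            setTimeOffset(20);
            this.oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
            if (algorithm == null || algorithm == algorithm2) {
                OAuthClient.AuthorizationEndpointResponse loginResponse = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
                org.keycloak.testsuite.Assert.assertNotNull(loginResponse.getCode());
                org.keycloak.testsuite.Assert.assertEquals("mystate3", loginResponse.getState());
                Assert.assertTrue(this.appPage.isCurrent());
            } else {
                this.oauth.openLoginForm();
                org.keycloak.testsuite.Assert.assertTrue(this.errorPage.isCurrent());
                Assert.assertEquals("Invalid Request", this.errorPage.getError());
            }
        } finally {
            // clientResource is still null only if the lookup itself failed; nothing to revert then.
            if (clientResource != null) {
                ClientRepresentation cleanupRep = clientResource.toRepresentation();
                OIDCAdvancedConfigWrapper.fromClientRepresentation(cleanupRep).setRequestObjectSignatureAlg((Algorithm) null);
                OIDCAdvancedConfigWrapper.fromClientRepresentation(cleanupRep).setUseJwksUrl(false);
                OIDCAdvancedConfigWrapper.fromClientRepresentation(cleanupRep).setJwksUrl((String) null);
                clientResource.update(cleanupRep);
            }
        }
    }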

    /** Client requires ES256, request object uses RS256: the mismatch must be rejected. */
    @Test
    public void requestUriParamSignedExpectedES256ActualRS256() throws Exception {
        final Algorithm requiredByClient = Algorithm.ES256;
        final Algorithm usedForRequestObject = Algorithm.RS256;
        requestUriParamSignedIn(requiredByClient, usedForRequestObject);
    }

    /** Client requires {@code none}, request object is ES256-signed: the mismatch must be rejected. */
    @Test
    public void requestUriParamSignedExpectedNoneActualES256() throws Exception {
        final Algorithm requiredByClient = Algorithm.none;
        final Algorithm usedForRequestObject = Algorithm.ES256;
        requestUriParamSignedIn(requiredByClient, usedForRequestObject);
    }

    /** Client requires {@code none} and the request object is unsigned: login must succeed. */
    @Test
    public void requestUriParamSignedExpectedNoneActualNone() throws Exception {
        final Algorithm requiredByClient = Algorithm.none;
        final Algorithm usedForRequestObject = Algorithm.none;
        requestUriParamSignedIn(requiredByClient, usedForRequestObject);
    }

    /** Required and actual algorithm are both ES256: login must succeed. */
    @Test
    public void requestUriParamSignedExpectedES256ActualES256() throws Exception {
        final Algorithm sharedAlg = Algorithm.ES256;
        requestUriParamSignedIn(sharedAlg, sharedAlg);
    }

    /** Required and actual algorithm are both ES384: login must succeed. */
    @Test
    public void requestUriParamSignedExpectedES384ActualES384() throws Exception {
        final Algorithm sharedAlg = Algorithm.ES384;
        requestUriParamSignedIn(sharedAlg, sharedAlg);
    }

    /** Required and actual algorithm are both ES512: login must succeed. */
    @Test
    public void requestUriParamSignedExpectedES512ActualES512() throws Exception {
        final Algorithm sharedAlg = Algorithm.ES512;
        requestUriParamSignedIn(sharedAlg, sharedAlg);
    }

    /** Required and actual algorithm are both RS384: login must succeed. */
    @Test
    public void requestUriParamSignedExpectedRS384ActualRS384() throws Exception {
        final Algorithm sharedAlg = Algorithm.RS384;
        requestUriParamSignedIn(sharedAlg, sharedAlg);
    }

    /** Required and actual algorithm are both RS512: login must succeed. */
    @Test
    public void requestUriParamSignedExpectedRS512ActualRS512() throws Exception {
        final Algorithm sharedAlg = Algorithm.RS512;
        requestUriParamSignedIn(sharedAlg, sharedAlg);
    }

    /** Required and actual algorithm are both PS256: login must succeed. */
    @Test
    public void requestUriParamSignedExpectedPS256ActualPS256() throws Exception {
        final Algorithm sharedAlg = Algorithm.PS256;
        requestUriParamSignedIn(sharedAlg, sharedAlg);
    }

    /** Required and actual algorithm are both PS384: login must succeed. */
    @Test
    public void requestUriParamSignedExpectedPS384ActualPS384() throws Exception {
        final Algorithm sharedAlg = Algorithm.PS384;
        requestUriParamSignedIn(sharedAlg, sharedAlg);
    }

    /** Required and actual algorithm are both PS512: login must succeed. */
    @Test
    public void requestUriParamSignedExpectedPS512ActualPS512() throws Exception {
        final Algorithm sharedAlg = Algorithm.PS512;
        requestUriParamSignedIn(sharedAlg, sharedAlg);
    }

    /** Client has no required algorithm ({@code null}); an ES256-signed object must be accepted. */
    @Test
    public void requestUriParamSignedExpectedAnyActualES256() throws Exception {
        final Algorithm noRequirement = null;
        final Algorithm usedForRequestObject = Algorithm.ES256;
        requestUriParamSignedIn(noRequirement, usedForRequestObject);
    }

    /**
     * Opens the login form with a URL-encoded {@code login_hint} and checks that the username field
     * is pre-filled with the default test user, that a password-only login completes, and that the
     * login event records that username.
     */
    @Test
    public void loginHint() {
        final String hintedLoginUrl = this.oauth.getLoginFormUrl() + "&login_hint=test-user%40localhost";
        this.driver.navigate().to(hintedLoginUrl);

        this.loginPage.assertCurrent();
        final String prefilledUsername = this.loginPage.getUsername();
        org.keycloak.testsuite.Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, prefilledUsername);

        this.loginPage.login("password");
        final AppPage.RequestType landedOn = this.appPage.getRequestType();
        org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, landedOn);
        this.events.expectLogin().detail("username", AssertEvents.DEFAULT_USERNAME).assertEvent();
    }

    /**
     * Sends a {@code claims} value as a plain query parameter and checks, on the server side, that
     * the exact JSON string is stored as the {@code claims} note of the authenticated client session.
     *
     * @throws IOException if the claims map cannot be serialized
     */
    @Test
    public void processClaimsQueryParam() throws IOException {
        final String claimsJson = JsonSerialization.writeValueAsString(ImmutableMap.of("id_token", ImmutableMap.of("test_claim", ImmutableMap.of("essential", true))));
        final String loginUrl = this.oauth.getLoginFormUrl() + "&claims=" + claimsJson;
        this.driver.navigate().to(loginUrl);

        this.loginPage.assertCurrent();
        this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());

        final EventRepresentation loginEvent = this.events.expectLogin().detail("username", AssertEvents.DEFAULT_USERNAME).assertEvent();
        final String userSessionId = loginEvent.getSessionId();
        final String eventClientId = loginEvent.getClientId();

        // Runs inside the server so the stored session note can be read directly.
        this.testingClient.server("test").run(session -> {
            RealmModel realm = session.getContext().getRealm();
            String clientUuid = realm.getClientByClientId(eventClientId).getId();
            AuthenticatedClientSessionModel clientSession = (AuthenticatedClientSessionModel) session.sessions().getUserSession(realm, userSessionId).getAuthenticatedClientSessions().get(clientUuid);
            Assert.assertEquals(claimsJson, clientSession.getNote("claims"));
        });
    }

    /**
     * Sends the {@code claims} value inside an unsigned ({@code alg=none}) request object passed by
     * value, and checks on the server side that the serialized claims JSON is stored as the
     * {@code claims} note of the authenticated client session.
     *
     * @throws Exception if serialization or the server-side check fails
     */
    @Test
    public void processClaimsRequestParam() throws Exception {
        final Map<String, Object> requestedClaims = ImmutableMap.of("id_token", ImmutableMap.of("test_claim", ImmutableMap.of("essential", true)));
        final String claimsJson = JsonSerialization.writeValueAsString(requestedClaims);

        final Map<String, Object> requestParams = new HashMap<>();
        requestParams.put("client_id", AssertEvents.DEFAULT_CLIENT_ID);
        requestParams.put("response_type", "code");
        requestParams.put("redirect_uri", this.oauth.getRedirectUri());
        requestParams.put("claims", requestedClaims);

        final String loginUrl = this.oauth.getLoginFormUrl() + "&request=" + new JWSBuilder().jsonContent(requestParams).none();
        this.driver.navigate().to(loginUrl);
        this.loginPage.assertCurrent();
        this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        org.keycloak.testsuite.Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());

        final EventRepresentation loginEvent = this.events.expectLogin().detail("username", AssertEvents.DEFAULT_USERNAME).assertEvent();
        final String userSessionId = loginEvent.getSessionId();
        final String eventClientId = loginEvent.getClientId();

        // Runs inside the server so the stored session note can be read directly.
        this.testingClient.server("test").run(session -> {
            RealmModel realm = session.getContext().getRealm();
            String clientUuid = realm.getClientByClientId(eventClientId).getId();
            String storedClaims = session.sessions().getUserSession(realm, userSessionId).getAuthenticatedClientSessionByClient(clientUuid).getNote("claims");
            Assert.assertEquals(claimsJson, storedClaims);
        });
    }

    /**
     * Checks which requested claims end up in the ID token and in the UserInfo response when the
     * client has a claims-parameter token mapper and the "profile" default scope is removed.
     *
     * Two logins are performed, each with an unsigned (alg=none) request object carrying a
     * {@code claims} member. The first requests claims under {@code id_token} and {@code userinfo};
     * the second requests them under {@code id_token} and {@code access_token}. After each login
     * the ID token and the UserInfo response are asserted claim by claim.
     *
     * NOTE(review): the nested try/catch(Throwable) blocks that close the REST clients look like
     * decompiled try/finally code; on a failure in the second half the outer catch re-asserts the
     * USER_INFO_REQUEST event and closes the first client a second time — confirm against the
     * original source before relying on failure messages from this test.
     */
    @Test
    public void processClaimsRequestParamSupported() throws Exception {
        // Id of the "profile" client scope; stays null if no scope with that name is found.
        String str = null;
        try {
            Iterator it = this.adminClient.realm("test").clientScopes().findAll().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                ClientScopeRepresentation clientScopeRepresentation = (ClientScopeRepresentation) it.next();
                if (clientScopeRepresentation.getName().equals("profile")) {
                    str = clientScopeRepresentation.getId();
                    break;
                }
            }
            // Drop "profile" from the client's default scopes and add the claims-parameter mapper.
            ApiUtil.findClientResourceByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID).removeDefaultClientScope(str);
            ApiUtil.findClientResourceByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID).getProtocolMappers().createMapper(ModelToRepresentation.toRepresentation(ClaimsParameterTokenMapper.createMapper("claimsParameterTokenMapper", true, false))).close();
            // First claims request. Deliberately malformed entries: family_name is essential=false,
            // given_name uses the unknown key "wesentlich", userinfo.preferred_username uses the
            // non-boolean value "Ja". The assertions below expect those three to be absent.
            ImmutableMap of = ImmutableMap.of("id_token", ImmutableMap.of("email", ImmutableMap.of("essential", true), "preferred_username", ImmutableMap.of("essential", true), "family_name", ImmutableMap.of("essential", false), "given_name", ImmutableMap.of("wesentlich", true), "name", ImmutableMap.of("essential", true)), "userinfo", ImmutableMap.of("preferred_username", ImmutableMap.of("essential", "Ja"), "family_name", ImmutableMap.of("essential", true), "given_name", ImmutableMap.of("essential", true)));
            HashMap hashMap = new HashMap();
            hashMap.put("client_id", AssertEvents.DEFAULT_CLIENT_ID);
            hashMap.put("response_type", "code");
            hashMap.put("redirect_uri", this.oauth.getRedirectUri());
            hashMap.put("claims", of);
            hashMap.put("scope", "openid");
            // Request object is serialized with alg=none (unsigned).
            this.oauth = this.oauth.request(new JWSBuilder().jsonContent(hashMap).none());
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            OAuthClient.AccessTokenResponse sendTokenRequestAndGetResponse = sendTokenRequestAndGetResponse(this.events.expectLogin().assertEvent());
            IDToken verifyIDToken = this.oauth.verifyIDToken(sendTokenRequestAndGetResponse.getIdToken());
            // ID token: only the well-formed essential=true claims are expected.
            Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, verifyIDToken.getEmail());
            Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, verifyIDToken.getPreferredUsername());
            Assert.assertNull(verifyIDToken.getFamilyName());
            Assert.assertNull(verifyIDToken.getGivenName());
            Assert.assertEquals("Tom Brady", verifyIDToken.getName());
            ResteasyClient createResteasyClient = AdminClientUtil.createResteasyClient();
            try {
                UserInfo userInfo = (UserInfo) UserInfoClientUtil.executeUserInfoRequest_getMethod(createResteasyClient, sendTokenRequestAndGetResponse.getAccessToken()).readEntity(UserInfo.class);
                // UserInfo: claims requested under "userinfo" only; email is present although it
                // was not requested there (presumably from another scope/mapper — confirm).
                Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, userInfo.getEmail());
                Assert.assertNull(userInfo.getPreferredUsername());
                Assert.assertEquals("Brady", userInfo.getFamilyName());
                Assert.assertEquals("Tom", userInfo.getGivenName());
                Assert.assertNull(userInfo.getName());
                this.events.expect(EventType.USER_INFO_REQUEST).session(sendTokenRequestAndGetResponse.getSessionState()).client(AssertEvents.DEFAULT_CLIENT_ID).assertEvent();
                createResteasyClient.close();
                this.oauth.doLogout(sendTokenRequestAndGetResponse.getRefreshToken(), "password");
                this.events.expectLogout(sendTokenRequestAndGetResponse.getSessionState()).client(AssertEvents.DEFAULT_CLIENT_ID).clearDetails().assertEvent();
                // Second claims request: profile claims are asked for under "access_token" only,
                // so none of them is expected in the ID token or in the UserInfo response.
                ImmutableMap of2 = ImmutableMap.of("id_token", ImmutableMap.of("test_claim", ImmutableMap.of("essential", true)), "access_token", ImmutableMap.of("email", ImmutableMap.of("essential", true), "preferred_username", ImmutableMap.of("essential", true), "family_name", ImmutableMap.of("essential", true), "given_name", ImmutableMap.of("essential", true), "name", ImmutableMap.of("essential", true)));
                HashMap hashMap2 = new HashMap();
                hashMap2.put("client_id", AssertEvents.DEFAULT_CLIENT_ID);
                hashMap2.put("response_type", "code");
                hashMap2.put("redirect_uri", this.oauth.getRedirectUri());
                hashMap2.put("claims", of2);
                hashMap2.put("scope", "openid");
                this.oauth = this.oauth.request(new JWSBuilder().jsonContent(hashMap2).none());
                this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
                OAuthClient.AccessTokenResponse sendTokenRequestAndGetResponse2 = sendTokenRequestAndGetResponse(this.events.expectLogin().assertEvent());
                IDToken verifyIDToken2 = this.oauth.verifyIDToken(sendTokenRequestAndGetResponse2.getIdToken());
                Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, verifyIDToken2.getEmail());
                Assert.assertNull(verifyIDToken2.getPreferredUsername());
                Assert.assertNull(verifyIDToken2.getFamilyName());
                Assert.assertNull(verifyIDToken2.getGivenName());
                Assert.assertNull(verifyIDToken2.getName());
                ResteasyClient createResteasyClient2 = AdminClientUtil.createResteasyClient();
                try {
                    UserInfo userInfo2 = (UserInfo) UserInfoClientUtil.executeUserInfoRequest_getMethod(createResteasyClient2, sendTokenRequestAndGetResponse2.getAccessToken()).readEntity(UserInfo.class);
                    Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, userInfo2.getEmail());
                    Assert.assertNull(userInfo2.getPreferredUsername());
                    Assert.assertNull(userInfo2.getFamilyName());
                    Assert.assertNull(userInfo2.getGivenName());
                    Assert.assertNull(userInfo2.getName());
                    createResteasyClient2.close();
                } catch (Throwable th) {
                    // Failure path: close the second REST client, then propagate.
                    createResteasyClient2.close();
                    throw th;
                }
            } catch (Throwable th2) {
                // Failure path for anything inside the outer try, including the second login.
                this.events.expect(EventType.USER_INFO_REQUEST).session(sendTokenRequestAndGetResponse.getSessionState()).client(AssertEvents.DEFAULT_CLIENT_ID).assertEvent();
                createResteasyClient.close();
                throw th2;
            }
        } finally {
            // Restore the "profile" default scope. The mapper created above is not removed here.
            ApiUtil.findClientResourceByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID).addDefaultClientScope(str);
        }
    }

    /**
     * Logs in with a request object produced by {@code createAndSignRequestObject()} passed by
     * value, and expects a login event.
     *
     * @throws IOException if the request object cannot be built
     */
    @Test
    public void testSignedRequestObject() throws IOException {
        final String signedRequestObject = createAndSignRequestObject();
        this.oauth = this.oauth.request(signedRequestObject);

        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

        this.events.expectLogin().assertEvent();
    }

    /**
     * Checks that a client restricted to the {@code RSA-OAEP-256} key-management algorithm for
     * encrypted request objects rejects one encrypted with {@code RSA-OAEP} and accepts one
     * encrypted with {@code RSA-OAEP-256}; after the restriction is removed, an
     * {@code RSA-OAEP-256} object is accepted again.
     *
     * The rejection is observed through an exception from the login attempt: {@code Assert.fail}
     * raises an {@code AssertionError}, which the {@code catch (Exception)} below does not swallow.
     *
     * @throws Exception if the admin calls or request-object creation fail
     */
    @Test
    public void testWrongEncryptionAlgorithm() throws Exception {
        final String requiredKeyAlg = "RSA-OAEP-256";
        try {
            ClientResource restrictedClient = ApiUtil.findClientByClientId(this.adminClient.realm(this.oauth.getRealm()), this.oauth.getClientId());
            ClientRepresentation restrictedRep = restrictedClient.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(restrictedRep).setRequestObjectEncryptionAlg(requiredKeyAlg);
            restrictedClient.update(restrictedRep);

            // Mismatching key-management algorithm.
            this.oauth.request(createEncryptedRequestObject("RSA-OAEP"));
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            Assert.fail("Should fail due to invalid encryption algorithm");
        } catch (Exception expected) {
            Assert.assertTrue(this.errorPage.isCurrent());

            // Matching algorithm while the restriction is still active.
            this.oauth.request(createEncryptedRequestObject(requiredKeyAlg));
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            Assert.assertTrue(this.appPage.isCurrent());
        } finally {
            // Always lift the restriction from the shared client.
            ClientResource clientToReset = ApiUtil.findClientByClientId(this.adminClient.realm(this.oauth.getRealm()), this.oauth.getClientId());
            ClientRepresentation resetRep = clientToReset.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(resetRep).setRequestObjectEncryptionAlg((String) null);
            clientToReset.update(resetRep);
        }

        // Unrestricted client: the same kind of object must still be accepted.
        this.oauth.openLogout();
        this.oauth = this.oauth.request(createEncryptedRequestObject(requiredKeyAlg));
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertTrue(this.appPage.isCurrent());
    }

    /**
     * Checks enforcement of the client's required content-encryption algorithm ("enc") for
     * encrypted request objects.
     *
     * The client is set to RSA-OAEP-256 / A192GCM and a request object built by
     * {@code createEncryptedRequestObject("RSA-OAEP-256")} is sent; the login attempt is expected
     * to throw and leave the error page showing. The requirement is then changed to A256GCM and
     * the login is expected to reach the application page. Finally both settings are cleared and a
     * further login must succeed.
     *
     * NOTE(review): the duplicated cleanup in the try and catch branches plus the outer
     * catch(Throwable) look like decompiled try/finally code — confirm against the original source.
     */
    @Test
    public void testWrongContentEncryptionAlgorithm() throws Exception {
        // Assigned in whichever inner branch completes; read after the inner try/catch.
        ClientResource findClientByClientId;
        ClientResource findClientByClientId2 = ApiUtil.findClientByClientId(this.adminClient.realm(this.oauth.getRealm()), this.oauth.getClientId());
        ClientRepresentation representation = findClientByClientId2.toRepresentation();
        try {
            try {
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setRequestObjectEncryptionAlg("RSA-OAEP-256");
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setRequestObjectEncryptionEnc("A192GCM");
                findClientByClientId2.update(representation);
                // Read back to prove the server stored the required "enc" value.
                Assert.assertEquals("A192GCM", OIDCAdvancedConfigWrapper.fromClientRepresentation(findClientByClientId2.toRepresentation()).getRequestObjectEncryptionEnc());
                this.oauth.request(createEncryptedRequestObject("RSA-OAEP-256"));
                this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
                // Assert.fail always throws an AssertionError, which catch (Exception) below does
                // not catch; the cleanup statements after it in this branch never run.
                Assert.fail("Should fail due to invalid content encryption algorithm");
                findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm(this.oauth.getRealm()), this.oauth.getClientId());
                ClientRepresentation representation2 = findClientByClientId.toRepresentation();
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation2).setRequestObjectEncryptionAlg((String) null);
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation2).setRequestObjectEncryptionEnc((String) null);
                findClientByClientId.update(representation2);
            } catch (Exception e) {
                // Expected path: the mismatching "enc" was rejected.
                Assert.assertTrue(this.errorPage.isCurrent());
                this.oauth.request(createEncryptedRequestObject("RSA-OAEP-256"));
                // Switch the requirement to A256GCM and verify it was stored.
                ClientRepresentation representation3 = findClientByClientId2.toRepresentation();
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation3).setRequestObjectEncryptionEnc("A256GCM");
                findClientByClientId2.update(representation3);
                Assert.assertEquals("A256GCM", OIDCAdvancedConfigWrapper.fromClientRepresentation(findClientByClientId2.toRepresentation()).getRequestObjectEncryptionEnc());
                this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
                Assert.assertTrue(this.appPage.isCurrent());
                // Clear both encryption requirements again.
                findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm(this.oauth.getRealm()), this.oauth.getClientId());
                ClientRepresentation representation4 = findClientByClientId.toRepresentation();
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation4).setRequestObjectEncryptionAlg((String) null);
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation4).setRequestObjectEncryptionEnc((String) null);
                findClientByClientId.update(representation4);
            }
            // With no requirement configured the encrypted request object must be accepted.
            this.oauth.openLogout();
            this.oauth = this.oauth.request(createEncryptedRequestObject("RSA-OAEP-256"));
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            Assert.assertTrue(this.appPage.isCurrent());
            // Confirm the cleanup reached the server.
            ClientRepresentation representation5 = findClientByClientId.toRepresentation();
            Assert.assertNull(OIDCAdvancedConfigWrapper.fromClientRepresentation(representation5).getRequestObjectEncryptionAlg());
            Assert.assertNull(OIDCAdvancedConfigWrapper.fromClientRepresentation(representation5).getRequestObjectEncryptionEnc());
        } catch (Throwable th) {
            // Any failure, including an AssertionError: clear both requirements, then rethrow.
            ClientResource findClientByClientId3 = ApiUtil.findClientByClientId(this.adminClient.realm(this.oauth.getRealm()), this.oauth.getClientId());
            ClientRepresentation representation6 = findClientByClientId3.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation6).setRequestObjectEncryptionAlg((String) null);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation6).setRequestObjectEncryptionEnc((String) null);
            findClientByClientId3.update(representation6);
            throw th;
        }
    }

    /**
     * Logs in with a request object that is signed and then encrypted using {@code RSA-OAEP-256},
     * passed by value, and expects a login event.
     *
     * @throws IOException if the request object or key lookup fails
     * @throws JWEException if encryption fails
     */
    @Test
    public void testSignedAndEncryptedRequestObject() throws IOException, JWEException {
        final String nestedRequestObject = createEncryptedRequestObject("RSA-OAEP-256");
        this.oauth = this.oauth.request(nestedRequestObject);

        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

        this.events.expectLogin().assertEvent();
    }

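    /**
     * Builds a nested request object: the output of {@code createAndSignRequestObject()} is
     * encrypted as a JWE for the realm.
     *
     * The realm's JWKS URI is read from its OpenID discovery document, the encryption-use keys are
     * loaded from it, and the key whose {@code kid} equals that of the realm's active encryption
     * key is used. The content-encryption algorithm is fixed to {@code A256GCM}.
     *
     * The HTTP client is managed with try-with-resources; the previous hand-expanded close logic
     * contained branches that could never run.
     *
     * @param str JWE key-management algorithm to place in the header, for example
     *     {@code RSA-OAEP-256}
     * @return the compact JWE serialization
     * @throws IOException if discovery, JWKS retrieval or closing the HTTP client fails
     * @throws JWEException if the JWE cannot be encoded
     */
    private String createEncryptedRequestObject(String str) throws IOException, JWEException {
        try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
            String discoveryUrl = getAuthServerRoot().toString() + "realms/" + this.oauth.getRealm() + "/.well-known/openid-configuration";
            OIDCConfigurationRepresentation oidcConfig = (OIDCConfigurationRepresentation) SimpleHttp.doGet(discoveryUrl, httpClient).asJson(OIDCConfigurationRepresentation.class);
            JSONWebKeySet realmKeys = (JSONWebKeySet) SimpleHttp.doGet(oidcConfig.getJwksUri(), httpClient).asJson(JSONWebKeySet.class);
            Map<?, ?> encryptionKeys = JWKSUtils.getKeysForUse(realmKeys, JWK.Use.ENCRYPTION);

            String kid = KeyUtils.getActiveEncKey(testRealm().keys().getKeyMetadata(), "PS256").getKid();
            PublicKey publicKey = (PublicKey) encryptionKeys.get(kid);
            // Fail here with a clear message instead of later inside the JWE encoder.
            Assert.assertNotNull("No published encryption key matches the active realm key id", publicKey);

            // The signed request object is compact-serialized text; it becomes the JWE payload.
            JWE jwe = new JWE().header(new JWEHeader(str, "A256GCM", (String) null)).content(createAndSignRequestObject().getBytes());
            jwe.getKeyStorage().setEncryptionKey(publicKey);
            return jwe.encodeJwe();
        }
    }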

    /** Request-object encryption with key management {@code RSA-OAEP-256} and content encryption {@code A256GCM}. */
    @Test
    public void testRealmPublicKeyEncryptedRequestObjectUsingRSA_OAEP_256WithA256GCM() throws Exception {
        final JWEHeader header = new JWEHeader("RSA-OAEP-256", "A256GCM", (String) null);
        assertRequestObjectEncryption(header);
    }

    /** Request-object encryption with key management {@code RSA-OAEP} and content encryption {@code A128CBC-HS256}. */
    @Test
    public void testRealmPublicKeyEncryptedRequestObjectUsingRSA_OAEPWithA128CBC_HS256() throws Exception {
        final JWEHeader header = new JWEHeader("RSA-OAEP", "A128CBC-HS256", (String) null);
        assertRequestObjectEncryption(header);
    }

    /**
     * Same as the RSA-OAEP / A128CBC-HS256 case, but the JWE header names the target key explicitly
     * through a key id instead of leaving the choice to {@code assertRequestObjectEncryption}.
     *
     * <p>NOTE(review): the kid is looked up here with {@code "RS256"}, while the fallback inside
     * {@code assertRequestObjectEncryption} uses {@code "PS256"}. Confirm that both lookups resolve
     * to a key the realm actually publishes for encryption use.
     *
     * @throws Exception if building, encrypting or submitting the request object fails
     */
    @Test
    public void testRealmPublicKeyEncryptedRequestObjectUsingKid() throws Exception {
        String activeEncKeyId = KeyUtils.getActiveEncKey(testRealm().keys().getKeyMetadata(), "RS256").getKid();
        JWEHeader headerWithKid = new JWEHeader("RSA-OAEP", "A128CBC-HS256", (String) null, activeEncKeyId);
        assertRequestObjectEncryption(headerWithKid);
    }

    /**
     * Builds an authorization request object for the current OAuth test client and has the test
     * application sign it with RS256.
     *
     * <p>Steps, in order: fill in the claims (id, iat, exp = iat + 300, nbf = iat, client id,
     * response type {@code code}, redirect URI, scope {@code openid}); Base64Url-encode the JSON;
     * switch the client to JWKS-URL based keys pointing at the test application's JWKS URI; ask the
     * test application to generate RS256 keys and register the encoded request; return what
     * {@code getOIDCRequest()} hands back.
     *
     * <p>Side effect: the client representation is updated on the server (use-JWKS-URL flag and
     * JWKS URL) and this method does not restore the previous values.
     *
     * @return the request object as returned by the test application's {@code getOIDCRequest()}
     * @throws IOException if the request object cannot be serialized to JSON
     */
    private String createAndSignRequestObject() throws IOException {
        // Validity window added to iat; presumably seconds, as Time.currentTime() feeds iat - confirm.
        final long validityWindow = 300L;

        TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject =
                new TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject();
        requestObject.id(KeycloakModelUtils.generateId());
        requestObject.iat(Long.valueOf(Time.currentTime()));
        requestObject.exp(Long.valueOf(requestObject.getIat().longValue() + validityWindow));
        requestObject.nbf(requestObject.getIat());
        requestObject.setClientId(this.oauth.getClientId());
        requestObject.setResponseType("code");
        requestObject.setRedirectUriParam(this.oauth.getRedirectUri());
        requestObject.setScope("openid");

        byte[] claimsJson = JsonSerialization.writeValueAsBytes(requestObject);
        String encodedClaims = Base64Url.encode(claimsJson);

        TestOIDCEndpointsApplicationResource clientEndpoints = this.testingClient.testApp().oidcClientEndpoints();

        // Point the client at the test application's JWKS URI before the request is signed.
        ClientResource clientResource = ApiUtil.findClientByClientId(
                this.adminClient.realm(this.oauth.getRealm()), this.oauth.getClientId());
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(true);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
        clientResource.update(clientRep);

        // Key generation and signing happen inside the test application, not in this JVM.
        clientEndpoints.generateKeys("RS256");
        clientEndpoints.registerOIDCRequest(encodedClaims, "RS256");
        return clientEndpoints.getOIDCRequest();
    }

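    /**
     * Encrypts a fresh authorization request object to the realm's public encryption key with the
     * given JWE header, submits it as the {@code request} parameter and asserts that login succeeds.
     *
     * <p>The encryption key is taken from the realm's published JWKS (found through the OpenID
     * discovery document), restricted to keys with use {@code ENCRYPTION}. If the header carries a
     * key id, that key is used; otherwise the kid comes from
     * {@code KeyUtils.getActiveEncKey(..., "PS256")}.
     *
     * <p>The JWE plaintext is the bare JSON claims set, with no JWS layer around it, so this helper
     * exercises encryption only. Encrypting to a public key does not authenticate the sender;
     * request-object signing is covered by {@code createAndSignRequestObject()}.
     *
     * <p>Side effect: {@code this.oauth} is replaced by the client returned from
     * {@code oauth.request(...)}.
     *
     * @param jWEHeader JWE header selecting the key-management and content-encryption algorithms,
     *                  and optionally the key id
     * @throws Exception if discovery, key lookup, encryption or the login flow fails
     */
    private void assertRequestObjectEncryption(JWEHeader jWEHeader) throws Exception {
        // Validity window added to iat; presumably seconds, as Time.currentTime() feeds iat - confirm.
        final long validityWindow = 300L;

        TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject =
                new TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject();
        requestObject.id(KeycloakModelUtils.generateId());
        requestObject.iat(Long.valueOf(Time.currentTime()));
        requestObject.exp(Long.valueOf(requestObject.getIat().longValue() + validityWindow));
        requestObject.nbf(requestObject.getIat());
        requestObject.setClientId(this.oauth.getClientId());
        requestObject.setResponseType("code");
        requestObject.setRedirectUriParam(this.oauth.getRedirectUri());
        requestObject.setScope("openid");
        byte[] claimsJson = JsonSerialization.writeValueAsBytes(requestObject);

        // try-with-resources closes the client on every path and keeps a close() failure as a
        // suppressed exception, replacing the hand-expanded close logic and its dead branches.
        try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
            String discoveryUrl = getAuthServerRoot().toString() + "realms/" + this.oauth.getRealm()
                    + "/.well-known/openid-configuration";
            OIDCConfigurationRepresentation discovery =
                    SimpleHttp.doGet(discoveryUrl, httpClient).asJson(OIDCConfigurationRepresentation.class);
            JSONWebKeySet jwks = SimpleHttp.doGet(discovery.getJwksUri(), httpClient).asJson(JSONWebKeySet.class);
            Map<?, ?> encryptionKeys = JWKSUtils.getKeysForUse(jwks, JWK.Use.ENCRYPTION);

            String keyId = jWEHeader.getKeyId();
            if (keyId == null) {
                // NOTE(review): "PS256" is a signature algorithm name used here to pick an
                // encryption key; confirm this matches how the realm's keys are registered.
                keyId = KeyUtils.getActiveEncKey(testRealm().keys().getKeyMetadata(), "PS256").getKid();
            }

            PublicKey publicKey = (PublicKey) encryptionKeys.get(keyId);
            // Fail here with a readable message rather than handing a null key to the JWE encoder.
            Assert.assertNotNull("Realm JWKS has no encryption key with kid " + keyId, publicKey);

            JWE jwe = new JWE().header(jWEHeader).content(claimsJson);
            jwe.getKeyStorage().setEncryptionKey(publicKey);

            this.oauth = this.oauth.request(jwe.encodeJwe());
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            this.events.expectLogin().assertEvent();
        }
    }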

    /**
     * Compiler-generated hook that rebuilds this class's serializable lambdas from their
     * {@link SerializedLambda} form, shown here as a decompiler rendered it.
     *
     * <p>Two lambdas are recognised by implementation method name:
     * {@code lambda$processClaimsRequestParam$db7944ee$1} and
     * {@code lambda$processClaimsQueryParam$db7944ee$1}. Before either is re-created, the method
     * checks the implementation method kind, the functional interface class, method name and
     * signature, the implementing class and the implementation signature. Any serialized form that
     * does not match all of these is rejected with {@link IllegalArgumentException}.
     *
     * <p>NOTE(review): {@code boolean z = -1} and the {@code switch} over a boolean are decompiler
     * renderings of an integer selector and are not valid Java source as written.
     *
     * @param serializedLambda the serialized description of the lambda to rebuild
     * @return the re-created lambda, capturing the three String arguments stored in the serialized form
     * @throws IllegalArgumentException if the serialized form matches neither known lambda
     */
    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        // Selector for the second switch; stays at its initial value when no name matches.
        boolean z = -1;
        // First stage: dispatch on the name's hash code, then confirm with equals() so that a
        // hash collision cannot select a branch.
        switch (implMethodName.hashCode()) {
            case -2015417469:
                if (implMethodName.equals("lambda$processClaimsQueryParam$db7944ee$1")) {
                    z = true;
                    break;
                }
                break;
            case 549473674:
                if (implMethodName.equals("lambda$processClaimsRequestParam$db7944ee$1")) {
                    z = false;
                    break;
                }
                break;
        }
        // Second stage: verify the full lambda descriptor before re-creating it.
        switch (z) {
            case false:
                // processClaimsRequestParam lambda. Method kind 6 is MethodHandleInfo.REF_invokeStatic.
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest") && serializedLambda.getImplMethodSignature().equals("(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Lorg/keycloak/models/KeycloakSession;)V")) {
                    // Captured values are cast to String with no further validation.
                    String str = (String) serializedLambda.getCapturedArg(0);
                    String str2 = (String) serializedLambda.getCapturedArg(1);
                    String str3 = (String) serializedLambda.getCapturedArg(2);
                    // Asserts that the "claims" note on the client session (user session str2,
                    // client id str) equals str3; the session is fetched with
                    // getAuthenticatedClientSessionByClient.
                    return keycloakSession -> {
                        RealmModel realm = keycloakSession.getContext().getRealm();
                        Assert.assertEquals(str3, keycloakSession.sessions().getUserSession(realm, str2).getAuthenticatedClientSessionByClient(realm.getClientByClientId(str).getId()).getNote("claims"));
                    };
                }
                break;
            case true:
                // processClaimsQueryParam lambda; same descriptor checks as the branch above.
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest") && serializedLambda.getImplMethodSignature().equals("(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Lorg/keycloak/models/KeycloakSession;)V")) {
                    String str4 = (String) serializedLambda.getCapturedArg(0);
                    String str5 = (String) serializedLambda.getCapturedArg(1);
                    String str6 = (String) serializedLambda.getCapturedArg(2);
                    // Same assertion as the other branch, but the client session is read from the
                    // getAuthenticatedClientSessions() map, keyed by the client's internal id.
                    return keycloakSession2 -> {
                        RealmModel realm = keycloakSession2.getContext().getRealm();
                        Assert.assertEquals(str6, ((AuthenticatedClientSessionModel) keycloakSession2.sessions().getUserSession(realm, str5).getAuthenticatedClientSessions().get(realm.getClientByClientId(str4).getId())).getNote("claims"));
                    };
                }
                break;
        }
        // Reached when the name is unknown or any descriptor field differs from the expected one.
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }
}
