package org.keycloak.testsuite.oauth;

import java.lang.invoke.SerializedLambda;
import java.security.Security;
import java.util.List;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.hamcrest.Matchers;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.common.enums.SslRequired;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.UserInfo;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
import org.keycloak.testsuite.updaters.RealmAttributeUpdater;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RealmManager;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.testsuite.util.TokenSignatureUtil;
import org.keycloak.testsuite.util.UserManager;
import org.keycloak.testsuite.util.WaitUtils;
import org.keycloak.util.BasicAuthHelper;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/testsuite/oauth/RefreshTokenTest.class */
public class RefreshTokenTest extends AbstractKeycloakTest {
    public static final int ALLOWED_CLOCK_SKEW = 3;

    @Page
    protected LoginPage loginPage;

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    @BeforeClass
    public static void addBouncyCastleProvider() {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    @Before
    public void clientConfiguration() {
        ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).directAccessGrant(true);
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation realmRepresentation = (RealmRepresentation) AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
        realmRepresentation.getClients().add(ClientBuilder.create().clientId("service-account-app").serviceAccount().attribute("client_credentials.use_refresh_token", "true").secret("secret").build());
        list.add(RealmBuilder.edit(realmRepresentation).testEventListener().build());
    }

    @Test
    public void nullRefreshToken() throws Exception {
        Response post = AdminClientUtil.createResteasyClient().target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"})).request().header("Authorization", BasicAuthHelper.createHeader(AssertEvents.DEFAULT_CLIENT_ID, "password")).post(Entity.form(new Form()));
        Assert.assertEquals(400L, post.getStatus());
        post.close();
        this.events.clear();
    }

    @Test
    public void invalidRefreshToken() throws Exception {
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest("invalid", "password");
        Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
        Assert.assertEquals("invalid_grant", doRefreshTokenRequest.getError());
        this.events.clear();
    }

    @Test
    public void refreshTokenStructure() {
        this.oauth.nonce("123456");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        Assert.assertEquals("123456", this.oauth.verifyToken(doAccessTokenRequest.getAccessToken()).getNonce());
        String refreshToken = doAccessTokenRequest.getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        this.events.expectCodeToToken(str, sessionId).assertEvent();
        Assert.assertNotNull(refreshToken);
        Assert.assertEquals("123456", parseRefreshToken.getNonce());
        Assert.assertNull("RealmAccess should be null for RefreshTokens", parseRefreshToken.getRealmAccess());
        Assert.assertTrue("ResourceAccess should be null for RefreshTokens", parseRefreshToken.getResourceAccess().isEmpty());
    }

    @Test
    public void refreshTokenRequest() throws Exception {
        this.oauth.nonce("123456");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        AccessToken verifyToken = this.oauth.verifyToken(doAccessTokenRequest.getAccessToken());
        Assert.assertEquals("123456", verifyToken.getNonce());
        String refreshToken = doAccessTokenRequest.getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        EventRepresentation assertEvent2 = this.events.expectCodeToToken(str, sessionId).assertEvent();
        Assert.assertNotNull(refreshToken);
        Assert.assertEquals("Bearer", doAccessTokenRequest.getTokenType());
        Assert.assertThat(Integer.valueOf(verifyToken.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(200), Matchers.lessThanOrEqualTo(350)));
        Assert.assertThat(Integer.valueOf(parseRefreshToken.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1796), Matchers.lessThanOrEqualTo(1803)));
        Assert.assertEquals(sessionId, parseRefreshToken.getSessionState());
        setTimeOffset(2);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password");
        AccessToken verifyToken2 = this.oauth.verifyToken(doRefreshTokenRequest.getAccessToken());
        RefreshToken parseRefreshToken2 = this.oauth.parseRefreshToken(doRefreshTokenRequest.getRefreshToken());
        Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
        Assert.assertEquals(sessionId, verifyToken2.getSessionState());
        Assert.assertEquals(sessionId, parseRefreshToken2.getSessionState());
        Assert.assertThat(Integer.valueOf(doRefreshTokenRequest.getExpiresIn()), Matchers.allOf(Matchers.greaterThanOrEqualTo(250), Matchers.lessThanOrEqualTo(300)));
        Assert.assertThat(Integer.valueOf(verifyToken2.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(247), Matchers.lessThanOrEqualTo(303)));
        Assert.assertThat(Integer.valueOf(verifyToken2.getExpiration() - verifyToken.getExpiration()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1), Matchers.lessThanOrEqualTo(10)));
        Assert.assertThat(Integer.valueOf(parseRefreshToken2.getExpiration() - parseRefreshToken.getExpiration()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1), Matchers.lessThanOrEqualTo(10)));
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, parseRefreshToken2.getIssuedFor());
        Assert.assertFalse(parseRefreshToken2.hasAudience(AssertEvents.DEFAULT_CLIENT_ID));
        Assert.assertNotEquals(verifyToken.getId(), verifyToken2.getId());
        Assert.assertNotEquals(parseRefreshToken.getId(), parseRefreshToken2.getId());
        Assert.assertEquals("Bearer", doRefreshTokenRequest.getTokenType());
        Assert.assertEquals(ApiUtil.findUserByUsername(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getId(), verifyToken2.getSubject());
        Assert.assertNotEquals(AssertEvents.DEFAULT_USERNAME, verifyToken2.getSubject());
        Assert.assertTrue(verifyToken2.getRealmAccess().isUserInRole("user"));
        Assert.assertEquals(1L, verifyToken2.getResourceAccess(this.oauth.getClientId()).getRoles().size());
        Assert.assertTrue(verifyToken2.getResourceAccess(this.oauth.getClientId()).isUserInRole("customer-user"));
        EventRepresentation assertEvent3 = this.events.expectRefresh((String) assertEvent2.getDetails().get("refresh_token_id"), sessionId).assertEvent();
        Assert.assertNotEquals(assertEvent2.getDetails().get("token_id"), assertEvent3.getDetails().get("token_id"));
        Assert.assertNotEquals(assertEvent2.getDetails().get("refresh_token_id"), assertEvent3.getDetails().get("updated_refresh_token_id"));
        Assert.assertEquals("123456", verifyToken2.getNonce());
        setTimeOffset(0);
    }

    @Test
    public void refreshTokenWithAccessToken() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String accessToken = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getAccessToken();
        setTimeOffset(2);
        Assert.assertNotEquals(200L, this.oauth.doRefreshTokenRequest(accessToken, "password").getStatusCode());
        setTimeOffset(0);
    }

    @Test
    public void tokenRefreshWithAccessTokenShouldReturnIdTokenWithAccessTokenHash() {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String refreshToken = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getRefreshToken();
        setTimeOffset(2);
        try {
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password");
            Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
            Assert.assertNotNull("AccessTokenHash should not be null after token refresh", this.oauth.verifyToken(doRefreshTokenRequest.getIdToken()).getAccessTokenHash());
            setTimeOffset(0);
        } catch (Throwable th) {
            setTimeOffset(0);
            throw th;
        }
    }

    @Test
    public void refreshTokenReuseTokenWithoutRefreshTokensRevoked() throws Exception {
        try {
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
            String sessionId = assertEvent.getSessionId();
            String str = (String) assertEvent.getDetails().get("code_id");
            RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getRefreshToken());
            this.events.expectCodeToToken(str, sessionId).assertEvent();
            setTimeOffset(2);
            Assert.assertEquals(200L, this.oauth.doRefreshTokenRequest(r0.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).assertEvent();
            setTimeOffset(4);
            Assert.assertEquals(200L, this.oauth.doRefreshTokenRequest(r0.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).assertEvent();
            setTimeOffset(0);
        } catch (Throwable th) {
            setTimeOffset(0);
            throw th;
        }
    }

    @Test
    public void refreshTokenReuseTokenWithRefreshTokensRevoked() throws Exception {
        try {
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(true);
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
            String sessionId = assertEvent.getSessionId();
            String str = (String) assertEvent.getDetails().get("code_id");
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
            RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken());
            this.events.expectCodeToToken(str, sessionId).assertEvent();
            setTimeOffset(2);
            RefreshToken parseRefreshToken2 = this.oauth.parseRefreshToken(this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getRefreshToken());
            Assert.assertEquals(200L, r0.getStatusCode());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).assertEvent();
            setTimeOffset(4);
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).removeDetail("token_id").removeDetail("updated_refresh_token_id").error("invalid_token").assertEvent();
            setTimeOffset(6);
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(r0.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(parseRefreshToken2.getId(), sessionId).removeDetail("token_id").removeDetail("updated_refresh_token_id").error("invalid_token").assertEvent();
            setTimeOffset(0);
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(false);
        } catch (Throwable th) {
            setTimeOffset(0);
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(false);
            throw th;
        }
    }

    @Test
    public void refreshTokenReuseTokenWithRefreshTokensRevokedAfterSingleReuse() throws Exception {
        try {
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(true).refreshTokenMaxReuse(1);
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
            String sessionId = assertEvent.getSessionId();
            String str = (String) assertEvent.getDetails().get("code_id");
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
            RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken());
            this.events.expectCodeToToken(str, sessionId).assertEvent();
            setTimeOffset(2);
            RefreshToken parseRefreshToken2 = this.oauth.parseRefreshToken(this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getRefreshToken());
            Assert.assertEquals(200L, r0.getStatusCode());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).assertEvent();
            setTimeOffset(4);
            RefreshToken parseRefreshToken3 = this.oauth.parseRefreshToken(this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getRefreshToken());
            Assert.assertEquals(200L, r0.getStatusCode());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).assertEvent();
            setTimeOffset(6);
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).removeDetail("token_id").removeDetail("updated_refresh_token_id").error("invalid_token").assertEvent();
            setTimeOffset(8);
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(r0.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(parseRefreshToken2.getId(), sessionId).removeDetail("token_id").removeDetail("updated_refresh_token_id").error("invalid_token").assertEvent();
            setTimeOffset(10);
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(r0.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(parseRefreshToken3.getId(), sessionId).removeDetail("token_id").removeDetail("updated_refresh_token_id").error("invalid_token").assertEvent();
            setTimeOffset(0);
            RealmManager.realm(this.adminClient.realm("test")).refreshTokenMaxReuse(0).revokeRefreshToken(false);
        } catch (Throwable th) {
            setTimeOffset(0);
            RealmManager.realm(this.adminClient.realm("test")).refreshTokenMaxReuse(0).revokeRefreshToken(false);
            throw th;
        }
    }

    @Test
    public void refreshTokenReuseOfExistingTokenAfterEnablingReuseRevokation() throws Exception {
        try {
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
            String sessionId = assertEvent.getSessionId();
            String str = (String) assertEvent.getDetails().get("code_id");
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
            RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken());
            this.events.expectCodeToToken(str, sessionId).assertEvent();
            setTimeOffset(2);
            processExpectedValidRefresh(sessionId, parseRefreshToken, doAccessTokenRequest.getRefreshToken());
            processExpectedValidRefresh(sessionId, parseRefreshToken, doAccessTokenRequest.getRefreshToken());
            processExpectedValidRefresh(sessionId, parseRefreshToken, doAccessTokenRequest.getRefreshToken());
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(true).refreshTokenMaxReuse(1);
            processExpectedValidRefresh(sessionId, parseRefreshToken, doAccessTokenRequest.getRefreshToken());
            processExpectedValidRefresh(sessionId, parseRefreshToken, doAccessTokenRequest.getRefreshToken());
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).removeDetail("token_id").removeDetail("updated_refresh_token_id").error("invalid_token").assertEvent();
            setTimeOffset(0);
            RealmManager.realm(this.adminClient.realm("test")).refreshTokenMaxReuse(0).revokeRefreshToken(false);
        } catch (Throwable th) {
            setTimeOffset(0);
            RealmManager.realm(this.adminClient.realm("test")).refreshTokenMaxReuse(0).revokeRefreshToken(false);
            throw th;
        }
    }

    @Test
    public void refreshTokenReuseOfExistingTokenAfterDisablingReuseRevokation() throws Exception {
        try {
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(true).refreshTokenMaxReuse(1);
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
            String sessionId = assertEvent.getSessionId();
            String str = (String) assertEvent.getDetails().get("code_id");
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
            RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken());
            this.events.expectCodeToToken(str, sessionId).assertEvent();
            setTimeOffset(2);
            processExpectedValidRefresh(sessionId, parseRefreshToken, doAccessTokenRequest.getRefreshToken());
            processExpectedValidRefresh(sessionId, parseRefreshToken, doAccessTokenRequest.getRefreshToken());
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).removeDetail("token_id").removeDetail("updated_refresh_token_id").error("invalid_token").assertEvent();
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(false);
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).removeDetail("token_id").removeDetail("updated_refresh_token_id").error("invalid_token").assertEvent();
            setTimeOffset(0);
            RealmManager.realm(this.adminClient.realm("test")).refreshTokenMaxReuse(0).revokeRefreshToken(false);
        } catch (Throwable th) {
            setTimeOffset(0);
            RealmManager.realm(this.adminClient.realm("test")).refreshTokenMaxReuse(0).revokeRefreshToken(false);
            throw th;
        }
    }

    @Test
    public void refreshTokenReuseTokenWithRefreshTokensRevokedAndSSOReauthentication() throws Exception {
        try {
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(true);
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
            String sessionId = assertEvent.getSessionId();
            String str = (String) assertEvent.getDetails().get("code_id");
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
            RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken());
            this.events.expectCodeToToken(str, sessionId).assertEvent();
            setTimeOffset(2);
            RefreshToken parseRefreshToken2 = this.oauth.parseRefreshToken(this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getRefreshToken());
            Assert.assertEquals(200L, r0.getStatusCode());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).assertEvent();
            Assert.assertTrue(hasClientSessionForTestApp());
            setTimeOffset(4);
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).removeDetail("token_id").removeDetail("updated_refresh_token_id").error("invalid_token").assertEvent();
            Assert.assertFalse(hasClientSessionForTestApp());
            Assert.assertFalse(JsonSerialization.mapper.readTree(this.oauth.introspectAccessTokenWithClientCredential(AssertEvents.DEFAULT_CLIENT_ID, "password", doAccessTokenRequest.getAccessToken())).get("active").asBoolean());
            this.events.clear();
            setTimeOffset(6);
            this.oauth.openLoginForm();
            EventRepresentation assertEvent2 = this.events.expectLogin().assertEvent();
            String sessionId2 = assertEvent2.getSessionId();
            String str2 = (String) assertEvent2.getDetails().get("code_id");
            this.oauth.parseRefreshToken(this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getRefreshToken());
            this.events.expectCodeToToken(str2, sessionId2).assertEvent();
            Assert.assertTrue(hasClientSessionForTestApp());
            Assert.assertFalse(JsonSerialization.mapper.readTree(this.oauth.introspectAccessTokenWithClientCredential(AssertEvents.DEFAULT_CLIENT_ID, "password", doAccessTokenRequest.getAccessToken())).get("active").asBoolean());
            UserInfo doUserInfoRequest = this.oauth.doUserInfoRequest(doAccessTokenRequest.getAccessToken());
            Assert.assertNull(doUserInfoRequest.getSubject());
            Assert.assertEquals(doUserInfoRequest.getOtherClaims().get("error"), "invalid_token");
            this.events.clear();
            setTimeOffset(8);
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(r0.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(parseRefreshToken2.getId(), sessionId2).removeDetail("token_id").removeDetail("updated_refresh_token_id").error("invalid_token").assertEvent();
            setTimeOffset(0);
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(false);
        } catch (Throwable th) {
            setTimeOffset(0);
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(false);
            throw th;
        }
    }

    private boolean hasClientSessionForTestApp() {
        return ApiUtil.findUserByUsernameId(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getUserSessions().stream().anyMatch(userSessionRepresentation -> {
            return userSessionRepresentation.getClients().containsValue(AssertEvents.DEFAULT_CLIENT_ID);
        });
    }

    private void processExpectedValidRefresh(String str, RefreshToken refreshToken, String str2) {
        Assert.assertEquals(200L, this.oauth.doRefreshTokenRequest(str2, "password").getStatusCode());
        this.events.expectRefresh(refreshToken.getId(), str).assertEvent();
    }

    @Test
    public void refreshTokenClientDisabled() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String refreshToken = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        this.events.expectCodeToToken(str, sessionId).assertEvent();
        try {
            ClientManager.realm(this.adminClient.realm("test")).clientId(this.oauth.getClientId()).enabled(false);
            setTimeOffset(2);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password");
            Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
            Assert.assertEquals("unauthorized_client", doRefreshTokenRequest.getError());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).user((String) null).session((String) null).clearDetails().error("client_disabled").assertEvent();
            ClientManager.realm(this.adminClient.realm("test")).clientId(this.oauth.getClientId()).enabled(true);
        } catch (Throwable th) {
            ClientManager.realm(this.adminClient.realm("test")).clientId(this.oauth.getClientId()).enabled(true);
            throw th;
        }
    }

    @Test
    public void refreshTokenUserSessionExpired() {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String sessionId = this.events.expectLogin().assertEvent().getSessionId();
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        this.events.poll();
        String id = this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken()).getId();
        this.testingClient.testing().removeUserSession("test", sessionId);
        setTimeOffset(2);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password");
        Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
        Assert.assertNull(doRefreshTokenRequest.getAccessToken());
        Assert.assertNull(doRefreshTokenRequest.getRefreshToken());
        this.events.expectRefresh(id, sessionId).error("invalid_token");
        this.events.clear();
    }

    @Test
    public void refreshTokenAfterUserLogoutAndLoginAgain() {
        this.oauth.doLogout(loginAndForceNewLoginPage(), "password");
        this.events.clear();
        setTimeOffset(2);
        this.oauth.fillLoginForm(AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertFalse(this.loginPage.isCurrent());
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        setTimeOffset(4);
        Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(r0, "password").getStatusCode());
        setTimeOffset(6);
        Assert.assertEquals(200L, this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getStatusCode());
    }

    @Test
    public void refreshTokenAfterAdminLogoutAllAndLoginAgain() {
        String loginAndForceNewLoginPage = loginAndForceNewLoginPage();
        this.adminClient.realm("test").logoutAll();
        WaitUtils.pause(500L);
        this.events.clear();
        setTimeOffset(2);
        this.oauth.fillLoginForm(AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertFalse(this.loginPage.isCurrent());
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        setTimeOffset(4);
        Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(loginAndForceNewLoginPage, "password").getStatusCode());
        setTimeOffset(6);
        Assert.assertEquals(200L, this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getStatusCode());
    }

    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void refreshTokenAfterUserAdminLogoutEndpointAndLoginAgain() {
        try {
            this.adminClient.realm("test").users().get(this.oauth.parseRefreshToken(loginAndForceNewLoginPage()).getSubject()).logout();
            setTimeOffset(2);
            this.oauth.fillLoginForm(AssertEvents.DEFAULT_USERNAME, "password");
            Assert.assertFalse(this.loginPage.isCurrent());
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
            setTimeOffset(4);
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(r0, "password").getStatusCode());
            setTimeOffset(6);
            Assert.assertEquals(200L, this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getStatusCode());
            this.testingClient.server().run(keycloakSession -> {
                RealmModel realmByName = keycloakSession.realms().getRealmByName("test");
                keycloakSession.users().setNotBeforeForUser(realmByName, keycloakSession.users().getUserByUsername(realmByName, AssertEvents.DEFAULT_USERNAME), 0);
            });
        } catch (Throwable th) {
            this.testingClient.server().run(keycloakSession2 -> {
                RealmModel realmByName = keycloakSession2.realms().getRealmByName("test");
                keycloakSession2.users().setNotBeforeForUser(realmByName, keycloakSession2.users().getUserByUsername(realmByName, AssertEvents.DEFAULT_USERNAME), 0);
            });
            throw th;
        }
    }

    @Test
    public void testUserSessionRefreshAndIdle() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String sessionId = this.events.expectLogin().assertEvent().getSessionId();
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        this.events.poll();
        String id = this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken()).getId();
        int intValue = this.testingClient.testing().getLastSessionRefresh("test", sessionId, false).intValue();
        setTimeOffset(2);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password");
        this.oauth.verifyToken(doRefreshTokenRequest.getAccessToken());
        this.oauth.parseRefreshToken(doRefreshTokenRequest.getRefreshToken());
        Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
        Assert.assertNotEquals(intValue, this.testingClient.testing().getLastSessionRefresh("test", sessionId, false).intValue());
        RealmResource realm = this.adminClient.realm("test");
        int intValue2 = realm.toRepresentation().getAccessTokenLifespan().intValue();
        int intValue3 = realm.toRepresentation().getSsoSessionIdleTimeout().intValue();
        try {
            RealmManager.realm(realm).accessTokenLifespan(100000);
            setTimeOffset(4);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest2 = this.oauth.doRefreshTokenRequest(doRefreshTokenRequest.getRefreshToken(), "password");
            Assert.assertThat(Integer.valueOf(this.testingClient.testing().getLastSessionRefresh("test", sessionId, false).intValue()), Matchers.allOf(Matchers.greaterThan(Integer.valueOf(intValue)), Matchers.lessThan(Integer.valueOf(intValue + 50))));
            RealmManager.realm(realm).ssoSessionIdleTimeout(1);
            this.events.clear();
            setTimeOffset(126);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest3 = this.oauth.doRefreshTokenRequest(doRefreshTokenRequest2.getRefreshToken(), "password");
            Assert.assertEquals(400L, doRefreshTokenRequest3.getStatusCode());
            Assert.assertNull(doRefreshTokenRequest3.getAccessToken());
            Assert.assertNull(doRefreshTokenRequest3.getRefreshToken());
            this.events.expectRefresh(id, sessionId).error("invalid_token");
            RealmManager.realm(realm).ssoSessionIdleTimeout(intValue3).accessTokenLifespan(intValue2);
            this.events.clear();
            setTimeOffset(0);
        } catch (Throwable th) {
            RealmManager.realm(realm).ssoSessionIdleTimeout(intValue3).accessTokenLifespan(intValue2);
            this.events.clear();
            setTimeOffset(0);
            throw th;
        }
    }

    @Test
    public void testUserSessionRefreshAndIdleRememberMe() throws Exception {
        RealmResource realm = this.adminClient.realm("test");
        RealmRepresentation representation = realm.toRepresentation();
        Boolean isRememberMe = representation.isRememberMe();
        int intValue = representation.getSsoSessionIdleTimeoutRememberMe().intValue();
        try {
            representation.setRememberMe(true);
            realm.update(representation);
            this.oauth.doRememberMeLogin(AssertEvents.DEFAULT_USERNAME, "password");
            String sessionId = this.events.expectLogin().assertEvent().getSessionId();
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
            this.events.poll();
            String id = this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken()).getId();
            int intValue2 = this.testingClient.testing().getLastSessionRefresh("test", sessionId, false).intValue();
            setTimeOffset(2);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password");
            this.oauth.verifyToken(doRefreshTokenRequest.getAccessToken());
            this.oauth.parseRefreshToken(doRefreshTokenRequest.getRefreshToken());
            Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
            Assert.assertNotEquals(intValue2, this.testingClient.testing().getLastSessionRefresh("test", sessionId, false).intValue());
            representation.setSsoSessionIdleTimeoutRememberMe(1);
            realm.update(representation);
            this.events.clear();
            setTimeOffset(126);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest2 = this.oauth.doRefreshTokenRequest(doRefreshTokenRequest.getRefreshToken(), "password");
            Assert.assertEquals(400L, doRefreshTokenRequest2.getStatusCode());
            Assert.assertNull(doRefreshTokenRequest2.getAccessToken());
            Assert.assertNull(doRefreshTokenRequest2.getRefreshToken());
            this.events.expectRefresh(id, sessionId).error("invalid_token");
            this.events.clear();
            representation.setSsoSessionIdleTimeoutRememberMe(Integer.valueOf(intValue));
            representation.setRememberMe(isRememberMe);
            realm.update(representation);
            setTimeOffset(0);
        } catch (Throwable th) {
            representation.setSsoSessionIdleTimeoutRememberMe(Integer.valueOf(intValue));
            representation.setRememberMe(isRememberMe);
            realm.update(representation);
            setTimeOffset(0);
            throw th;
        }
    }

    @Test
    public void refreshTokenUserSessionMaxLifespan() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String sessionId = this.events.expectLogin().assertEvent().getSessionId();
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        this.events.poll();
        String id = this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken()).getId();
        RealmResource realm = this.adminClient.realm("test");
        Integer ssoSessionMaxLifespan = realm.toRepresentation().getSsoSessionMaxLifespan();
        try {
            RealmManager.realm(realm).ssoSessionMaxLifespan(1);
            setTimeOffset(2);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password");
            Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
            Assert.assertNull(doRefreshTokenRequest.getAccessToken());
            Assert.assertNull(doRefreshTokenRequest.getRefreshToken());
            this.events.expectRefresh(id, sessionId).error("invalid_token");
            RealmManager.realm(realm).ssoSessionMaxLifespan(ssoSessionMaxLifespan.intValue());
            this.events.clear();
            resetTimeOffset();
        } catch (Throwable th) {
            RealmManager.realm(realm).ssoSessionMaxLifespan(ssoSessionMaxLifespan.intValue());
            this.events.clear();
            resetTimeOffset();
            throw th;
        }
    }

    @Test
    public void refreshTokenUserSessionMaxLifespanWithRememberMe() throws Exception {
        RealmResource realm = this.adminClient.realm("test");
        RealmRepresentation representation = realm.toRepresentation();
        Boolean isRememberMe = representation.isRememberMe();
        int intValue = representation.getSsoSessionMaxLifespanRememberMe().intValue();
        try {
            representation.setRememberMe(true);
            realm.update(representation);
            this.oauth.doRememberMeLogin(AssertEvents.DEFAULT_USERNAME, "password");
            String sessionId = this.events.expectLogin().assertEvent().getSessionId();
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
            this.events.poll();
            String id = this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken()).getId();
            representation.setSsoSessionMaxLifespanRememberMe(1);
            realm.update(representation);
            setTimeOffset(2);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password");
            Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
            Assert.assertNull(doRefreshTokenRequest.getAccessToken());
            Assert.assertNull(doRefreshTokenRequest.getRefreshToken());
            this.events.expectRefresh(id, sessionId).error("invalid_token");
            this.events.clear();
            representation.setSsoSessionMaxLifespanRememberMe(Integer.valueOf(intValue));
            representation.setRememberMe(isRememberMe);
            realm.update(representation);
            setTimeOffset(0);
        } catch (Throwable th) {
            representation.setSsoSessionMaxLifespanRememberMe(Integer.valueOf(intValue));
            representation.setRememberMe(isRememberMe);
            realm.update(representation);
            setTimeOffset(0);
            throw th;
        }
    }

    @Test
    public void testCheckSsl() throws Exception {
        ResteasyClient createResteasyClient = AdminClientUtil.createResteasyClient();
        try {
            WebTarget target = createResteasyClient.target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"}));
            WebTarget target2 = createResteasyClient.target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"}));
            Response executeGrantAccessTokenRequest = executeGrantAccessTokenRequest(target);
            Assert.assertEquals(200L, executeGrantAccessTokenRequest.getStatus());
            String refreshToken = ((AccessTokenResponse) executeGrantAccessTokenRequest.readEntity(AccessTokenResponse.class)).getRefreshToken();
            executeGrantAccessTokenRequest.close();
            Response executeRefreshToken = executeRefreshToken(target2, refreshToken);
            Assert.assertEquals(200L, executeRefreshToken.getStatus());
            String refreshToken2 = ((AccessTokenResponse) executeRefreshToken.readEntity(AccessTokenResponse.class)).getRefreshToken();
            executeRefreshToken.close();
            if (!ServerURLs.AUTH_SERVER_SSL_REQUIRED) {
                RealmResource realm = this.adminClient.realm("test");
                RealmManager.realm(realm).sslRequired(SslRequired.ALL.toString());
                Response executeRefreshToken2 = executeRefreshToken(target2, refreshToken2);
                Assert.assertEquals(403L, executeRefreshToken2.getStatus());
                executeRefreshToken2.close();
                RealmManager.realm(realm).sslRequired(SslRequired.EXTERNAL.toString());
            }
            Response executeRefreshToken3 = executeRefreshToken(target2, refreshToken2);
            Assert.assertEquals(200L, executeRefreshToken3.getStatus());
            ((AccessTokenResponse) executeRefreshToken3.readEntity(AccessTokenResponse.class)).getRefreshToken();
            executeRefreshToken3.close();
            createResteasyClient.close();
            resetTimeOffset();
            this.events.clear();
        } catch (Throwable th) {
            createResteasyClient.close();
            resetTimeOffset();
            this.events.clear();
            throw th;
        }
    }

    @Test
    public void refreshTokenUserDisabled() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String refreshToken = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        this.events.expectCodeToToken(str, sessionId).assertEvent();
        try {
            UserManager.realm(this.adminClient.realm("test")).username(AssertEvents.DEFAULT_USERNAME).enabled(false);
            setTimeOffset(2);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password");
            Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
            Assert.assertEquals("invalid_grant", doRefreshTokenRequest.getError());
            this.events.expectRefresh(parseRefreshToken.getId(), sessionId).clearDetails().error("invalid_token").assertEvent();
            UserManager.realm(this.adminClient.realm("test")).username(AssertEvents.DEFAULT_USERNAME).enabled(true);
        } catch (Throwable th) {
            UserManager.realm(this.adminClient.realm("test")).username(AssertEvents.DEFAULT_USERNAME).enabled(true);
            throw th;
        }
    }

    @Test
    public void refreshTokenUserDeleted() throws Exception {
        String createUser = createUser("test", "temp-user@localhost", "password", new String[0]);
        this.oauth.doLogin("temp-user@localhost", "password");
        EventRepresentation assertEvent = this.events.expectLogin().user(createUser).assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String refreshToken = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        this.events.expectCodeToToken(str, sessionId).user(createUser).assertEvent();
        this.adminClient.realm("test").users().delete(createUser);
        setTimeOffset(2);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password");
        Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
        Assert.assertEquals("invalid_grant", doRefreshTokenRequest.getError());
        this.events.expectRefresh(parseRefreshToken.getId(), sessionId).user(createUser).clearDetails().error("invalid_token").assertEvent();
    }

    @Test
    public void refreshTokenServiceAccount() throws Exception {
        OAuthClient.AccessTokenResponse doClientCredentialsGrantAccessTokenRequest = this.oauth.clientId("service-account-app").doClientCredentialsGrantAccessTokenRequest("secret");
        Assert.assertNotNull(doClientCredentialsGrantAccessTokenRequest.getRefreshToken());
        Assert.assertNotNull(this.oauth.doRefreshTokenRequest(doClientCredentialsGrantAccessTokenRequest.getRefreshToken(), "secret").getRefreshToken());
    }

    @Test
    public void testClientSessionMaxLifespan() throws Exception {
        ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation representation = findClientByClientId.toRepresentation();
        RealmResource realm = this.adminClient.realm("test");
        RealmRepresentation representation2 = realm.toRepresentation();
        Integer ssoSessionMaxLifespan = representation2.getSsoSessionMaxLifespan();
        int intValue = representation2.getSsoSessionIdleTimeout().intValue() - 100;
        Integer clientSessionMaxLifespan = representation2.getClientSessionMaxLifespan();
        try {
            representation2.setSsoSessionMaxLifespan(Integer.valueOf(intValue));
            realm.update(representation2);
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
            Assert.assertEquals(200L, doAccessTokenRequest.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(doAccessTokenRequest.getRefreshExpiresIn(), intValue);
            representation2.setClientSessionMaxLifespan(Integer.valueOf(intValue - 100));
            realm.update(representation2);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password");
            Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(doRefreshTokenRequest.getRefreshExpiresIn(), intValue - 100);
            representation.getAttributes().put("client.session.max.lifespan", Integer.toString(intValue - 200));
            findClientByClientId.update(representation);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest2 = this.oauth.doRefreshTokenRequest(doRefreshTokenRequest.getRefreshToken(), "password");
            Assert.assertEquals(200L, doRefreshTokenRequest2.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(doRefreshTokenRequest2.getRefreshExpiresIn(), intValue - 200);
            representation2.setSsoSessionMaxLifespan(ssoSessionMaxLifespan);
            representation2.setClientSessionMaxLifespan(clientSessionMaxLifespan);
            realm.update(representation2);
            representation.getAttributes().put("client.session.max.lifespan", null);
            findClientByClientId.update(representation);
        } catch (Throwable th) {
            representation2.setSsoSessionMaxLifespan(ssoSessionMaxLifespan);
            representation2.setClientSessionMaxLifespan(clientSessionMaxLifespan);
            realm.update(representation2);
            representation.getAttributes().put("client.session.max.lifespan", null);
            findClientByClientId.update(representation);
            throw th;
        }
    }

    @Test
    public void testClientSessionIdleTimeout() throws Exception {
        ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation representation = findClientByClientId.toRepresentation();
        RealmResource realm = this.adminClient.realm("test");
        RealmRepresentation representation2 = realm.toRepresentation();
        int intValue = representation2.getSsoSessionIdleTimeout().intValue();
        Integer clientSessionIdleTimeout = representation2.getClientSessionIdleTimeout();
        try {
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
            Assert.assertEquals(200L, doAccessTokenRequest.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(doAccessTokenRequest.getRefreshExpiresIn(), intValue);
            representation2.setClientSessionIdleTimeout(Integer.valueOf(intValue - 100));
            realm.update(representation2);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password");
            Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(doRefreshTokenRequest.getRefreshExpiresIn(), intValue - 100);
            representation.getAttributes().put("client.session.idle.timeout", Integer.toString(intValue - 200));
            findClientByClientId.update(representation);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest2 = this.oauth.doRefreshTokenRequest(doRefreshTokenRequest.getRefreshToken(), "password");
            Assert.assertEquals(200L, doRefreshTokenRequest2.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(doRefreshTokenRequest2.getRefreshExpiresIn(), intValue - 200);
            representation2.setClientSessionIdleTimeout(clientSessionIdleTimeout);
            realm.update(representation2);
            representation.getAttributes().put("client.session.idle.timeout", null);
            findClientByClientId.update(representation);
        } catch (Throwable th) {
            representation2.setClientSessionIdleTimeout(clientSessionIdleTimeout);
            realm.update(representation2);
            representation.getAttributes().put("client.session.idle.timeout", null);
            findClientByClientId.update(representation);
            throw th;
        }
    }

    @Test
    public void testRefreshTokenWhenClientSessionTimeoutPassedButRealmDidNot() {
        getCleanup().addCleanup(new RealmAttributeUpdater(this.adminClient.realm("test")).setSsoSessionIdleTimeout(2592000).setSsoSessionMaxLifespan(86313600).update()).addCleanup(ClientAttributeUpdater.forClient(this.adminClient, "test", AssertEvents.DEFAULT_CLIENT_ID).setAttribute("client.session.idle.timeout", "60").setAttribute("client.session.max.lifespan", "65").update());
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        Assert.assertEquals(200L, doAccessTokenRequest.getStatusCode());
        org.keycloak.testsuite.Assert.assertExpiration(doAccessTokenRequest.getExpiresIn(), 65);
        setTimeOffset(70);
        this.oauth.openLoginForm();
        org.keycloak.testsuite.Assert.assertExpiration(this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getExpiresIn(), 65);
    }

    @Test
    public void refreshTokenRequestNoRefreshToken() {
        ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation representation = findClientByClientId.toRepresentation();
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String refreshToken = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getRefreshToken();
        setTimeOffset(2);
        representation.getAttributes().put("use.refresh.tokens", "false");
        findClientByClientId.update(representation);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password");
        Assert.assertNotNull(doRefreshTokenRequest.getAccessToken());
        Assert.assertNull(doRefreshTokenRequest.getRefreshToken());
        representation.getAttributes().put("use.refresh.tokens", "true");
        findClientByClientId.update(representation);
    }

    @Test
    public void tokenRefreshRequest_ClientRS384_RealmRS384() throws Exception {
        conductTokenRefreshRequest("HS256", "RS384", "RS384");
    }

    @Test
    public void tokenRefreshRequest_ClientRS512_RealmRS256() throws Exception {
        conductTokenRefreshRequest("HS256", "RS512", "RS256");
    }

    @Test
    public void tokenRefreshRequest_ClientES256_RealmRS256() throws Exception {
        conductTokenRefreshRequest("HS256", "ES256", "RS256");
    }

    @Test
    public void tokenRefreshRequest_ClientES384_RealmES384() throws Exception {
        conductTokenRefreshRequest("HS256", "ES384", "ES384");
    }

    @Test
    public void tokenRefreshRequest_ClientES512_RealmRS256() throws Exception {
        conductTokenRefreshRequest("HS256", "ES512", "RS256");
    }

    @Test
    public void tokenRefreshRequest_ClientPS256_RealmRS256() throws Exception {
        conductTokenRefreshRequest("HS256", "PS256", "RS256");
    }

    @Test
    public void tokenRefreshRequest_ClientPS384_RealmES384() throws Exception {
        conductTokenRefreshRequest("HS256", "PS384", "ES384");
    }

    @Test
    public void tokenRefreshRequest_ClientPS512_RealmPS256() throws Exception {
        conductTokenRefreshRequest("HS256", "PS512", "PS256");
    }

    protected Response executeRefreshToken(WebTarget webTarget, String str) {
        String createHeader = BasicAuthHelper.createHeader(AssertEvents.DEFAULT_CLIENT_ID, "password");
        Form form = new Form();
        form.param("grant_type", "refresh_token");
        form.param("refresh_token", str);
        return webTarget.request().header("Authorization", createHeader).post(Entity.form(form));
    }

    protected Response executeGrantAccessTokenRequest(WebTarget webTarget) {
        String createHeader = BasicAuthHelper.createHeader(AssertEvents.DEFAULT_CLIENT_ID, "password");
        Form form = new Form();
        form.param("grant_type", "password").param("username", AssertEvents.DEFAULT_USERNAME).param("password", "password");
        return webTarget.request().header("Authorization", createHeader).post(Entity.form(form));
    }

    private void conductTokenRefreshRequest(String str, String str2, String str3) throws Exception {
        try {
            TokenSignatureUtil.changeRealmTokenSignatureProvider(this.adminClient, str3);
            TokenSignatureUtil.changeClientAccessTokenSignatureProvider(ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID), str2);
            refreshToken(str, str2, str3);
            TokenSignatureUtil.changeRealmTokenSignatureProvider(this.adminClient, "RS256");
            TokenSignatureUtil.changeClientAccessTokenSignatureProvider(ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID), "RS256");
        } catch (Throwable th) {
            TokenSignatureUtil.changeRealmTokenSignatureProvider(this.adminClient, "RS256");
            TokenSignatureUtil.changeClientAccessTokenSignatureProvider(ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID), "RS256");
            throw th;
        }
    }

    private void refreshToken(String str, String str2, String str3) throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str4 = (String) assertEvent.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        JWSHeader header = new JWSInput(doAccessTokenRequest.getAccessToken()).getHeader();
        Assert.assertEquals(str2, header.getAlgorithm().name());
        Assert.assertEquals("JWT", header.getType());
        Assert.assertNull(header.getContentType());
        JWSHeader header2 = new JWSInput(doAccessTokenRequest.getIdToken()).getHeader();
        Assert.assertEquals(str3, header2.getAlgorithm().name());
        Assert.assertEquals("JWT", header2.getType());
        Assert.assertNull(header2.getContentType());
        JWSHeader header3 = new JWSInput(doAccessTokenRequest.getRefreshToken()).getHeader();
        Assert.assertEquals(str, header3.getAlgorithm().name());
        Assert.assertEquals("JWT", header3.getType());
        Assert.assertNull(header3.getContentType());
        AccessToken verifyToken = this.oauth.verifyToken(doAccessTokenRequest.getAccessToken());
        String refreshToken = doAccessTokenRequest.getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        EventRepresentation assertEvent2 = this.events.expectCodeToToken(str4, sessionId).assertEvent();
        Assert.assertNotNull(refreshToken);
        Assert.assertEquals("Bearer", doAccessTokenRequest.getTokenType());
        Assert.assertEquals(sessionId, parseRefreshToken.getSessionState());
        setTimeOffset(2);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password");
        if (doRefreshTokenRequest.getError() != null || doRefreshTokenRequest.getErrorDescription() != null) {
            this.log.debugf("Refresh token error: %s, error description: %s", doRefreshTokenRequest.getError(), doRefreshTokenRequest.getErrorDescription());
        }
        AccessToken verifyToken2 = this.oauth.verifyToken(doRefreshTokenRequest.getAccessToken());
        RefreshToken parseRefreshToken2 = this.oauth.parseRefreshToken(doRefreshTokenRequest.getRefreshToken());
        Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
        Assert.assertEquals(sessionId, verifyToken2.getSessionState());
        Assert.assertEquals(sessionId, parseRefreshToken2.getSessionState());
        Assert.assertNotEquals(verifyToken.getId(), verifyToken2.getId());
        Assert.assertNotEquals(parseRefreshToken.getId(), parseRefreshToken2.getId());
        Assert.assertEquals("Bearer", doRefreshTokenRequest.getTokenType());
        Assert.assertEquals(ApiUtil.findUserByUsername(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getId(), verifyToken2.getSubject());
        Assert.assertNotEquals(AssertEvents.DEFAULT_USERNAME, verifyToken2.getSubject());
        EventRepresentation assertEvent3 = this.events.expectRefresh((String) assertEvent2.getDetails().get("refresh_token_id"), sessionId).assertEvent();
        Assert.assertNotEquals(assertEvent2.getDetails().get("token_id"), assertEvent3.getDetails().get("token_id"));
        Assert.assertNotEquals(assertEvent2.getDetails().get("refresh_token_id"), assertEvent3.getDetails().get("updated_refresh_token_id"));
        setTimeOffset(0);
    }

    private String loginAndForceNewLoginPage() {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String sessionId = this.events.expectLogin().assertEvent().getSessionId();
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        this.events.poll();
        String refreshToken = doAccessTokenRequest.getRefreshToken();
        processExpectedValidRefresh(sessionId, this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken()), refreshToken);
        setTimeOffset(1);
        this.driver.navigate().to(UriBuilder.fromUri(this.oauth.getLoginFormUrl()).queryParam("prompt", new Object[]{"login"}).build(new Object[0]).toString());
        this.loginPage.assertCurrent();
        return refreshToken;
    }

    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        boolean z = -1;
        switch (implMethodName.hashCode()) {
            case -221610329:
                if (implMethodName.equals("lambda$refreshTokenAfterUserAdminLogoutEndpointAndLoginAgain$26a8868a$1")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/oauth/RefreshTokenTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return keycloakSession2 -> {
                        RealmModel realmByName = keycloakSession2.realms().getRealmByName("test");
                        keycloakSession2.users().setNotBeforeForUser(realmByName, keycloakSession2.users().getUserByUsername(realmByName, AssertEvents.DEFAULT_USERNAME), 0);
                    };
                }
                break;
        }
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }
}
