package org.keycloak.testsuite.client;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.core.Response;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.impl.client.CloseableHttpClient;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventType;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelRequest;
import org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelResponse;
import org.keycloak.protocol.oidc.grants.ciba.clientpolicy.executor.SecureCibaSignedAuthenticationRequestExecutor;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.representations.oidc.TokenMetadataRepresentation;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.oauth.OAuthGrantTest;
import org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest;
import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.util.ClientPoliciesUtil;
import org.keycloak.testsuite.util.InfinispanTestTimeServiceRule;
import org.keycloak.testsuite.util.KeycloakModelUtils;
import org.keycloak.testsuite.util.MutualTLSUtils;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.JsonSerialization;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
/* loaded from: input_file:org/keycloak/testsuite/client/CIBATest.class */
public class CIBATest extends AbstractClientPoliciesTest {
    private static final String TEST_USER_NAME = "test-user@localhost";
    private static final String ERR_MSG_CLIENT_REG_FAIL = "Failed to send request";
    private String cibaBackchannelTokenDeliveryMode;
    private Integer cibaExpiresIn;
    private Integer cibaInterval;
    private String cibaAuthRequestedUserHint;
    private final String SECOND_TEST_CLIENT_NAME = "test-second-client";
    private final String SECOND_TEST_CLIENT_SECRET = "passwort-test-second-client";

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Rule
    public InfinispanTestTimeServiceRule ispnTestTimeService = new InfinispanTestTimeServiceRule(this);
    private final String TEST_REALM_NAME = "test";
    private final String TEST_CLIENT_NAME = AssertEvents.DEFAULT_CLIENT_ID;
    private final String TEST_CLIENT_PASSWORD = "password";

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation realmRepresentation = (RealmRepresentation) AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
        realmRepresentation.getUsers().add(UserBuilder.create().username("nutzername-schwarz").email("schwarz@test.example.com").enabled(true).password("passwort-schwarz").addRoles("user", "offline_access").build());
        realmRepresentation.getUsers().add(UserBuilder.create().username("nutzername-rot").email("rot@test.example.com").enabled(true).password("passwort-rot").addRoles("user", "offline_access").build());
        realmRepresentation.getUsers().add(UserBuilder.create().username("nutzername-gelb").email("gelb@test.example.com").enabled(true).password("passwort-gelb").addRoles("user", "offline_access").build());
        realmRepresentation.getUsers().add(UserBuilder.create().username("nutzername-deaktiviert").email("deaktiviert@test.example.com").enabled(false).password("passwort-deaktiviert").addRoles("user", "offline_access").build());
        ClientRepresentation createClient = KeycloakModelUtils.createClient(realmRepresentation, "test-second-client");
        createClient.setSecret("passwort-test-second-client");
        createClient.setServiceAccountsEnabled(Boolean.TRUE);
        list.add(realmRepresentation);
    }

    @Test
    public void testAttackerClientUseVictimAuthReqIdAttack() throws Exception {
        ClientResource clientResource = null;
        ClientResource clientResource2 = null;
        ClientRepresentation clientRepresentation = null;
        ClientRepresentation clientRepresentation2 = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), "test-app-scope");
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            clientResource2 = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation2 = clientResource2.toRepresentation();
            prepareCIBASettings(clientResource2, clientRepresentation2);
            String authReqId = doBackchannelAuthenticationRequest("test-app-scope", "password", "nutzername-gelb", "asdfghjkl").getAuthReqId();
            doAuthenticationChannelCallback(doAuthenticationChannelRequest("asdfghjkl"));
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", authReqId);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is(Matchers.equalTo("invalid_grant")));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getErrorDescription(), Matchers.is(Matchers.equalTo("unauthorized client")));
            revertCIBASettings(clientResource, clientRepresentation);
            revertCIBASettings(clientResource2, clientRepresentation2);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            revertCIBASettings(clientResource2, clientRepresentation2);
            throw th;
        }
    }

    @Test
    public void testAttackerClientUseAuthReqIdInCallbackEndpoint() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "BASTION");
            MatcherAssert.assertThat(Integer.valueOf(this.oauth.doAuthenticationChannelCallback(doBackchannelAuthenticationRequest.getAuthReqId(), AuthenticationChannelResponse.Status.SUCCEED)), Matchers.is(Matchers.equalTo(403)));
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is(Matchers.equalTo("authorization_pending")));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testAuthenticationChannelUnexpectedError() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            this.oauth.scope("offline_access");
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "GODOWN", (String) null);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(503)));
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is(Matchers.equalTo("invalid_grant")));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getErrorDescription(), Matchers.is(Matchers.equalTo("Invalid Auth Req ID")));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testBackchannelAuthnReqWithDeactivatedUser() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            this.oauth.scope("offline_access");
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-deaktiviert", (String) null, "acr2");
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getError(), Matchers.is("invalid_request"));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testBackchannelAuthnReqWithUnknownUser() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            this.oauth.scope("offline_access");
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "Unbekannt", "BASTION", "urn:mace:incommon:iap:silver urn:mace:incommon:iap:gold");
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getError(), Matchers.is("invalid_request"));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testBackchannelAuthnReqWithoutLoginHint() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            this.oauth.scope("offline_access");
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", (String) null, "BASTION", "ACR1");
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getError(), Matchers.is("invalid_request"));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testLoginHintTokenRequiredButNotSend() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            RealmRepresentation backupCIBAPolicy = backupCIBAPolicy();
            Map map = (Map) Optional.ofNullable(backupCIBAPolicy.getAttributes()).orElse(new HashMap());
            map.put("cibaAuthRequestedUserHint", "login_hint_token");
            backupCIBAPolicy.setAttributes(map);
            testRealm().update(backupCIBAPolicy);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-schwarz", (String) null, (String) null);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getError(), Matchers.is("invalid_request"));
            revertCIBASettings(clientResource, clientRepresentation);
            restoreCIBAPolicy();
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            restoreCIBAPolicy();
            throw th;
        }
    }

    @Test
    @Ignore("Should never happen because the AD does not send any information about the user but only the status of the authentication")
    public void testDifferentUserAuthenticated() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            this.oauth.scope("offline_access");
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "BASTION");
            MatcherAssert.assertThat(doAuthenticationChannelRequest("BASTION").getRequest().getScope(), Matchers.is(Matchers.containsString("offline_access")));
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is("invalid_grant"));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testTokenRevocation() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            this.oauth.scope("offline_access");
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "BASTION");
            TestAuthenticationChannelRequest doAuthenticationChannelRequest = doAuthenticationChannelRequest("BASTION");
            MatcherAssert.assertThat(doAuthenticationChannelRequest.getRequest().getScope(), Matchers.is(Matchers.containsString("offline_access")));
            EventRepresentation doAuthenticationChannelCallback = doAuthenticationChannelCallback(doAuthenticationChannelRequest);
            String sessionId = doAuthenticationChannelCallback.getSessionId();
            String userId = doAuthenticationChannelCallback.getUserId();
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = doBackchannelAuthenticationTokenRequest("nutzername-rot", doBackchannelAuthenticationRequest.getAuthReqId());
            doIntrospectAccessTokenWithClientCredential(doBackchannelAuthenticationTokenRequest, "nutzername-rot");
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = doRefreshTokenRequest(doBackchannelAuthenticationTokenRequest.getRefreshToken(), "nutzername-rot", sessionId, true);
            doIntrospectAccessTokenWithClientCredential(doRefreshTokenRequest, "nutzername-rot");
            doTokenRevokeByRefreshToken(doRefreshTokenRequest.getRefreshToken(), sessionId, userId, true);
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testChangeInterval() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-schwarz", "lbies8e").getInterval()), Matchers.is(Matchers.equalTo(5)));
            doAuthenticationChannelRequest("lbies8e");
            RealmRepresentation backupCIBAPolicy = backupCIBAPolicy();
            Map map = (Map) Optional.ofNullable(backupCIBAPolicy.getAttributes()).orElse(new HashMap());
            map.put("cibaExpiresIn", String.valueOf(1200));
            map.put("cibaInterval", String.valueOf(10));
            backupCIBAPolicy.setAttributes(map);
            testRealm().update(backupCIBAPolicy);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "Keb9eser").getInterval()), Matchers.is(Matchers.equalTo(10)));
            doAuthenticationChannelRequest("Keb9eser");
            revertCIBASettings(clientResource, clientRepresentation);
            restoreCIBAPolicy();
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            restoreCIBAPolicy();
            throw th;
        }
    }

    @Test
    public void testAccessThrottling() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            RealmRepresentation backupCIBAPolicy = backupCIBAPolicy();
            Map map = (Map) Optional.ofNullable(backupCIBAPolicy.getAttributes()).orElse(new HashMap());
            map.put("cibaInterval", String.valueOf(3));
            backupCIBAPolicy.setAttributes(map);
            testRealm().update(backupCIBAPolicy);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "BASTION");
            TestAuthenticationChannelRequest doAuthenticationChannelRequest = doAuthenticationChannelRequest("BASTION");
            MatcherAssert.assertThat(doAuthenticationChannelRequest.getRequest().getBindingMessage(), Matchers.is(Matchers.equalTo("BASTION")));
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is("authorization_pending"));
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest2 = this.oauth.doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest2.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest2.getError(), Matchers.is("slow_down"));
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest3 = this.oauth.doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest3.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest3.getError(), Matchers.is("slow_down"));
            EventRepresentation doAuthenticationChannelCallback = doAuthenticationChannelCallback(doAuthenticationChannelRequest);
            String sessionId = doAuthenticationChannelCallback.getSessionId();
            String userId = doAuthenticationChannelCallback.getUserId();
            setTimeOffset(3);
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest4 = doBackchannelAuthenticationTokenRequest("nutzername-rot", doBackchannelAuthenticationRequest.getAuthReqId());
            doIntrospectAccessTokenWithClientCredential(doBackchannelAuthenticationTokenRequest4, "nutzername-rot");
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = doRefreshTokenRequest(doBackchannelAuthenticationTokenRequest4.getRefreshToken(), "nutzername-rot", sessionId, false);
            doIntrospectAccessTokenWithClientCredential(doRefreshTokenRequest, "nutzername-rot");
            doTokenRevokeByRefreshToken(doRefreshTokenRequest.getRefreshToken(), sessionId, userId, false);
            revertCIBASettings(clientResource, clientRepresentation);
            restoreCIBAPolicy();
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            restoreCIBAPolicy();
            throw th;
        }
    }

    @Test
    public void testTokenRequestAfterIntervalButNotYetAuthenticated() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            RealmRepresentation backupCIBAPolicy = backupCIBAPolicy();
            Map map = (Map) Optional.ofNullable(backupCIBAPolicy.getAttributes()).orElse(new HashMap());
            map.put("cibaInterval", String.valueOf(5));
            backupCIBAPolicy.setAttributes(map);
            testRealm().update(backupCIBAPolicy);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "BASTION");
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is("authorization_pending"));
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest2 = this.oauth.doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest2.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest2.getError(), Matchers.is("slow_down"));
            TestAuthenticationChannelRequest doAuthenticationChannelRequest = doAuthenticationChannelRequest("BASTION");
            MatcherAssert.assertThat(doAuthenticationChannelRequest.getRequest().getBindingMessage(), Matchers.is(Matchers.equalTo("BASTION")));
            EventRepresentation doAuthenticationChannelCallback = doAuthenticationChannelCallback(doAuthenticationChannelRequest);
            String sessionId = doAuthenticationChannelCallback.getSessionId();
            String userId = doAuthenticationChannelCallback.getUserId();
            setTimeOffset(5);
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest3 = doBackchannelAuthenticationTokenRequest("nutzername-rot", doBackchannelAuthenticationRequest.getAuthReqId());
            doIntrospectAccessTokenWithClientCredential(doBackchannelAuthenticationTokenRequest3, "nutzername-rot");
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = doRefreshTokenRequest(doBackchannelAuthenticationTokenRequest3.getRefreshToken(), "nutzername-rot", sessionId, false);
            doIntrospectAccessTokenWithClientCredential(doRefreshTokenRequest, "nutzername-rot");
            doTokenRevokeByRefreshToken(doRefreshTokenRequest.getRefreshToken(), sessionId, userId, false);
            revertCIBASettings(clientResource, clientRepresentation);
            restoreCIBAPolicy();
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            restoreCIBAPolicy();
            throw th;
        }
    }

    @Test
    public void testCIBAPolicy() {
        try {
            RealmRepresentation backupCIBAPolicy = backupCIBAPolicy();
            Map map = (Map) Optional.ofNullable(backupCIBAPolicy.getAttributes()).orElse(new HashMap());
            map.put("cibaBackchannelTokenDeliveryMode", null);
            map.put("cibaExpiresIn", null);
            map.put("cibaInterval", null);
            map.put("cibaAuthRequestedUserHint", null);
            backupCIBAPolicy.setAttributes(map);
            testRealm().update(backupCIBAPolicy);
            Map map2 = (Map) Optional.ofNullable(testRealm().toRepresentation().getAttributes()).orElse(new HashMap());
            MatcherAssert.assertThat(map2.get("cibaBackchannelTokenDeliveryMode"), Matchers.is(Matchers.equalTo("poll")));
            MatcherAssert.assertThat(Integer.valueOf(Integer.parseInt((String) map2.get("cibaExpiresIn"))), Matchers.is(Matchers.equalTo(120)));
            MatcherAssert.assertThat(Integer.valueOf(Integer.parseInt((String) map2.get("cibaInterval"))), Matchers.is(Matchers.equalTo(5)));
            MatcherAssert.assertThat(map2.get("cibaAuthRequestedUserHint"), Matchers.is(Matchers.equalTo("login_hint")));
            RealmRepresentation backupCIBAPolicy2 = backupCIBAPolicy();
            Map map3 = (Map) Optional.ofNullable(backupCIBAPolicy2.getAttributes()).orElse(new HashMap());
            map3.put("cibaBackchannelTokenDeliveryMode", "poll");
            map3.put("cibaExpiresIn", String.valueOf(736));
            map3.put("cibaInterval", String.valueOf(7));
            map3.put("cibaAuthRequestedUserHint", "login_hint");
            backupCIBAPolicy2.setAttributes(map3);
            testRealm().update(backupCIBAPolicy2);
            testRealm().toRepresentation();
            MatcherAssert.assertThat(map3.get("cibaBackchannelTokenDeliveryMode"), Matchers.is(Matchers.equalTo("poll")));
            MatcherAssert.assertThat(Integer.valueOf(Integer.parseInt((String) map3.get("cibaExpiresIn"))), Matchers.is(Matchers.equalTo(736)));
            MatcherAssert.assertThat(Integer.valueOf(Integer.parseInt((String) map3.get("cibaInterval"))), Matchers.is(Matchers.equalTo(7)));
            MatcherAssert.assertThat(map3.get("cibaAuthRequestedUserHint"), Matchers.is(Matchers.equalTo("login_hint")));
        } finally {
            restoreCIBAPolicy();
        }
    }

    @Test
    public void testBackchannelAuthenticationFlow() throws Exception {
        testBackchannelAuthenticationFlow(false);
    }

    @Test
    public void testBackchannelAuthenticationFlowOfflineAccess() throws Exception {
        testBackchannelAuthenticationFlow(true);
    }

    @Test
    public void testBackchannelAuthenticationFlowWithoutBindingMessage() throws Exception {
        testBackchannelAuthenticationFlow(false, null);
    }

    @Test
    public void testBackchannelAuthenticationFlowOfflineAccessWithoutBindingMessage() throws Exception {
        testBackchannelAuthenticationFlow(true, null);
    }

    @Test
    public void testBackchannelClientValidations() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            ClientRepresentation representation = clientResource.toRepresentation();
            Map map = (Map) Optional.ofNullable(representation.getAttributes()).orElse(new HashMap());
            try {
                map.put("ciba.backchannel.token.delivery.mode", "ping");
                map.put("ciba.backchannel.client.notification.endpoint", null);
                map.put("oidc.ciba.grant.enabled", Boolean.TRUE.toString());
                representation.setAttributes(map);
                clientResource.update(representation);
                Assert.fail("Not expected to successfully update client");
            } catch (BadRequestException e) {
            }
            map.put("ciba.backchannel.client.notification.endpoint", TestApplicationResourceUrls.cibaClientNotificationEndpointUri());
            clientResource.update(representation);
            ClientRepresentation representation2 = clientResource.toRepresentation();
            Map map2 = (Map) Optional.ofNullable(representation2.getAttributes()).orElse(new HashMap());
            Assert.assertEquals("ping", map2.get("ciba.backchannel.token.delivery.mode"));
            Assert.assertEquals(TestApplicationResourceUrls.cibaClientNotificationEndpointUri(), map2.get("ciba.backchannel.client.notification.endpoint"));
            try {
                map2.put("ciba.backchannel.token.delivery.mode", "push");
                clientResource.update(representation2);
                Assert.fail("Not expected to successfully update client");
            } catch (BadRequestException e2) {
            }
            try {
                map2.put("ciba.backchannel.token.delivery.mode", "ping");
                map2.put("ciba.backchannel.auth.request.signing.alg", "HS256");
                clientResource.update(representation2);
                Assert.fail("Not expected to successfully update client");
            } catch (BadRequestException e3) {
            }
            map2.put("ciba.backchannel.auth.request.signing.alg", "PS256");
            clientResource.update(representation2);
            clientRepresentation = clientResource.toRepresentation();
            Map map3 = (Map) Optional.ofNullable(clientRepresentation.getAttributes()).orElse(new HashMap());
            Assert.assertEquals("PS256", map3.get("ciba.backchannel.auth.request.signing.alg"));
            map3.remove("ciba.backchannel.auth.request.signing.alg");
            clientResource.update(clientRepresentation);
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testPingMode_requestWithInvalidClientNotificationShouldFail() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation, "ping");
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "BASTION_PING", (String) null, (String) null, Collections.emptyMap());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getError(), Matchers.is("invalid_request"));
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest2 = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "BASTION_PING", (String) null, "123456789123456789123465789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789_123456789123456789123465789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789_123456789123456789123465789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789_123456789123456789123465789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789_123456789123456789123465789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789_123456789123456789123465789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789_123456789123456789123465789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789_123456789123456789123465789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789_123456789123456789123465789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789_123456789123456789123465789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789_123456789123456789123465789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789_123456789123456789123465789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789", Collections.emptyMap());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest2.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest2.getError(), Matchers.is("invalid_request"));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testPingModeSuccess() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            HashMap hashMap = new HashMap();
            hashMap.put("user_device", "mobile");
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation, "ping");
            long currentTime = Time.currentTime();
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "BASTION_PING", "client-notification-token-1", hashMap);
            Assert.assertTrue(doBackchannelAuthenticationRequest.getInterval() > 0);
            TestAuthenticationChannelRequest doAuthenticationChannelRequest = doAuthenticationChannelRequest("BASTION_PING");
            AuthenticationChannelRequest request = doAuthenticationChannelRequest.getRequest();
            MatcherAssert.assertThat(request.getBindingMessage(), Matchers.is(Matchers.equalTo("BASTION_PING")));
            MatcherAssert.assertThat(request.getScope(), Matchers.is(Matchers.containsString("openid")));
            MatcherAssert.assertThat(request.getAdditionalParameters().get("user_device"), Matchers.is(Matchers.equalTo("mobile")));
            Assert.assertNull(this.testingClient.testApp().oidcClientEndpoints().getPushedCibaClientNotification("client-notification-token-1").getAuthReqId());
            EventRepresentation doAuthenticationChannelCallback = doAuthenticationChannelCallback(doAuthenticationChannelRequest);
            String sessionId = doAuthenticationChannelCallback.getSessionId();
            String userId = doAuthenticationChannelCallback.getUserId();
            Assert.assertEquals(this.testingClient.testApp().oidcClientEndpoints().getPushedCibaClientNotification("client-notification-token-1").getAuthReqId(), doBackchannelAuthenticationRequest.getAuthReqId());
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = doBackchannelAuthenticationTokenRequest("nutzername-rot", doBackchannelAuthenticationRequest.getAuthReqId());
            IDToken verifyIDToken = this.oauth.verifyIDToken(doBackchannelAuthenticationTokenRequest.getIdToken());
            long currentTime2 = Time.currentTime();
            long longValue = verifyIDToken.getAuth_time().longValue();
            Assert.assertTrue(currentTime - 5 <= longValue);
            Assert.assertTrue(longValue <= currentTime2 + 5);
            doIntrospectAccessTokenWithClientCredential(doBackchannelAuthenticationTokenRequest, "nutzername-rot");
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = doRefreshTokenRequest(doBackchannelAuthenticationTokenRequest.getRefreshToken(), "nutzername-rot", sessionId, false);
            doIntrospectAccessTokenWithClientCredential(doRefreshTokenRequest, "nutzername-rot");
            doLogoutByRefreshToken(doRefreshTokenRequest.getRefreshToken(), sessionId, userId, false);
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testPingMode_clientNotificationSentEvenForUserCancel() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation, "ping");
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "kwq26rfjs73", "client-notification-some", Collections.emptyMap());
            doAuthenticationChannelCallbackError(Response.Status.OK, AssertEvents.DEFAULT_CLIENT_ID, doAuthenticationChannelRequest("kwq26rfjs73"), AuthenticationChannelResponse.Status.CANCELLED, "nutzername-rot", "not_allowed");
            Assert.assertEquals(this.testingClient.testApp().oidcClientEndpoints().getPushedCibaClientNotification("client-notification-some").getAuthReqId(), doBackchannelAuthenticationRequest.getAuthReqId());
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest("password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(Integer.valueOf(Response.Status.BAD_REQUEST.getStatusCode()))));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is("access_denied"));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testMultipleUsersBackchannelAuthenticationFlows() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            String authReqId = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-schwarz", "Pjb9eD8w").getAuthReqId();
            EventRepresentation doAuthenticationChannelCallback = doAuthenticationChannelCallback(doAuthenticationChannelRequest("Pjb9eD8w"));
            doAuthenticationChannelCallback.getSessionId();
            String authReqId2 = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "dEkg8vDdsl").getAuthReqId();
            EventRepresentation doAuthenticationChannelCallback2 = doAuthenticationChannelCallback(doAuthenticationChannelRequest("dEkg8vDdsl"));
            doAuthenticationChannelCallback2.getSessionId();
            doBackchannelAuthenticationTokenRequest("nutzername-rot", authReqId2);
            doBackchannelAuthenticationTokenRequest("nutzername-schwarz", authReqId);
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testExplicitConsentRequiredBackchannelAuthenticationFlows() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), OAuthGrantTest.THIRD_PARTY_APP);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            String authReqId = doBackchannelAuthenticationRequest(OAuthGrantTest.THIRD_PARTY_APP, "password", "nutzername-gelb", "asdfghjkl").getAuthReqId();
            TestAuthenticationChannelRequest doAuthenticationChannelRequest = doAuthenticationChannelRequest("asdfghjkl");
            Assert.assertTrue(doAuthenticationChannelRequest.getRequest().getConsentRequired().booleanValue());
            MatcherAssert.assertThat(doAuthenticationChannelRequest.getRequest().getScope(), Matchers.is(Matchers.containsString("openid")));
            MatcherAssert.assertThat(doAuthenticationChannelRequest.getRequest().getScope(), Matchers.is(Matchers.containsString("email")));
            MatcherAssert.assertThat(doAuthenticationChannelRequest.getRequest().getScope(), Matchers.is(Matchers.containsString("profile")));
            MatcherAssert.assertThat(doAuthenticationChannelRequest.getRequest().getScope(), Matchers.is(Matchers.containsString("roles")));
            EventRepresentation doAuthenticationChannelCallback = doAuthenticationChannelCallback(doAuthenticationChannelRequest);
            doAuthenticationChannelCallback.getSessionId();
            doBackchannelAuthenticationTokenRequest(OAuthGrantTest.THIRD_PARTY_APP, "password", "nutzername-gelb", authReqId);
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testMultipleClientsBackchannelAuthenticationFlows() throws Exception {
        ClientResource clientResource = null;
        ClientResource clientResource2 = null;
        ClientRepresentation clientRepresentation = null;
        ClientRepresentation clientRepresentation2 = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), "test-app-scope");
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            clientResource2 = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource2, Matchers.notNullValue());
            clientRepresentation2 = clientResource2.toRepresentation();
            prepareCIBASettings(clientResource2, clientRepresentation2);
            String authReqId = doBackchannelAuthenticationRequest("test-app-scope", "password", "nutzername-gelb", "asdfghjkl").getAuthReqId();
            doAuthenticationChannelCallback(doAuthenticationChannelRequest("asdfghjkl"));
            String authReqId2 = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-gelb", "qwertyui").getAuthReqId();
            doAuthenticationChannelCallback(doAuthenticationChannelRequest("qwertyui"));
            doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-gelb", authReqId2);
            doBackchannelAuthenticationTokenRequest("test-app-scope", "password", "nutzername-gelb", authReqId);
            revertCIBASettings(clientResource, clientRepresentation);
            revertCIBASettings(clientResource2, clientRepresentation2);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            revertCIBASettings(clientResource2, clientRepresentation2);
            throw th;
        }
    }

    @Test
    public void testRequestTokenBeforeAuthenticationNotCompleted() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "kvoDKw98");
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest("password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is("authorization_pending"));
            doAuthenticationChannelCallback(doAuthenticationChannelRequest("kvoDKw98"));
            setTimeOffset(6);
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest2 = this.oauth.doBackchannelAuthenticationTokenRequest("password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest2.getStatusCode()), Matchers.is(Matchers.equalTo(200)));
            MatcherAssert.assertThat(this.oauth.verifyIDToken(doBackchannelAuthenticationTokenRequest2.getIdToken()).getPreferredUsername(), Matchers.is(Matchers.equalTo("nutzername-rot")));
            MatcherAssert.assertThat(this.oauth.verifyToken(doBackchannelAuthenticationTokenRequest2.getAccessToken()), Matchers.notNullValue());
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testRequestTokenAfterAuthReqIdExpired() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            RealmRepresentation backupCIBAPolicy = backupCIBAPolicy();
            Map map = (Map) Optional.ofNullable(backupCIBAPolicy.getAttributes()).orElse(new HashMap());
            map.put("cibaExpiresIn", String.valueOf(60));
            backupCIBAPolicy.setAttributes(map);
            testRealm().update(backupCIBAPolicy);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "obkes8dke1");
            doAuthenticationChannelCallback(doAuthenticationChannelRequest("obkes8dke1"));
            setTimeOffset(70);
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest("password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is("expired_token"));
            revertCIBASettings(clientResource, clientRepresentation);
            restoreCIBAPolicy();
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            restoreCIBAPolicy();
            throw th;
        }
    }

    @Test
    public void testCallbackAfterAuthenticationRequestExpired() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            RealmRepresentation backupCIBAPolicy = backupCIBAPolicy();
            Map map = (Map) Optional.ofNullable(backupCIBAPolicy.getAttributes()).orElse(new HashMap());
            map.put("cibaExpiresIn", String.valueOf(60));
            backupCIBAPolicy.setAttributes(map);
            testRealm().update(backupCIBAPolicy);
            doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "3FIekcs9");
            TestAuthenticationChannelRequest doAuthenticationChannelRequest = doAuthenticationChannelRequest("3FIekcs9");
            setTimeOffset(70);
            MatcherAssert.assertThat(Integer.valueOf(this.oauth.doAuthenticationChannelCallback(doAuthenticationChannelRequest.getBearerToken(), AuthenticationChannelResponse.Status.SUCCEED)), Matchers.is(Matchers.equalTo(Integer.valueOf(Response.Status.FORBIDDEN.getStatusCode()))));
            this.events.expect(EventType.LOGIN_ERROR).clearDetails().client((String) null).error("invalid_token").user((String) null).session(CoreMatchers.nullValue(String.class)).assertEvent();
            revertCIBASettings(clientResource, clientRepresentation);
            restoreCIBAPolicy();
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            restoreCIBAPolicy();
            throw th;
        }
    }

    @Test
    public void testDuplicatedTokenRequestWithSameAuthReqId() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-gelb", "kciwje86");
            doAuthenticationChannelCallback(doAuthenticationChannelRequest("kciwje86"));
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest("password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(200)));
            MatcherAssert.assertThat(this.oauth.verifyIDToken(doBackchannelAuthenticationTokenRequest.getIdToken()).getPreferredUsername(), Matchers.is(Matchers.equalTo("nutzername-gelb")));
            this.oauth.verifyToken(doBackchannelAuthenticationTokenRequest.getAccessToken());
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest2 = this.oauth.doBackchannelAuthenticationTokenRequest("password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest2.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest2.getError(), Matchers.is("invalid_grant"));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testOtherClientSendTokenRequest() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "ldkq366");
            doAuthenticationChannelCallback(doAuthenticationChannelRequest("ldkq366"));
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest("test-second-client", "passwort-test-second-client", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is("invalid_grant"));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testAuthenticationChannelUnauthorized() throws Exception {
        testAuthenticationChannelErrorCase(Response.Status.OK, Response.Status.BAD_REQUEST, AuthenticationChannelResponse.Status.UNAUTHORIZED, "access_denied", "consent_denied");
    }

    @Test
    public void testAuthenticationChannelCancelled() throws Exception {
        testAuthenticationChannelErrorCase(Response.Status.OK, Response.Status.BAD_REQUEST, AuthenticationChannelResponse.Status.CANCELLED, "access_denied", "not_allowed");
    }

    @Test
    public void testAuthenticationChannelUnknown() throws Exception {
        testAuthenticationChannelErrorCase(Response.Status.BAD_REQUEST, Response.Status.BAD_REQUEST, null, "authorization_pending", "invalid_request");
    }

    @Test
    public void testInvalidConsumptionDeviceRegistration() throws Exception {
        try {
            createClientDynamically("invalid-CIBA-CD", oIDCClientRepresentation -> {
                oIDCClientRepresentation.setBackchannelTokenDeliveryMode("pushpush");
            });
            Assert.fail();
        } catch (ClientRegistrationException e) {
            Assert.assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
        }
    }

    @Test
    public void testCibaGrantDeactivated() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(findClientByClientId, Matchers.notNullValue());
            ClientRepresentation representation = findClientByClientId.toRepresentation();
            Map map = (Map) Optional.ofNullable(representation.getAttributes()).orElse(new HashMap());
            map.put("ciba.backchannel.token.delivery.mode", "poll");
            map.put("oidc.ciba.grant.enabled", null);
            map.put("ciba.backchannel.auth.request.signing.alg", "RS256");
            representation.setAttributes(map);
            findClientByClientId.update(representation);
            ClientRepresentation representation2 = findClientByClientId.toRepresentation();
            Assert.assertNull(representation2.getAttributes().get("oidc.ciba.grant.enabled"));
            Assert.assertThat(representation2.getAttributes().get("ciba.backchannel.auth.request.signing.alg"), Matchers.is("RS256"));
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "gilwekDe3", "acr2");
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(401)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getError(), Matchers.is("invalid_grant"));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getErrorDescription(), Matchers.is("Client not allowed OIDC CIBA Grant"));
            ClientResource findClientByClientId2 = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(findClientByClientId2, Matchers.notNullValue());
            ClientRepresentation representation3 = findClientByClientId2.toRepresentation();
            Map attributes = representation3.getAttributes();
            attributes.put("oidc.ciba.grant.enabled", Boolean.TRUE.toString());
            attributes.put("ciba.backchannel.auth.request.signing.alg", "ES256");
            representation3.setAttributes(attributes);
            findClientByClientId2.update(representation3);
            ClientRepresentation representation4 = findClientByClientId2.toRepresentation();
            Assert.assertThat(representation4.getAttributes().get("oidc.ciba.grant.enabled"), Matchers.is(Boolean.TRUE.toString()));
            Assert.assertThat(representation4.getAttributes().get("ciba.backchannel.auth.request.signing.alg"), Matchers.is("ES256"));
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest2 = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "Fkb4T3s");
            doAuthenticationChannelCallback(doAuthenticationChannelRequest("Fkb4T3s"));
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            ClientRepresentation representation5 = clientResource.toRepresentation();
            Map attributes2 = representation5.getAttributes();
            attributes2.put("oidc.ciba.grant.enabled", Boolean.FALSE.toString());
            attributes2.put("ciba.backchannel.auth.request.signing.alg", "none");
            representation5.setAttributes(attributes2);
            clientResource.update(representation5);
            clientRepresentation = clientResource.toRepresentation();
            Assert.assertThat(clientRepresentation.getAttributes().get("oidc.ciba.grant.enabled"), Matchers.is(Boolean.FALSE.toString()));
            Assert.assertThat(clientRepresentation.getAttributes().get("ciba.backchannel.auth.request.signing.alg"), Matchers.is("none"));
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest("test-second-client", "passwort-test-second-client", doBackchannelAuthenticationRequest2.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is("invalid_grant"));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getErrorDescription(), Matchers.is("Client not allowed OIDC CIBA Grant"));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    @Test
    public void testCibaGrantSettingByDynamicClientRegistration() throws Exception {
        String createClientDynamically = createClientDynamically(generateSuffixedName("valid-CIBA-CD"), oIDCClientRepresentation -> {
        });
        OIDCClientRepresentation clientDynamically = getClientDynamically(createClientDynamically);
        Assert.assertFalse(clientDynamically.getGrantTypes().contains("urn:openid:params:grant-type:ciba"));
        Assert.assertNull(clientDynamically.getBackchannelAuthenticationRequestSigningAlg());
        updateClientDynamically(createClientDynamically, oIDCClientRepresentation2 -> {
            List list = (List) Optional.ofNullable(oIDCClientRepresentation2.getGrantTypes()).orElse(new ArrayList());
            list.add("urn:openid:params:grant-type:ciba");
            oIDCClientRepresentation2.setGrantTypes(list);
            oIDCClientRepresentation2.setBackchannelAuthenticationRequestSigningAlg("PS256");
        });
        OIDCClientRepresentation clientDynamically2 = getClientDynamically(createClientDynamically);
        Assert.assertTrue(clientDynamically2.getGrantTypes().contains("urn:openid:params:grant-type:ciba"));
        Assert.assertThat(clientDynamically2.getBackchannelAuthenticationRequestSigningAlg(), Matchers.is("PS256"));
    }

    @Test
    public void testBackchannelAuthenticationFlowWithSignedAuthenticationRequestParam() throws Exception {
        testBackchannelAuthenticationFlowWithSignedAuthenticationRequest(false, "PS256");
    }

    @Test
    public void testBackchannelAuthenticationFlowWithSignedAuthenticationRequestUriParam() throws Exception {
        testBackchannelAuthenticationFlowWithSignedAuthenticationRequest(true, "ES256");
    }

    @Test
    public void testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequestUriParam() throws Exception {
        testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequest(true, "none", 400, "None signed algorithm is not allowed");
    }

    @Test
    public void testSecureCibaSessionEnforceExecutor() throws Exception {
        String createClientDynamically = createClientDynamically(generateSuffixedName("valid-CIBA-CD"), oIDCClientRepresentation -> {
            List list = (List) Optional.ofNullable(oIDCClientRepresentation.getGrantTypes()).orElse(new ArrayList());
            list.add("urn:openid:params:grant-type:ciba");
            oIDCClientRepresentation.setGrantTypes(list);
        });
        String clientSecret = getClientDynamically(createClientDynamically).getClientSecret();
        HashMap hashMap = new HashMap();
        hashMap.put("user_device", "mobile");
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Le Premier Profil").addExecutor("secure-ciba-session", null).toRepresentation()).toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder().addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder().createPolicy("MyPolicy", "La Premiere Politique", Boolean.TRUE).addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig()).addProfile("MyProfile").toRepresentation()).toString());
        OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(createClientDynamically, clientSecret, "nutzername-rot", (String) null, (String) null, (String) null, hashMap);
        MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
        MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getError(), Matchers.is("invalid_request"));
        MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getErrorDescription(), Matchers.is("Missing parameter: binding_message"));
    }

    @Test
    public void testSecureCibaSessionEnforceExecutorWithSignedAuthenticationRequestParam() throws Exception {
        testSecureCibaSessionEnforceExecutor(false);
    }

    @Test
    public void testSecureCibaSessionEnforceExecutorWithSignedAuthenticationRequestUriParam() throws Exception {
        testSecureCibaSessionEnforceExecutor(true);
    }

    @Test
    public void testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequest() throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Le Premier Profil").addExecutor("secure-ciba-signed-authn-req", null).toRepresentation()).toString());
            updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder().addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder().createPolicy("MyPolicy", "La Premiere Politique", Boolean.TRUE).addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig()).addProfile("MyProfile").toRepresentation()).toString());
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createPartialAuthorizationEndpointRequestObject = createPartialAuthorizationEndpointRequestObject("nutzername-rot", "Flughafen-Frankfurt-am-Main");
            createPartialAuthorizationEndpointRequestObject.nbf(createPartialAuthorizationEndpointRequestObject.getIat());
            registerSharedAuthenticationRequest(createPartialAuthorizationEndpointRequestObject, AssertEvents.DEFAULT_CLIENT_ID, "PS256", false);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "Flughafen-Frankfurt-am-Main", (String) null, (String) null, (Map) null);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getError(), Matchers.is("invalid_request"));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getErrorDescription(), Matchers.is("Missing parameter in the signed authentication request: exp"));
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createPartialAuthorizationEndpointRequestObject2 = createPartialAuthorizationEndpointRequestObject("nutzername-rot", "Flughafen-Wien-Schwechat");
            Long l = 300L;
            createPartialAuthorizationEndpointRequestObject2.exp(Long.valueOf(createPartialAuthorizationEndpointRequestObject2.getIat().longValue() + l.longValue()));
            registerSharedAuthenticationRequest(createPartialAuthorizationEndpointRequestObject2, AssertEvents.DEFAULT_CLIENT_ID, "PS256", true);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest2 = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "Flughafen-Wien-Schwechat", (String) null, (String) null, (Map) null);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest2.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest2.getError(), Matchers.is("invalid_request"));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest2.getErrorDescription(), Matchers.is("Missing parameter in the signed authentication request: nbf"));
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createPartialAuthorizationEndpointRequestObject3 = createPartialAuthorizationEndpointRequestObject("nutzername-rot", "Stuttgart-Hauptbahnhof");
            createPartialAuthorizationEndpointRequestObject3.exp(Long.valueOf(createPartialAuthorizationEndpointRequestObject3.getIat().longValue() + SecureCibaSignedAuthenticationRequestExecutor.DEFAULT_AVAILABLE_PERIOD.intValue() + 10));
            createPartialAuthorizationEndpointRequestObject3.nbf(createPartialAuthorizationEndpointRequestObject3.getIat());
            registerSharedAuthenticationRequest(createPartialAuthorizationEndpointRequestObject3, AssertEvents.DEFAULT_CLIENT_ID, "PS256", false);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest3 = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "Stuttgart-Hauptbahnhof", (String) null, (String) null, (Map) null);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest3.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest3.getError(), Matchers.is("invalid_request"));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest3.getErrorDescription(), Matchers.is("signed authentication request's available period is long"));
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createPartialAuthorizationEndpointRequestObject4 = createPartialAuthorizationEndpointRequestObject("nutzername-rot", "Flughafen-Wien-Schwechat");
            Long l2 = 300L;
            createPartialAuthorizationEndpointRequestObject4.exp(Long.valueOf(createPartialAuthorizationEndpointRequestObject4.getIat().longValue() + l2.longValue()));
            createPartialAuthorizationEndpointRequestObject4.nbf(createPartialAuthorizationEndpointRequestObject4.getIat());
            createPartialAuthorizationEndpointRequestObject4.audience((String[]) null);
            registerSharedAuthenticationRequest(createPartialAuthorizationEndpointRequestObject4, AssertEvents.DEFAULT_CLIENT_ID, "PS256", true);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest4 = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "Flughafen-Wien-Schwechat", (String) null, (String) null, (Map) null);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest4.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest4.getError(), Matchers.is("invalid_request"));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest4.getErrorDescription(), Matchers.is("Missing parameter in the 'request' object: aud"));
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createPartialAuthorizationEndpointRequestObject5 = createPartialAuthorizationEndpointRequestObject("nutzername-rot", "Stuttgart-Hauptbahnhof");
            Long l3 = 300L;
            createPartialAuthorizationEndpointRequestObject5.exp(Long.valueOf(createPartialAuthorizationEndpointRequestObject5.getIat().longValue() + l3.longValue()));
            createPartialAuthorizationEndpointRequestObject5.nbf(createPartialAuthorizationEndpointRequestObject5.getIat());
            createPartialAuthorizationEndpointRequestObject5.audience(new String[]{"https://example.com"});
            registerSharedAuthenticationRequest(createPartialAuthorizationEndpointRequestObject5, AssertEvents.DEFAULT_CLIENT_ID, "PS256", false);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest5 = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "Stuttgart-Hauptbahnhof", (String) null, (String) null, (Map) null);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest5.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest5.getError(), Matchers.is("invalid_request"));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest5.getErrorDescription(), Matchers.is("Invalid parameter in the 'request' object: aud"));
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createPartialAuthorizationEndpointRequestObject6 = createPartialAuthorizationEndpointRequestObject("nutzername-rot", "Flughafen-Wien-Schwechat");
            Long l4 = 300L;
            createPartialAuthorizationEndpointRequestObject6.exp(Long.valueOf(createPartialAuthorizationEndpointRequestObject6.getIat().longValue() + l4.longValue()));
            createPartialAuthorizationEndpointRequestObject6.nbf(createPartialAuthorizationEndpointRequestObject6.getIat());
            createPartialAuthorizationEndpointRequestObject6.audience(new String[]{Urls.realmIssuer(new URI(this.suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth"), "test"), "https://example.com"});
            registerSharedAuthenticationRequest(createPartialAuthorizationEndpointRequestObject6, AssertEvents.DEFAULT_CLIENT_ID, "PS256", true);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest6 = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "Flughafen-Wien-Schwechat", (String) null, (String) null, (Map) null);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest6.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest6.getError(), Matchers.is("invalid_request"));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest6.getErrorDescription(), Matchers.is("Missing parameter in the 'request' object: iss"));
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createPartialAuthorizationEndpointRequestObject7 = createPartialAuthorizationEndpointRequestObject("nutzername-rot", "Stuttgart-Hauptbahnhof");
            Long l5 = 300L;
            createPartialAuthorizationEndpointRequestObject7.exp(Long.valueOf(createPartialAuthorizationEndpointRequestObject7.getIat().longValue() + l5.longValue()));
            createPartialAuthorizationEndpointRequestObject7.nbf(createPartialAuthorizationEndpointRequestObject7.getIat());
            createPartialAuthorizationEndpointRequestObject7.audience(new String[]{Urls.realmIssuer(new URI(this.suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth"), "test"), "https://example.com"});
            createPartialAuthorizationEndpointRequestObject7.issuer("test-apptest-app");
            registerSharedAuthenticationRequest(createPartialAuthorizationEndpointRequestObject7, AssertEvents.DEFAULT_CLIENT_ID, "PS256", false);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest7 = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "Stuttgart-Hauptbahnhof", (String) null, (String) null, (Map) null);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest7.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest7.getError(), Matchers.is("invalid_request"));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest7.getErrorDescription(), Matchers.is("Invalid parameter in the 'request' object: iss"));
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createPartialAuthorizationEndpointRequestObject8 = createPartialAuthorizationEndpointRequestObject("nutzername-rot", "Flughafen-Wien-Schwechat");
            Long l6 = 300L;
            createPartialAuthorizationEndpointRequestObject8.exp(Long.valueOf(createPartialAuthorizationEndpointRequestObject8.getIat().longValue() + l6.longValue()));
            createPartialAuthorizationEndpointRequestObject8.nbf(createPartialAuthorizationEndpointRequestObject8.getIat());
            createPartialAuthorizationEndpointRequestObject8.audience(new String[]{Urls.realmIssuer(new URI(this.suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth"), "test"), "https://example.com"});
            createPartialAuthorizationEndpointRequestObject8.issuer(AssertEvents.DEFAULT_CLIENT_ID);
            createPartialAuthorizationEndpointRequestObject8.iat((Long) null);
            createPartialAuthorizationEndpointRequestObject8.id((String) null);
            registerSharedAuthenticationRequest(createPartialAuthorizationEndpointRequestObject8, AssertEvents.DEFAULT_CLIENT_ID, "PS256", true);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest8 = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "Flughafen-Wien-Schwechat", (String) null, (String) null, (Map) null);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest8.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest8.getError(), Matchers.is("invalid_request"));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest8.getErrorDescription(), Matchers.is("Missing parameter in the signed authentication request: iat"));
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createPartialAuthorizationEndpointRequestObject9 = createPartialAuthorizationEndpointRequestObject("nutzername-rot", "Stuttgart-Hauptbahnhof");
            Long l7 = 300L;
            createPartialAuthorizationEndpointRequestObject9.exp(Long.valueOf(createPartialAuthorizationEndpointRequestObject9.getIat().longValue() + l7.longValue()));
            createPartialAuthorizationEndpointRequestObject9.nbf(createPartialAuthorizationEndpointRequestObject9.getIat());
            createPartialAuthorizationEndpointRequestObject9.audience(new String[]{Urls.realmIssuer(new URI(this.suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth"), "test"), "https://example.com"});
            createPartialAuthorizationEndpointRequestObject9.issuer(AssertEvents.DEFAULT_CLIENT_ID);
            createPartialAuthorizationEndpointRequestObject9.iat(Long.valueOf(Time.currentTime()));
            createPartialAuthorizationEndpointRequestObject9.id((String) null);
            registerSharedAuthenticationRequest(createPartialAuthorizationEndpointRequestObject9, AssertEvents.DEFAULT_CLIENT_ID, "PS256", false);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest9 = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "Stuttgart-Hauptbahnhof", (String) null, (String) null, (Map) null);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest9.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest9.getError(), Matchers.is("invalid_request"));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest9.getErrorDescription(), Matchers.is("Missing parameter in the signed authentication request: jti"));
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createPartialAuthorizationEndpointRequestObject10 = createPartialAuthorizationEndpointRequestObject("nutzername-rot", "Brno-hlavni-nadrazif");
            Long l8 = 300L;
            createPartialAuthorizationEndpointRequestObject10.exp(Long.valueOf(createPartialAuthorizationEndpointRequestObject10.getIat().longValue() + l8.longValue()));
            createPartialAuthorizationEndpointRequestObject10.nbf(createPartialAuthorizationEndpointRequestObject10.getIat());
            createPartialAuthorizationEndpointRequestObject10.audience(new String[]{Urls.realmIssuer(new URI(this.suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth"), "test"), "https://example.com"});
            createPartialAuthorizationEndpointRequestObject10.issuer(AssertEvents.DEFAULT_CLIENT_ID);
            createPartialAuthorizationEndpointRequestObject10.id(org.keycloak.models.utils.KeycloakModelUtils.generateId());
            createPartialAuthorizationEndpointRequestObject10.iat(Long.valueOf(Time.currentTime()));
            registerSharedAuthenticationRequest(createPartialAuthorizationEndpointRequestObject10, AssertEvents.DEFAULT_CLIENT_ID, "PS256", true);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest10 = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "Brno-hlavni-nadrazif");
            TestAuthenticationChannelRequest doAuthenticationChannelRequest = doAuthenticationChannelRequest("Brno-hlavni-nadrazif");
            AuthenticationChannelRequest request = doAuthenticationChannelRequest.getRequest();
            MatcherAssert.assertThat(request.getBindingMessage(), Matchers.is(Matchers.equalTo("Brno-hlavni-nadrazif")));
            MatcherAssert.assertThat(request.getScope(), Matchers.is(Matchers.containsString("openid")));
            doAuthenticationChannelCallback(doAuthenticationChannelRequest);
            doBackchannelAuthenticationTokenRequest("nutzername-rot", doBackchannelAuthenticationRequest10.getAuthReqId());
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    private TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createPartialAuthorizationEndpointRequestObject(String str, String str2) throws Exception {
        TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject authorizationEndpointRequestObject = new TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject();
        authorizationEndpointRequestObject.id(org.keycloak.models.utils.KeycloakModelUtils.generateId());
        authorizationEndpointRequestObject.iat(Long.valueOf(Time.currentTime()));
        authorizationEndpointRequestObject.setScope("openid");
        authorizationEndpointRequestObject.setMax_age(600);
        authorizationEndpointRequestObject.setOtherClaims("custom_claim_zwei", "gelb");
        authorizationEndpointRequestObject.audience(new String[]{Urls.realmIssuer(new URI(this.suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth"), "test"), "https://example.com"});
        authorizationEndpointRequestObject.setLoginHint(str);
        authorizationEndpointRequestObject.setBindingMessage(str2);
        return authorizationEndpointRequestObject;
    }

    private void testSecureCibaSessionEnforceExecutor(boolean z) throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createValidSharedAuthenticationRequest = createValidSharedAuthenticationRequest();
            createValidSharedAuthenticationRequest.setLoginHint("nutzername-rot");
            registerSharedAuthenticationRequest(createValidSharedAuthenticationRequest, AssertEvents.DEFAULT_CLIENT_ID, "PS256", z);
            updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Le Premier Profil").addExecutor("secure-ciba-session", null).toRepresentation()).toString());
            updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder().addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder().createPolicy("MyPolicy", "La Premiere Politique", Boolean.TRUE).addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig()).addProfile("MyProfile").toRepresentation()).toString());
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", (String) null, (String) null, (String) null, (Map) null);
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getError(), Matchers.is("invalid_request"));
            MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getErrorDescription(), Matchers.is("Missing parameter: binding_message"));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    private RealmResource testRealm() {
        return this.adminClient.realm("test");
    }

    @Test
    public void testBackchannelAuthenticationFlowRegisterDifferentSigAlgInAdvanceWithSignedAuthenticationRequestParam() throws Exception {
        testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequest(false, "ES256", "PS256", 400, "invalid_request", "Client requested algorithm not registered in advance or request signed with different algorithm other than client requested algorithm", AssertEvents.DEFAULT_CLIENT_ID, "password");
    }

    @Test
    public void testBackchannelAuthenticationFlowRegisterDifferentSigAlgInAdvanceWithSignedAuthenticationRequestUriParam() throws Exception {
        testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequest(true, "PS256", "ES256", 400, "invalid_request", "Client requested algorithm not registered in advance or request signed with different algorithm other than client requested algorithm", AssertEvents.DEFAULT_CLIENT_ID, "password");
    }

    @Test
    public void testBackchannelAuthenticationFlowNotRegisterSigAlgInAdvanceWithSignedAuthenticationRequestParam() throws Exception {
        testBackchannelAuthenticationFlowNotRegisterSigAlgInAdvanceWithSignedAuthentication("valid-CIBA-CD-Ein", false, null, "ES256", 400, "Client requested algorithm not registered in advance or request signed with different algorithm other than client requested algorithm");
    }

    @Test
    public void testBackchannelAuthenticationFlowNotRegisterSigAlgInAdvanceWithSignedAuthenticationRequestUriParam() throws Exception {
        testBackchannelAuthenticationFlowNotRegisterSigAlgInAdvanceWithSignedAuthentication("valid-CIBA-CD-Zwei", true, null, "PS256", 400, "Client requested algorithm not registered in advance or request signed with different algorithm other than client requested algorithm");
    }

    @Test
    public void testExtendedClientPolicyInterfacesForBackchannelAuthenticationRequest() throws Exception {
        String generateSuffixedName = generateSuffixedName("confidential-app");
        String str = "app-secret";
        createClientByAdmin(generateSuffixedName, clientRepresentation -> {
            clientRepresentation.setSecret(str);
            clientRepresentation.setStandardFlowEnabled(Boolean.TRUE);
            clientRepresentation.setImplicitFlowEnabled(Boolean.TRUE);
            clientRepresentation.setPublicClient(Boolean.FALSE);
            clientRepresentation.setBearerOnly(Boolean.FALSE);
            Map map = (Map) Optional.ofNullable(clientRepresentation.getAttributes()).orElse(new HashMap());
            map.put("ciba.backchannel.token.delivery.mode", "poll");
            map.put("oidc.ciba.grant.enabled", Boolean.TRUE.toString());
            clientRepresentation.setAttributes(map);
        });
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Den Forste Profilen").addExecutor("test-raise-exception", null).toRepresentation()).toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder().addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder().createPolicy("MyPolicy", "Den Forste Politikken", Boolean.TRUE).addCondition("client-roles", ClientPoliciesUtil.createClientRolesConditionConfig(Arrays.asList("sample-client-role-alpha"))).addProfile("MyProfile").toRepresentation()).toString());
        ApiUtil.findClientByClientId(this.adminClient.realm("test"), generateSuffixedName).roles().create(RoleBuilder.create().name("sample-client-role-alpha").build());
        OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(generateSuffixedName, "app-secret", "test-user@localhost", "Pjb9eD8w", (String) null, (String) null, (Map) null);
        Assert.assertEquals(400L, doBackchannelAuthenticationRequest.getStatusCode());
        Assert.assertEquals(ClientPolicyEvent.BACKCHANNEL_AUTHENTICATION_REQUEST.toString(), doBackchannelAuthenticationRequest.getError());
        Assert.assertEquals("Exception thrown intentionally", doBackchannelAuthenticationRequest.getErrorDescription());
    }

    @Test
    public void testExtendedClientPolicyInterfacesForBackchannelTokenRequest() throws Exception {
        String generateSuffixedName = generateSuffixedName("confidential-app");
        String str = "app-secret";
        createClientByAdmin(generateSuffixedName, clientRepresentation -> {
            clientRepresentation.setSecret(str);
            clientRepresentation.setStandardFlowEnabled(Boolean.TRUE);
            clientRepresentation.setImplicitFlowEnabled(Boolean.TRUE);
            clientRepresentation.setPublicClient(Boolean.FALSE);
            clientRepresentation.setBearerOnly(Boolean.FALSE);
            Map map = (Map) Optional.ofNullable(clientRepresentation.getAttributes()).orElse(new HashMap());
            map.put("ciba.backchannel.token.delivery.mode", "poll");
            map.put("oidc.ciba.grant.enabled", Boolean.TRUE.toString());
            clientRepresentation.setAttributes(map);
        });
        HashMap hashMap = new HashMap();
        hashMap.put("user_device", "mobile");
        OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(generateSuffixedName, "app-secret", "test-user@localhost", "BASTION", (String) null, (String) null, hashMap);
        MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(200)));
        Assert.assertNotNull(doBackchannelAuthenticationRequest.getAuthReqId());
        MatcherAssert.assertThat(Integer.valueOf(this.oauth.doAuthenticationChannelCallback(this.testingClient.testApp().oidcClientEndpoints().getAuthenticationChannel("BASTION").getBearerToken(), AuthenticationChannelResponse.Status.SUCCEED)), Matchers.is(Matchers.equalTo(200)));
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Den Forste Profilen").addExecutor("test-raise-exception", null).toRepresentation()).toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder().addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder().createPolicy("MyPolicy", "Den Forste Politikken", Boolean.TRUE).addCondition("client-roles", ClientPoliciesUtil.createClientRolesConditionConfig(Arrays.asList("sample-client-role-alpha"))).addProfile("MyProfile").toRepresentation()).toString());
        ApiUtil.findClientByClientId(this.adminClient.realm("test"), generateSuffixedName).roles().create(RoleBuilder.create().name("sample-client-role-alpha").build());
        OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest(generateSuffixedName, "app-secret", doBackchannelAuthenticationRequest.getAuthReqId());
        MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
        MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is("invalid_grant"));
        MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getErrorDescription(), Matchers.is("Exception thrown intentionally"));
    }

    @Test
    public void testSecureCibaAuthenticationRequestSigningAlgorithmEnforceExecutor() throws Exception {
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Den Forsta Profilen").addExecutor("secure-ciba-req-sig-algorithm", null).toRepresentation()).toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder().addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder().createPolicy("MyPolicy", "Den Forsta Policyn", Boolean.TRUE).addCondition("client-updater-context", ClientPoliciesUtil.createClientUpdateContextConditionConfig(Arrays.asList("ByAuthenticatedUser", "ByInitialAccessToken", "ByRegistrationAccessToken"))).addProfile("MyProfile").toRepresentation()).toString());
        try {
            createClientByAdmin(generateSuffixedName("App-by-Admin"), clientRepresentation -> {
                clientRepresentation.setSecret("secret");
                clientRepresentation.setAttributes(new HashMap());
                clientRepresentation.getAttributes().put("ciba.backchannel.auth.request.signing.alg", "none");
            });
            Assert.fail();
        } catch (ClientPolicyException e) {
            Assert.assertEquals("invalid_request", e.getMessage());
        }
        String createClientByAdmin = createClientByAdmin(generateSuffixedName("App-by-Admin"), clientRepresentation2 -> {
            clientRepresentation2.setAttributes(new HashMap());
            clientRepresentation2.getAttributes().put("ciba.backchannel.auth.request.signing.alg", "ES256");
        });
        Assert.assertEquals("ES256", getClientByAdmin(createClientByAdmin).getAttributes().get("ciba.backchannel.auth.request.signing.alg"));
        String createClientByAdmin2 = createClientByAdmin(generateSuffixedName("App-by-Admin2"), clientRepresentation3 -> {
        });
        Assert.assertEquals("PS256", getClientByAdmin(createClientByAdmin2).getAttributes().get("ciba.backchannel.auth.request.signing.alg"));
        try {
            updateClientByAdmin(createClientByAdmin, clientRepresentation4 -> {
                clientRepresentation4.setAttributes(new HashMap());
                clientRepresentation4.getAttributes().put("ciba.backchannel.auth.request.signing.alg", "RS512");
            });
        } catch (ClientPolicyException e2) {
            Assert.assertEquals("invalid_request", e2.getError());
        }
        Assert.assertEquals("ES256", getClientByAdmin(createClientByAdmin).getAttributes().get("ciba.backchannel.auth.request.signing.alg"));
        updateClientByAdmin(createClientByAdmin, clientRepresentation5 -> {
            clientRepresentation5.setAttributes(new HashMap());
            clientRepresentation5.getAttributes().put("ciba.backchannel.auth.request.signing.alg", "PS384");
        });
        Assert.assertEquals("PS384", getClientByAdmin(createClientByAdmin).getAttributes().get("ciba.backchannel.auth.request.signing.alg"));
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Den Forsta Profilen").addExecutor("secure-ciba-req-sig-algorithm", ClientPoliciesUtil.createSecureCibaAuthenticationRequestSigningAlgorithmExecutorConfig("ES256")).toRepresentation()).toString());
        updateClientByAdmin(createClientByAdmin2, clientRepresentation6 -> {
            clientRepresentation6.getAttributes().remove("ciba.backchannel.auth.request.signing.alg");
        });
        Assert.assertEquals("ES256", getClientByAdmin(createClientByAdmin2).getAttributes().get("ciba.backchannel.auth.request.signing.alg"));
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Den Forsta Profilen").addExecutor("secure-ciba-req-sig-algorithm", ClientPoliciesUtil.createSecureCibaAuthenticationRequestSigningAlgorithmExecutorConfig("RS512")).toRepresentation()).toString());
        try {
            createClientByAdmin(generateSuffixedName("App-in-Dynamic"), clientRepresentation7 -> {
                clientRepresentation7.setSecret("secret");
                clientRepresentation7.setAttributes(new HashMap());
                clientRepresentation7.getAttributes().put("ciba.backchannel.auth.request.signing.alg", "RS384");
            });
            Assert.fail();
        } catch (ClientPolicyException e3) {
            Assert.assertEquals("invalid_request", e3.getMessage());
        }
        String createClientDynamically = createClientDynamically(generateSuffixedName("App-in-Dynamic"), oIDCClientRepresentation -> {
            oIDCClientRepresentation.setBackchannelAuthenticationRequestSigningAlg("ES256");
        });
        this.events.expect(EventType.CLIENT_REGISTER).client(createClientDynamically).user(Matchers.isEmptyOrNullString()).assertEvent();
        try {
            updateClientDynamically(createClientDynamically, oIDCClientRepresentation2 -> {
                oIDCClientRepresentation2.setBackchannelAuthenticationRequestSigningAlg("RS256");
            });
            Assert.fail();
        } catch (ClientRegistrationException e4) {
            Assert.assertEquals(ERR_MSG_CLIENT_REG_FAIL, e4.getMessage());
        }
        Assert.assertEquals("ES256", getClientDynamically(createClientDynamically).getBackchannelAuthenticationRequestSigningAlg());
        updateClientDynamically(createClientDynamically, oIDCClientRepresentation3 -> {
            oIDCClientRepresentation3.setBackchannelAuthenticationRequestSigningAlg("ES384");
        });
        Assert.assertEquals("ES384", getClientDynamically(createClientDynamically).getBackchannelAuthenticationRequestSigningAlg());
        restartAuthenticatedClientRegistrationSetting();
        String createClientDynamically2 = createClientDynamically(generateSuffixedName("App-in-Dynamic"), oIDCClientRepresentation4 -> {
        });
        Assert.assertEquals("PS256", getClientDynamically(createClientDynamically2).getBackchannelAuthenticationRequestSigningAlg());
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Den Forsta Profilen").addExecutor("secure-ciba-req-sig-algorithm", ClientPoliciesUtil.createSecureCibaAuthenticationRequestSigningAlgorithmExecutorConfig("ES256")).toRepresentation()).toString());
        updateClientDynamically(createClientDynamically2, oIDCClientRepresentation5 -> {
            oIDCClientRepresentation5.setBackchannelAuthenticationRequestSigningAlg((String) null);
        });
        Assert.assertEquals("ES256", getClientDynamically(createClientDynamically2).getBackchannelAuthenticationRequestSigningAlg());
    }

    @Test
    public void testHolderOfKeyEnforceExecutor() throws Exception {
        Throwable th;
        Throwable th2;
        OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest;
        Assume.assumeTrue("This test must be executed with enabled TLS.", ServerURLs.AUTH_SERVER_SSL_REQUIRED);
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Az Elso Profil").addExecutor("holder-of-key-enforcer", ClientPoliciesUtil.createHolderOfKeyEnforceExecutorConfig(Boolean.FALSE)).addExecutor("secure-signature-algorithm-signed-jwt", ClientPoliciesUtil.createSecureSigningAlgorithmForSignedJwtEnforceExecutorConfig(Boolean.FALSE)).toRepresentation()).toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder().addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder().createPolicy("MyPolicy", "Az Elso Politika", Boolean.TRUE).addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig()).addProfile("MyProfile").toRepresentation()).toString());
        try {
            HashMap hashMap = new HashMap();
            hashMap.put("user_device", "mobile");
            ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            ClientRepresentation representation = findClientByClientId.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setUseMtlsHoKToken(true);
            findClientByClientId.update(representation);
            prepareCIBASettings(findClientByClientId, representation);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "ThisIsBindingMessage", null, hashMap);
            TestAuthenticationChannelRequest doAuthenticationChannelRequest = doAuthenticationChannelRequest("ThisIsBindingMessage");
            AuthenticationChannelRequest request = doAuthenticationChannelRequest.getRequest();
            MatcherAssert.assertThat(request.getBindingMessage(), Matchers.is(Matchers.equalTo("ThisIsBindingMessage")));
            MatcherAssert.assertThat(request.getScope(), Matchers.is(Matchers.containsString("openid")));
            MatcherAssert.assertThat(request.getAdditionalParameters().get("user_device"), Matchers.is(Matchers.equalTo("mobile")));
            doAuthenticationChannelCallback(doAuthenticationChannelRequest);
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest2 = this.oauth.doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest2.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest2.getError(), Matchers.is(Matchers.equalTo("invalid_grant")));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest2.getErrorDescription(), Matchers.is(Matchers.equalTo("Client Certification missing for MTLS HoK Token Binding")));
            this.events.expect(EventType.AUTHREQID_TO_TOKEN_ERROR).clearDetails().user((String) null).client(AssertEvents.DEFAULT_CLIENT_ID).error("invalid_request").assertEvent();
            CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
            Throwable th3 = null;
            try {
                try {
                    doBackchannelAuthenticationTokenRequest = doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", doBackchannelAuthenticationRequest.getAuthReqId(), newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                    AccessToken verifyToken = this.oauth.verifyToken(doBackchannelAuthenticationTokenRequest.getAccessToken(), AccessToken.class);
                    MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(200)));
                    MatcherAssert.assertThat(verifyToken.getCertConf().getCertThumbprint(), Matchers.notNullValue());
                    if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                        if (0 != 0) {
                            try {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                            } catch (Throwable th4) {
                                th3.addSuppressed(th4);
                            }
                        } else {
                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                        }
                    }
                    try {
                        newCloseableHttpClientWithDefaultKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
                        th2 = null;
                    } catch (IOException e) {
                        throw new RuntimeException(e);
                    }
                } finally {
                }
                try {
                    try {
                        CloseableHttpResponse doLogout = this.oauth.doLogout(doBackchannelAuthenticationTokenRequest.getRefreshToken(), "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                        if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                            if (0 != 0) {
                                try {
                                    newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                                } catch (Throwable th5) {
                                    th2.addSuppressed(th5);
                                }
                            } else {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                            }
                        }
                        Assert.assertEquals(204L, doLogout.getStatusLine().getStatusCode());
                        updatePolicies("{}");
                        ClientResource findClientByClientId2 = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
                        ClientRepresentation representation2 = findClientByClientId2.toRepresentation();
                        OIDCAdvancedConfigWrapper.fromClientRepresentation(representation2).setUseMtlsHoKToken(false);
                        findClientByClientId2.update(representation2);
                        revertCIBASettings(findClientByClientId2, representation2);
                    } finally {
                    }
                } finally {
                    if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                        if (th != null) {
                            try {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                            } catch (Throwable th6) {
                                th3.addSuppressed(th6);
                            }
                        }
                    }
                }
            } finally {
                if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                    if (th != null) {
                        try {
                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                        } catch (Throwable th7) {
                            th3.addSuppressed(th7);
                        }
                    }
                }
            }
        } catch (Throwable th8) {
            updatePolicies("{}");
            ClientResource findClientByClientId3 = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            ClientRepresentation representation3 = findClientByClientId3.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation3).setUseMtlsHoKToken(false);
            findClientByClientId3.update(representation3);
            revertCIBASettings(findClientByClientId3, representation3);
            throw th8;
        }
    }

    @Test
    public void testConfidentialClientAcceptExecutorExecutor() throws Exception {
        String generateSuffixedName = generateSuffixedName("public-app");
        createClientByAdmin(generateSuffixedName, clientRepresentation -> {
            clientRepresentation.setSecret("app-secret");
            clientRepresentation.setStandardFlowEnabled(Boolean.TRUE);
            clientRepresentation.setImplicitFlowEnabled(Boolean.TRUE);
            clientRepresentation.setPublicClient(Boolean.TRUE);
            clientRepresentation.setBearerOnly(Boolean.FALSE);
            Map map = (Map) Optional.ofNullable(clientRepresentation.getAttributes()).orElse(new HashMap());
            map.put("ciba.backchannel.token.delivery.mode", "poll");
            map.put("oidc.ciba.grant.enabled", Boolean.TRUE.toString());
            clientRepresentation.setAttributes(map);
        });
        HashMap hashMap = new HashMap();
        hashMap.put("user_device", "mobile");
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Erstes Profil").addExecutor("confidential-client", null).toRepresentation()).toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder().addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder().createPolicy("MyPolicy", "La Premiere Politique", Boolean.TRUE).addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig()).addProfile("MyProfile").toRepresentation()).toString());
        OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(generateSuffixedName, "app-secret", "nutzername-rot", "bmbmbmbm", (String) null, (String) null, hashMap);
        MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
        MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getError(), Matchers.is("invalid_client"));
        MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getErrorDescription(), Matchers.is("invalid client access type"));
        String generateSuffixedName2 = generateSuffixedName("confidential-app");
        String str = "app-secret";
        String createClientByAdmin = createClientByAdmin(generateSuffixedName2, clientRepresentation2 -> {
            clientRepresentation2.setSecret(str);
            clientRepresentation2.setStandardFlowEnabled(Boolean.TRUE);
            clientRepresentation2.setImplicitFlowEnabled(Boolean.TRUE);
            clientRepresentation2.setPublicClient(Boolean.FALSE);
            clientRepresentation2.setBearerOnly(Boolean.FALSE);
            Map map = (Map) Optional.ofNullable(clientRepresentation2.getAttributes()).orElse(new HashMap());
            map.put("ciba.backchannel.token.delivery.mode", "poll");
            map.put("oidc.ciba.grant.enabled", Boolean.TRUE.toString());
            clientRepresentation2.setAttributes(map);
        });
        OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest2 = doBackchannelAuthenticationRequest(generateSuffixedName2, "app-secret", "nutzername-rot", "bmbmbmbm", null, hashMap);
        updateClientByAdmin(createClientByAdmin, clientRepresentation3 -> {
            clientRepresentation3.setPublicClient(Boolean.TRUE);
        });
        OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest(generateSuffixedName2, "app-secret", doBackchannelAuthenticationRequest2.getAuthReqId());
        MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
        MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is("invalid_grant"));
        MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getErrorDescription(), Matchers.is("invalid client access type"));
    }

    @Test
    public void testClientScopesCondition() throws Exception {
        HashMap hashMap = new HashMap();
        hashMap.put("user_device", "mobile");
        String generateSuffixedName = generateSuffixedName("confidential-app");
        String str = "app-secret";
        createClientByAdmin(generateSuffixedName, clientRepresentation -> {
            clientRepresentation.setSecret(str);
            clientRepresentation.setStandardFlowEnabled(Boolean.TRUE);
            clientRepresentation.setImplicitFlowEnabled(Boolean.TRUE);
            clientRepresentation.setPublicClient(Boolean.FALSE);
            clientRepresentation.setBearerOnly(Boolean.FALSE);
            Map map = (Map) Optional.ofNullable(clientRepresentation.getAttributes()).orElse(new HashMap());
            map.put("ciba.backchannel.token.delivery.mode", "poll");
            map.put("oidc.ciba.grant.enabled", Boolean.TRUE.toString());
            clientRepresentation.setAttributes(map);
        });
        this.oauth.clientId(generateSuffixedName);
        this.oauth.scope("microprofile-jwt");
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Het Eerste Profiel").addExecutor("test-raise-exception", null).toRepresentation()).toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder().addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder().createPolicy("MyPolicy", "Het Eerste Beleid", Boolean.TRUE).addCondition("client-scopes", ClientPoliciesUtil.createClientScopesConditionConfig("Optional", Arrays.asList("microprofile-jwt"))).addProfile("MyProfile").toRepresentation()).toString());
        OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(generateSuffixedName, "app-secret", "nutzername-rot", "ThisIsBindingMessage", (String) null, (String) null, hashMap);
        MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
        MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getError(), Matchers.is(ClientPolicyEvent.BACKCHANNEL_AUTHENTICATION_REQUEST.name()));
        MatcherAssert.assertThat(doBackchannelAuthenticationRequest.getErrorDescription(), Matchers.is("Exception thrown intentionally"));
        updatePolicies("{}");
        OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest2 = this.oauth.doBackchannelAuthenticationRequest(generateSuffixedName, "app-secret", "nutzername-rot", "ThisIsBindingMessage", (String) null, (String) null, hashMap);
        MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest2.getStatusCode()), Matchers.is(Matchers.equalTo(200)));
        Assert.assertNotNull(doBackchannelAuthenticationRequest2.getAuthReqId());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder().addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder().createPolicy("MyPolicy", "Het Eerste Beleid", Boolean.TRUE).addCondition("client-scopes", ClientPoliciesUtil.createClientScopesConditionConfig("Optional", Arrays.asList("microprofile-jwt"))).addProfile("MyProfile").toRepresentation()).toString());
        OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest(generateSuffixedName, "app-secret", doBackchannelAuthenticationRequest2.getAuthReqId());
        MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
        MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is("invalid_grant"));
        MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getErrorDescription(), Matchers.is("Exception thrown intentionally"));
        updatePolicies("{}");
        TestAuthenticationChannelRequest doAuthenticationChannelRequest = doAuthenticationChannelRequest("ThisIsBindingMessage");
        AuthenticationChannelRequest request = doAuthenticationChannelRequest.getRequest();
        MatcherAssert.assertThat(request.getBindingMessage(), Matchers.is(Matchers.equalTo("ThisIsBindingMessage")));
        MatcherAssert.assertThat(request.getScope(), Matchers.is(Matchers.containsString("openid")));
        MatcherAssert.assertThat(request.getAdditionalParameters().get("user_device"), Matchers.is(Matchers.equalTo("mobile")));
        doAuthenticationChannelCallback(doAuthenticationChannelRequest);
        OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest2 = this.oauth.doBackchannelAuthenticationTokenRequest(generateSuffixedName, "app-secret", doBackchannelAuthenticationRequest2.getAuthReqId());
        MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest2.getStatusCode()), Matchers.is(Matchers.equalTo(200)));
        MatcherAssert.assertThat(this.oauth.verifyToken(doBackchannelAuthenticationTokenRequest2.getAccessToken()).getIssuedFor(), Matchers.is(Matchers.equalTo(generateSuffixedName)));
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(doBackchannelAuthenticationTokenRequest2.getRefreshToken());
        MatcherAssert.assertThat(parseRefreshToken.getIssuedFor(), Matchers.is(Matchers.equalTo(generateSuffixedName)));
        MatcherAssert.assertThat(parseRefreshToken.getAudience()[0], Matchers.is(Matchers.equalTo(parseRefreshToken.getIssuer())));
        IDToken verifyIDToken = this.oauth.verifyIDToken(doBackchannelAuthenticationTokenRequest2.getIdToken());
        MatcherAssert.assertThat(verifyIDToken.getPreferredUsername(), Matchers.is(Matchers.equalTo("nutzername-rot")));
        MatcherAssert.assertThat(verifyIDToken.getIssuedFor(), Matchers.is(Matchers.equalTo(generateSuffixedName)));
        MatcherAssert.assertThat(verifyIDToken.getAudience()[0], Matchers.is(Matchers.equalTo(verifyIDToken.getIssuedFor())));
    }

    private void testBackchannelAuthenticationFlowNotRegisterSigAlgInAdvanceWithSignedAuthentication(String str, boolean z, String str2, String str3, int i, String str4) throws Exception {
        String createClientDynamically = createClientDynamically(str, oIDCClientRepresentation -> {
            List list = (List) Optional.ofNullable(oIDCClientRepresentation.getGrantTypes()).orElse(new ArrayList());
            list.add("urn:openid:params:grant-type:ciba");
            oIDCClientRepresentation.setGrantTypes(list);
        });
        testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequest(z, str2, str3, i, "invalid_request", str4, createClientDynamically, getClientDynamically(createClientDynamically).getClientSecret());
    }

    private void testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequest(boolean z, String str, int i, String str2) throws Exception {
        testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequest(z, str, str, 400, "invalid_request", str2, AssertEvents.DEFAULT_CLIENT_ID, "password");
    }

    private void testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequest(boolean z, String str, String str2, int i, String str3, String str4, String str5, String str6) throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), str5);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createValidSharedAuthenticationRequest = createValidSharedAuthenticationRequest();
            createValidSharedAuthenticationRequest.setLoginHint("nutzername-rot");
            createValidSharedAuthenticationRequest.setBindingMessage("BASTION");
            registerSharedAuthenticationRequest(createValidSharedAuthenticationRequest, str5, str, str2, z, str6);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(str5, str6, (String) null, (String) null, (String) null);
            Assert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(Integer.valueOf(i))));
            Assert.assertThat(doBackchannelAuthenticationRequest.getError(), Matchers.is(str3));
            Assert.assertThat(doBackchannelAuthenticationRequest.getErrorDescription(), Matchers.is(str4));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    protected void registerSharedInvalidAuthenticationRequest(TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject authorizationEndpointRequestObject, String str, String str2, boolean z) throws URISyntaxException, IOException {
        this.testingClient.testApp().oidcClientEndpoints();
        ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), str);
        ClientRepresentation representation = findClientByClientId.toRepresentation();
        ((Map) Optional.ofNullable(representation.getAttributes()).orElse(new HashMap())).put("ciba.backchannel.auth.request.signing.alg", str2);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setUseJwksUrl(true);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
        findClientByClientId.update(representation);
        TestOIDCEndpointsApplicationResource oidcClientEndpoints = this.testingClient.testApp().oidcClientEndpoints();
        oidcClientEndpoints.registerOIDCRequest(Base64Url.encode(JsonSerialization.writeValueAsBytes(authorizationEndpointRequestObject)), str2);
        if (z) {
            this.oauth.request((String) null);
            this.oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
        } else {
            this.oauth.requestUri((String) null);
            this.oauth.request(oidcClientEndpoints.getOIDCRequest());
        }
    }

    private void testBackchannelAuthenticationFlowWithSignedAuthenticationRequest(boolean z, String str) throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createValidSharedAuthenticationRequest = createValidSharedAuthenticationRequest();
            createValidSharedAuthenticationRequest.setLoginHint("nutzername-rot");
            createValidSharedAuthenticationRequest.setBindingMessage("BASTION");
            registerSharedAuthenticationRequest(createValidSharedAuthenticationRequest, AssertEvents.DEFAULT_CLIENT_ID, str, z);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", null, null);
            TestAuthenticationChannelRequest doAuthenticationChannelRequest = doAuthenticationChannelRequest("BASTION");
            AuthenticationChannelRequest request = doAuthenticationChannelRequest.getRequest();
            Assert.assertThat(request.getBindingMessage(), Matchers.is(Matchers.equalTo("BASTION")));
            Assert.assertThat(request.getScope(), Matchers.is(Matchers.containsString("openid")));
            EventRepresentation doAuthenticationChannelCallback = doAuthenticationChannelCallback(doAuthenticationChannelRequest);
            String sessionId = doAuthenticationChannelCallback.getSessionId();
            String userId = doAuthenticationChannelCallback.getUserId();
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = doBackchannelAuthenticationTokenRequest("nutzername-rot", doBackchannelAuthenticationRequest.getAuthReqId());
            doIntrospectAccessTokenWithClientCredential(doBackchannelAuthenticationTokenRequest, "nutzername-rot");
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = doRefreshTokenRequest(doBackchannelAuthenticationTokenRequest.getRefreshToken(), "nutzername-rot", sessionId, false);
            doIntrospectAccessTokenWithClientCredential(doRefreshTokenRequest, "nutzername-rot");
            doLogoutByRefreshToken(doRefreshTokenRequest.getRefreshToken(), sessionId, userId, false);
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    private TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createValidSharedAuthenticationRequest() throws URISyntaxException {
        TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject authorizationEndpointRequestObject = new TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject();
        authorizationEndpointRequestObject.id(org.keycloak.models.utils.KeycloakModelUtils.generateId());
        authorizationEndpointRequestObject.iat(Long.valueOf(Time.currentTime()));
        Long l = 300L;
        authorizationEndpointRequestObject.exp(Long.valueOf(authorizationEndpointRequestObject.getIat().longValue() + l.longValue()));
        authorizationEndpointRequestObject.nbf(authorizationEndpointRequestObject.getIat());
        authorizationEndpointRequestObject.setScope("openid");
        authorizationEndpointRequestObject.setMax_age(600);
        authorizationEndpointRequestObject.setOtherClaims("custom_claim_zwei", "gelb");
        authorizationEndpointRequestObject.audience(new String[]{Urls.realmIssuer(new URI(this.suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth"), "test"), "https://example.com"});
        return authorizationEndpointRequestObject;
    }

    protected void registerSharedAuthenticationRequest(TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject authorizationEndpointRequestObject, String str, String str2, boolean z) throws URISyntaxException, IOException {
        registerSharedAuthenticationRequest(authorizationEndpointRequestObject, str, str2, z, null);
    }

    protected void registerSharedAuthenticationRequest(TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject authorizationEndpointRequestObject, String str, String str2, boolean z, String str3) throws URISyntaxException, IOException {
        registerSharedAuthenticationRequest(authorizationEndpointRequestObject, str, str2, str2, z, str3);
    }

    private boolean isSymmetricSigAlg(String str) {
        return "HS256".equals(str) || "HS384".equals(str) || "HS512".equals(str);
    }

    protected void registerSharedAuthenticationRequest(TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject authorizationEndpointRequestObject, String str, String str2, String str3, boolean z, String str4) throws URISyntaxException, IOException {
        this.testingClient.testApp().oidcClientEndpoints();
        ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), str);
        ClientRepresentation representation = findClientByClientId.toRepresentation();
        if (str2 != null) {
            Map map = (Map) Optional.ofNullable(representation.getAttributes()).orElse(new HashMap());
            map.put("ciba.backchannel.auth.request.signing.alg", str2);
            representation.setAttributes(map);
        }
        OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setUseJwksUrl(true);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
        findClientByClientId.update(representation);
        TestOIDCEndpointsApplicationResource oidcClientEndpoints = this.testingClient.testApp().oidcClientEndpoints();
        String encode = Base64Url.encode(JsonSerialization.writeValueAsBytes(authorizationEndpointRequestObject));
        if (isSymmetricSigAlg(str3)) {
            oidcClientEndpoints.registerOIDCRequestSymmetricSig(encode, str3, str4);
        } else {
            if (!"none".equals(str3)) {
                oidcClientEndpoints.generateKeys(str3);
            }
            oidcClientEndpoints.registerOIDCRequest(encode, str3);
        }
        if (z) {
            this.oauth.request((String) null);
            this.oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
        } else {
            this.oauth.requestUri((String) null);
            this.oauth.request(oidcClientEndpoints.getOIDCRequest());
        }
    }

    private void testAuthenticationChannelErrorCase(Response.Status status, Response.Status status2, AuthenticationChannelResponse.Status status3, String str, String str2) throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", "kwq26rfjs73");
            doAuthenticationChannelCallbackError(status, AssertEvents.DEFAULT_CLIENT_ID, doAuthenticationChannelRequest("kwq26rfjs73"), status3, "nutzername-rot", str2);
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest("password", doBackchannelAuthenticationRequest.getAuthReqId());
            MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(Integer.valueOf(status2.getStatusCode()))));
            MatcherAssert.assertThat(doBackchannelAuthenticationTokenRequest.getError(), Matchers.is(str));
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }

    private void prepareCIBASettings(ClientResource clientResource, ClientRepresentation clientRepresentation) {
        prepareCIBASettings(clientResource, clientRepresentation, "poll");
    }

    private void prepareCIBASettings(ClientResource clientResource, ClientRepresentation clientRepresentation, String str) {
        Map map = (Map) Optional.ofNullable(clientRepresentation.getAttributes()).orElse(new HashMap());
        map.put("ciba.backchannel.token.delivery.mode", str);
        map.put("ciba.backchannel.client.notification.endpoint", TestApplicationResourceUrls.cibaClientNotificationEndpointUri());
        map.put("oidc.ciba.grant.enabled", Boolean.TRUE.toString());
        clientRepresentation.setAttributes(map);
        ArrayList arrayList = new ArrayList(OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).getRequestUris());
        arrayList.add(TestApplicationResourceUrls.clientRequestUri());
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).setRequestUris(arrayList);
        clientResource.update(clientRepresentation);
    }

    private void revertCIBASettings(ClientResource clientResource, ClientRepresentation clientRepresentation) {
        Map map = (Map) Optional.ofNullable(clientRepresentation.getAttributes()).orElse(new HashMap());
        map.remove("ciba.backchannel.token.delivery.mode");
        map.remove("oidc.ciba.grant.enabled", Boolean.TRUE.toString());
        map.remove("ciba.backchannel.client.notification.endpoint");
        clientRepresentation.setAttributes(map);
        ArrayList arrayList = new ArrayList(OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).getRequestUris());
        arrayList.remove(TestApplicationResourceUrls.clientRequestUri());
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).setRequestUris(arrayList);
        clientResource.update(clientRepresentation);
    }

    private RealmRepresentation backupCIBAPolicy() {
        RealmRepresentation representation = testRealm().toRepresentation();
        Map map = (Map) Optional.ofNullable(representation.getAttributes()).orElse(new HashMap());
        this.cibaBackchannelTokenDeliveryMode = (String) map.get("cibaBackchannelTokenDeliveryMode");
        this.cibaExpiresIn = Integer.valueOf(Integer.parseInt((String) map.get("cibaExpiresIn")));
        this.cibaInterval = Integer.valueOf(Integer.parseInt((String) map.get("cibaInterval")));
        this.cibaAuthRequestedUserHint = (String) map.get("cibaAuthRequestedUserHint");
        return representation;
    }

    private void restoreCIBAPolicy() {
        RealmRepresentation representation = testRealm().toRepresentation();
        Map map = (Map) Optional.ofNullable(representation.getAttributes()).orElse(new HashMap());
        map.put("cibaBackchannelTokenDeliveryMode", this.cibaBackchannelTokenDeliveryMode);
        map.put("cibaExpiresIn", String.valueOf(this.cibaExpiresIn));
        map.put("cibaInterval", String.valueOf(this.cibaInterval));
        map.put("cibaAuthRequestedUserHint", this.cibaAuthRequestedUserHint);
        representation.setAttributes(map);
        testRealm().update(representation);
    }

    private OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest(String str, String str2, String str3, String str4) throws Exception {
        return doBackchannelAuthenticationRequest(str, str2, str3, str4, null, null);
    }

    private OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest(String str, String str2, String str3, String str4, String str5, Map<String, String> map) throws Exception {
        OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = this.oauth.doBackchannelAuthenticationRequest(str, str2, str3, str4, (String) null, str5, map);
        MatcherAssert.assertThat(Integer.valueOf(doBackchannelAuthenticationRequest.getStatusCode()), Matchers.is(Matchers.equalTo(200)));
        Assert.assertNotNull(doBackchannelAuthenticationRequest.getAuthReqId());
        return doBackchannelAuthenticationRequest;
    }

    private TestAuthenticationChannelRequest doAuthenticationChannelRequest(String str) {
        return this.testingClient.testApp().oidcClientEndpoints().getAuthenticationChannel(str);
    }

    private EventRepresentation doAuthenticationChannelCallback(TestAuthenticationChannelRequest testAuthenticationChannelRequest) throws Exception {
        MatcherAssert.assertThat(Integer.valueOf(this.oauth.doAuthenticationChannelCallback(testAuthenticationChannelRequest.getBearerToken(), AuthenticationChannelResponse.Status.SUCCEED)), Matchers.is(Matchers.equalTo(200)));
        EventRepresentation eventRepresentation = new EventRepresentation();
        eventRepresentation.setDetails(Collections.emptyMap());
        return eventRepresentation;
    }

    private EventRepresentation doAuthenticationChannelCallbackError(Response.Status status, String str, TestAuthenticationChannelRequest testAuthenticationChannelRequest, AuthenticationChannelResponse.Status status2, String str2, String str3) throws Exception {
        MatcherAssert.assertThat(Integer.valueOf(this.oauth.doAuthenticationChannelCallback(testAuthenticationChannelRequest.getBearerToken(), status2)), Matchers.is(Matchers.equalTo(Integer.valueOf(status.getStatusCode()))));
        return this.events.expect(EventType.LOGIN_ERROR).clearDetails().client(str).error(str3).user((String) null).session(CoreMatchers.nullValue(String.class)).assertEvent();
    }

    private OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest(String str, String str2) throws Exception {
        return doBackchannelAuthenticationTokenRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", str, str2);
    }

    private OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest(String str, String str2, String str3, String str4) throws Exception {
        OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest(str, str2, str4);
        verifyBackchannelAuthenticationTokenRequest(doBackchannelAuthenticationTokenRequest, str, str3);
        return doBackchannelAuthenticationTokenRequest;
    }

    private OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest(String str, String str2, String str3, String str4, CloseableHttpClient closeableHttpClient) throws Exception {
        OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = this.oauth.doBackchannelAuthenticationTokenRequest(str, str2, str4, closeableHttpClient);
        verifyBackchannelAuthenticationTokenRequest(doBackchannelAuthenticationTokenRequest, str, str3);
        return doBackchannelAuthenticationTokenRequest;
    }

    private void verifyBackchannelAuthenticationTokenRequest(OAuthClient.AccessTokenResponse accessTokenResponse, String str, String str2) {
        MatcherAssert.assertThat(Integer.valueOf(accessTokenResponse.getStatusCode()), Matchers.is(Matchers.equalTo(200)));
        this.events.expectAuthReqIdToToken(null, null).clearDetails().user(AssertEvents.isUUID()).client(str).assertEvent();
        MatcherAssert.assertThat(this.oauth.verifyToken(accessTokenResponse.getAccessToken()).getIssuedFor(), Matchers.is(Matchers.equalTo(str)));
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(accessTokenResponse.getRefreshToken());
        MatcherAssert.assertThat(parseRefreshToken.getIssuedFor(), Matchers.is(Matchers.equalTo(str)));
        MatcherAssert.assertThat(parseRefreshToken.getAudience()[0], Matchers.is(Matchers.equalTo(parseRefreshToken.getIssuer())));
        IDToken verifyIDToken = this.oauth.verifyIDToken(accessTokenResponse.getIdToken());
        MatcherAssert.assertThat(verifyIDToken.getPreferredUsername(), Matchers.is(Matchers.equalTo(str2)));
        MatcherAssert.assertThat(verifyIDToken.getIssuedFor(), Matchers.is(Matchers.equalTo(str)));
        MatcherAssert.assertThat(verifyIDToken.getAudience()[0], Matchers.is(Matchers.equalTo(verifyIDToken.getIssuedFor())));
    }

    private String doIntrospectAccessTokenWithClientCredential(OAuthClient.AccessTokenResponse accessTokenResponse, String str) throws IOException {
        String introspectAccessTokenWithClientCredential = this.oauth.introspectAccessTokenWithClientCredential(AssertEvents.DEFAULT_CLIENT_ID, "password", accessTokenResponse.getAccessToken());
        ObjectMapper objectMapper = new ObjectMapper();
        JsonNode readTree = objectMapper.readTree(introspectAccessTokenWithClientCredential);
        MatcherAssert.assertThat(Boolean.valueOf(readTree.get("active").asBoolean()), Matchers.is(Matchers.equalTo(true)));
        MatcherAssert.assertThat(readTree.get("username").asText(), Matchers.is(Matchers.equalTo(str)));
        MatcherAssert.assertThat(readTree.get("client_id").asText(), Matchers.is(Matchers.equalTo(AssertEvents.DEFAULT_CLIENT_ID)));
        TokenMetadataRepresentation tokenMetadataRepresentation = (TokenMetadataRepresentation) objectMapper.readValue(introspectAccessTokenWithClientCredential, TokenMetadataRepresentation.class);
        MatcherAssert.assertThat(Boolean.valueOf(tokenMetadataRepresentation.isActive()), Matchers.is(Matchers.equalTo(true)));
        MatcherAssert.assertThat(tokenMetadataRepresentation.getClientId(), Matchers.is(Matchers.equalTo(AssertEvents.DEFAULT_CLIENT_ID)));
        MatcherAssert.assertThat(tokenMetadataRepresentation.getIssuedFor(), Matchers.is(Matchers.equalTo(AssertEvents.DEFAULT_CLIENT_ID)));
        this.events.expect(EventType.INTROSPECT_TOKEN).user((String) null).clearDetails().assertEvent();
        String introspectAccessTokenWithClientCredential2 = this.oauth.introspectAccessTokenWithClientCredential(AssertEvents.DEFAULT_CLIENT_ID, "password", accessTokenResponse.getRefreshToken());
        JsonNode readTree2 = objectMapper.readTree(introspectAccessTokenWithClientCredential2);
        MatcherAssert.assertThat(Boolean.valueOf(readTree2.get("active").asBoolean()), Matchers.is(Matchers.equalTo(true)));
        MatcherAssert.assertThat(readTree2.get("client_id").asText(), Matchers.is(Matchers.equalTo(AssertEvents.DEFAULT_CLIENT_ID)));
        TokenMetadataRepresentation tokenMetadataRepresentation2 = (TokenMetadataRepresentation) objectMapper.readValue(introspectAccessTokenWithClientCredential2, TokenMetadataRepresentation.class);
        MatcherAssert.assertThat(Boolean.valueOf(tokenMetadataRepresentation2.isActive()), Matchers.is(Matchers.equalTo(true)));
        MatcherAssert.assertThat(tokenMetadataRepresentation2.getClientId(), Matchers.is(Matchers.equalTo(AssertEvents.DEFAULT_CLIENT_ID)));
        MatcherAssert.assertThat(tokenMetadataRepresentation2.getIssuedFor(), Matchers.is(Matchers.equalTo(AssertEvents.DEFAULT_CLIENT_ID)));
        MatcherAssert.assertThat(tokenMetadataRepresentation2.getAudience()[0], Matchers.is(Matchers.equalTo(tokenMetadataRepresentation2.getIssuer())));
        this.events.expect(EventType.INTROSPECT_TOKEN).user((String) null).clearDetails().assertEvent();
        String introspectAccessTokenWithClientCredential3 = this.oauth.introspectAccessTokenWithClientCredential(AssertEvents.DEFAULT_CLIENT_ID, "password", accessTokenResponse.getIdToken());
        JsonNode readTree3 = objectMapper.readTree(introspectAccessTokenWithClientCredential3);
        MatcherAssert.assertThat(Boolean.valueOf(readTree3.get("active").asBoolean()), Matchers.is(Matchers.equalTo(true)));
        MatcherAssert.assertThat(readTree3.get("client_id").asText(), Matchers.is(Matchers.equalTo(AssertEvents.DEFAULT_CLIENT_ID)));
        TokenMetadataRepresentation tokenMetadataRepresentation3 = (TokenMetadataRepresentation) objectMapper.readValue(introspectAccessTokenWithClientCredential3, TokenMetadataRepresentation.class);
        MatcherAssert.assertThat(Boolean.valueOf(tokenMetadataRepresentation3.isActive()), Matchers.is(Matchers.equalTo(true)));
        MatcherAssert.assertThat(tokenMetadataRepresentation3.getUserName(), Matchers.is(Matchers.equalTo(str)));
        MatcherAssert.assertThat(tokenMetadataRepresentation3.getClientId(), Matchers.is(Matchers.equalTo(AssertEvents.DEFAULT_CLIENT_ID)));
        MatcherAssert.assertThat(tokenMetadataRepresentation3.getIssuedFor(), Matchers.is(Matchers.equalTo(AssertEvents.DEFAULT_CLIENT_ID)));
        MatcherAssert.assertThat(tokenMetadataRepresentation3.getPreferredUsername(), Matchers.is(Matchers.equalTo(str)));
        MatcherAssert.assertThat(tokenMetadataRepresentation3.getAudience()[0], Matchers.is(Matchers.equalTo(tokenMetadataRepresentation3.getIssuedFor())));
        this.events.expect(EventType.INTROSPECT_TOKEN).user((String) null).clearDetails().assertEvent();
        return introspectAccessTokenWithClientCredential3;
    }

    private OAuthClient.AccessTokenResponse doRefreshTokenRequest(String str, String str2, String str3, boolean z) {
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(str, "password");
        MatcherAssert.assertThat(Integer.valueOf(doRefreshTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(200)));
        AccessToken verifyToken = this.oauth.verifyToken(doRefreshTokenRequest.getAccessToken());
        MatcherAssert.assertThat(verifyToken.getIssuedFor(), Matchers.is(Matchers.equalTo(AssertEvents.DEFAULT_CLIENT_ID)));
        checkTokenExpiration(verifyToken, doRefreshTokenRequest.getExpiresIn());
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(doRefreshTokenRequest.getRefreshToken());
        MatcherAssert.assertThat(parseRefreshToken.getIssuedFor(), Matchers.is(Matchers.equalTo(AssertEvents.DEFAULT_CLIENT_ID)));
        MatcherAssert.assertThat(parseRefreshToken.getAudience()[0], Matchers.is(Matchers.equalTo(parseRefreshToken.getIssuer())));
        if (!z) {
            checkTokenExpiration(parseRefreshToken, doRefreshTokenRequest.getRefreshExpiresIn());
        }
        IDToken verifyIDToken = this.oauth.verifyIDToken(doRefreshTokenRequest.getIdToken());
        MatcherAssert.assertThat(verifyIDToken.getPreferredUsername(), Matchers.is(Matchers.equalTo(str2)));
        MatcherAssert.assertThat(verifyIDToken.getIssuedFor(), Matchers.is(Matchers.equalTo(AssertEvents.DEFAULT_CLIENT_ID)));
        MatcherAssert.assertThat(verifyIDToken.getAudience()[0], Matchers.is(Matchers.equalTo(verifyIDToken.getIssuedFor())));
        checkTokenExpiration(verifyIDToken, doRefreshTokenRequest.getExpiresIn());
        this.events.expectRefresh(doRefreshTokenRequest.getRefreshToken(), str3).session(CoreMatchers.notNullValue(String.class)).user(AssertEvents.isUUID()).clearDetails().assertEvent();
        return doRefreshTokenRequest;
    }

    private void checkTokenExpiration(JsonWebToken jsonWebToken, long j) {
        MatcherAssert.assertThat(jsonWebToken, Matchers.notNullValue());
        Long exp = jsonWebToken.getExp();
        Long iat = jsonWebToken.getIat();
        MatcherAssert.assertThat(exp, Matchers.notNullValue());
        MatcherAssert.assertThat(iat, Matchers.notNullValue());
        org.keycloak.testsuite.Assert.assertExpiration(exp.longValue(), iat.longValue() + j);
    }

    private EventRepresentation doLogoutByRefreshToken(String str, String str2, String str3, boolean z) throws IOException {
        CloseableHttpResponse doLogout = this.oauth.doLogout(str, "password");
        Throwable th = null;
        try {
            try {
                MatcherAssert.assertThat(doLogout, org.keycloak.testsuite.util.Matchers.statusCodeIsHC(Response.Status.NO_CONTENT));
                if (doLogout != null) {
                    if (0 != 0) {
                        try {
                            doLogout.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        doLogout.close();
                    }
                }
                OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(str, "password");
                MatcherAssert.assertThat(Integer.valueOf(doRefreshTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
                MatcherAssert.assertThat(doRefreshTokenRequest.getError(), Matchers.is(Matchers.equalTo("invalid_grant")));
                if (z) {
                    MatcherAssert.assertThat(doRefreshTokenRequest.getErrorDescription(), Matchers.is(Matchers.equalTo("Offline user session not found")));
                } else {
                    MatcherAssert.assertThat(doRefreshTokenRequest.getErrorDescription(), Matchers.is(Matchers.equalTo("Session not active")));
                }
                return this.events.expectLogout(str2).client(AssertEvents.DEFAULT_CLIENT_ID).user(AssertEvents.isUUID()).session(AssertEvents.isUUID()).clearDetails().assertEvent();
            } finally {
            }
        } catch (Throwable th3) {
            if (doLogout != null) {
                if (th != null) {
                    try {
                        doLogout.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    doLogout.close();
                }
            }
            throw th3;
        }
    }

    private EventRepresentation doTokenRevokeByRefreshToken(String str, String str2, String str3, boolean z) throws IOException {
        CloseableHttpResponse doTokenRevoke = this.oauth.doTokenRevoke(str, "refresh_token", "password");
        Throwable th = null;
        try {
            MatcherAssert.assertThat(doTokenRevoke, org.keycloak.testsuite.util.Matchers.statusCodeIsHC(Response.Status.OK));
            if (doTokenRevoke != null) {
                if (0 != 0) {
                    try {
                        doTokenRevoke.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    doTokenRevoke.close();
                }
            }
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(str, "password");
            MatcherAssert.assertThat(Integer.valueOf(doRefreshTokenRequest.getStatusCode()), Matchers.is(Matchers.equalTo(400)));
            MatcherAssert.assertThat(doRefreshTokenRequest.getError(), Matchers.is(Matchers.equalTo("invalid_grant")));
            if (z) {
                MatcherAssert.assertThat(doRefreshTokenRequest.getErrorDescription(), Matchers.is(Matchers.equalTo("Offline user session not found")));
            } else {
                MatcherAssert.assertThat(doRefreshTokenRequest.getErrorDescription(), Matchers.is(Matchers.equalTo("Session not active")));
            }
            return this.events.expect(EventType.REVOKE_GRANT).clearDetails().client(AssertEvents.DEFAULT_CLIENT_ID).user(AssertEvents.isUUID()).assertEvent();
        } catch (Throwable th3) {
            if (doTokenRevoke != null) {
                if (0 != 0) {
                    try {
                        doTokenRevoke.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    doTokenRevoke.close();
                }
            }
            throw th3;
        }
    }

    private void testBackchannelAuthenticationFlow(boolean z) throws Exception {
        testBackchannelAuthenticationFlow(z, "BASTION");
    }

    private void testBackchannelAuthenticationFlow(boolean z, String str) throws Exception {
        ClientResource clientResource = null;
        ClientRepresentation clientRepresentation = null;
        try {
            HashMap hashMap = new HashMap();
            hashMap.put("user_device", "mobile");
            clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            MatcherAssert.assertThat(clientResource, Matchers.notNullValue());
            clientRepresentation = clientResource.toRepresentation();
            prepareCIBASettings(clientResource, clientRepresentation);
            if (z) {
                this.oauth.scope("offline_access");
            }
            long currentTime = Time.currentTime();
            OAuthClient.AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest = doBackchannelAuthenticationRequest(AssertEvents.DEFAULT_CLIENT_ID, "password", "nutzername-rot", str, null, hashMap);
            TestAuthenticationChannelRequest doAuthenticationChannelRequest = doAuthenticationChannelRequest(str);
            AuthenticationChannelRequest request = doAuthenticationChannelRequest.getRequest();
            MatcherAssert.assertThat(request.getBindingMessage(), Matchers.is(Matchers.equalTo(str)));
            if (z) {
                MatcherAssert.assertThat(request.getScope(), Matchers.is(Matchers.containsString("offline_access")));
            }
            MatcherAssert.assertThat(request.getScope(), Matchers.is(Matchers.containsString("openid")));
            MatcherAssert.assertThat(request.getAdditionalParameters().get("user_device"), Matchers.is(Matchers.equalTo("mobile")));
            EventRepresentation doAuthenticationChannelCallback = doAuthenticationChannelCallback(doAuthenticationChannelRequest);
            String sessionId = doAuthenticationChannelCallback.getSessionId();
            String userId = doAuthenticationChannelCallback.getUserId();
            OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest = doBackchannelAuthenticationTokenRequest("nutzername-rot", doBackchannelAuthenticationRequest.getAuthReqId());
            IDToken verifyIDToken = this.oauth.verifyIDToken(doBackchannelAuthenticationTokenRequest.getIdToken());
            long currentTime2 = Time.currentTime();
            long longValue = verifyIDToken.getAuth_time().longValue();
            Assert.assertTrue(currentTime - 5 <= longValue);
            Assert.assertTrue(longValue <= currentTime2 + 5);
            doIntrospectAccessTokenWithClientCredential(doBackchannelAuthenticationTokenRequest, "nutzername-rot");
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = doRefreshTokenRequest(doBackchannelAuthenticationTokenRequest.getRefreshToken(), "nutzername-rot", sessionId, z);
            doIntrospectAccessTokenWithClientCredential(doRefreshTokenRequest, "nutzername-rot");
            doLogoutByRefreshToken(doRefreshTokenRequest.getRefreshToken(), sessionId, userId, z);
            revertCIBASettings(clientResource, clientRepresentation);
        } catch (Throwable th) {
            revertCIBASettings(clientResource, clientRepresentation);
            throw th;
        }
    }
}
