package org.keycloak.testsuite.oidc;

import java.net.URI;
import java.security.PublicKey;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientScopesResource;
import org.keycloak.admin.client.resource.ProtocolMappersResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.common.util.PemUtils;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.UserInfo;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.services.Urls;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.KeycloakModelUtils;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.TokenSignatureUtil;
import org.keycloak.testsuite.util.UserInfoClientUtil;
import org.keycloak.util.BasicAuthHelper;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/testsuite/oidc/UserInfoTest.class */
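/**
 * Integration tests for the OIDC UserInfo endpoint of the {@code test} realm.
 *
 * <p>The positive tests cover the ways an access token can be presented: GET with a bearer
 * header, POST with a bearer header, and POST with an {@code access_token} form parameter.
 * They also cover signed ({@code application/jwt}) responses. The negative tests check that
 * the endpoint rejects tokens that must no longer be honoured: expired tokens, tokens whose
 * user session was removed or replaced, tokens issued before a realm or client not-before
 * time, malformed or empty tokens, and tokens belonging to a client that is not an OIDC client.
 *
 * <p>Every test that changes realm or client configuration restores it in a {@code finally}
 * block, so a failing assertion cannot leak state (for example a not-before time in the
 * future) into later tests.
 */
public class UserInfoTest extends AbstractKeycloakTest {

    @Rule
    public AssertEvents events = new AssertEvents(this);

    /** Delegates to the base class; kept as an explicit hook for this suite. */
    @Override
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    /** Enables the direct access (password) grant on the default test client before each test. */
    @Before
    public void clientConfiguration() {
        ClientManager.realm(adminClient.realm("test"))
                .clientId(AssertEvents.DEFAULT_CLIENT_ID)
                .directAccessGrant(true);
    }

    /**
     * Registers the realm loaded from {@code /testrealm.json}, with the test event listener
     * enabled, and adds a {@code saml-client} client that may use service accounts and the
     * direct access grant.
     *
     * @param list collection the test realm is appended to
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation baseRealm = AbstractAdminTest.loadJson(
                getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
        RealmRepresentation testRealm = RealmBuilder.edit(baseRealm).testEventListener().build();
        list.add(testRealm);

        // Fixture credentials only: "secret" is the client secret the SAML-client test logs in with.
        ClientRepresentation samlClient = KeycloakModelUtils.createClient(testRealm, "saml-client");
        samlClient.setSecret("secret");
        samlClient.setServiceAccountsEnabled(true);
        samlClient.setDirectAccessGrantsEnabled(true);
    }

    /** GET with a bearer header succeeds and, by default, exposes no role claims. */
    @Test
    public void testSuccess_getMethod_header() throws Exception {
        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            String token = executeGrantAccessTokenRequest(client).getToken();
            Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, token);
            UserInfo userInfo = testSuccessfulUserInfoResponse(response);
            testRolesAreNotInUserInfoResponse(userInfo);
        } finally {
            client.close();
        }
    }

    /**
     * POST with an empty form body and the token in the {@code Authorization} header succeeds.
     * The scheme is sent in lower case ({@code bearer}), so the test also depends on the server
     * accepting that spelling.
     */
    @Test
    public void testSuccess_postMethod_header() throws Exception {
        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            String token = executeGrantAccessTokenRequest(client).getToken();
            Response response = UserInfoClientUtil.getUserInfoWebTarget(client).request()
                    .header("Authorization", "bearer " + token)
                    .post(Entity.form(new Form()));
            testSuccessfulUserInfoResponse(response);
        } finally {
            client.close();
        }
    }

    /** POST with the token carried as the {@code access_token} form parameter succeeds. */
    @Test
    public void testSuccess_postMethod_body() throws Exception {
        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            AccessTokenResponse tokens = executeGrantAccessTokenRequest(client);
            Form form = new Form();
            form.param("access_token", tokens.getToken());
            Response response = UserInfoClientUtil.getUserInfoWebTarget(client).request()
                    .post(Entity.form(form));
            testSuccessfulUserInfoResponse(response);
        } finally {
            client.close();
        }
    }

    /**
     * A client id and a client role that contain dots work end to end: the role appears under
     * the dotted client id in the access token, and the UserInfo event names that client.
     */
    @Test
    public void testSuccess_dotsInClientId() throws Exception {
        ClientRepresentation dottedClient = ClientBuilder.create()
                .clientId("my.foo.client")
                .addRedirectUri("http://foo.host")
                .secret("password")
                .directAccessGrants()
                .build();
        RealmResource realm = adminClient.realm("test");
        Response created = realm.clients().create(dottedClient);
        String clientUuid;
        try {
            clientUuid = ApiUtil.getCreatedId(created);
        } finally {
            created.close();
        }
        // Registered for cleanup so the extra client does not outlive this test.
        getCleanup().addClientUuid(clientUuid);

        realm.clients().get(clientUuid).roles().create(RoleBuilder.create().name("my.foo.role").build());
        ApiUtil.findUserByUsernameId(realm, AssertEvents.DEFAULT_USERNAME)
                .roles()
                .clientLevel(clientUuid)
                .add(Collections.singletonList(
                        realm.clients().get(clientUuid).roles().get("my.foo.role").toRepresentation()));

        OAuthClient.AccessTokenResponse tokens = oauth.clientId("my.foo.client")
                .doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertNames(
                oauth.verifyToken(tokens.getAccessToken()).getResourceAccess("my.foo.client").getRoles(),
                "my.foo.role");
        events.clear();

        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            Response response =
                    UserInfoClientUtil.executeUserInfoRequest_getMethod(client, tokens.getAccessToken());
            testSuccessfulUserInfoResponse(response, "my.foo.client");
        } finally {
            client.close();
        }
    }

    /** POST with a bearer header and an empty {@code text/plain} entity succeeds. */
    @Test
    public void testSuccess_postMethod_header_textEntity() throws Exception {
        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            String token = executeGrantAccessTokenRequest(client).getToken();
            Response response = UserInfoClientUtil.getUserInfoWebTarget(client).request()
                    .header("Authorization", "bearer " + token)
                    .post(Entity.text(""));
            testSuccessfulUserInfoResponse(response);
        } finally {
            client.close();
        }
    }

    /**
     * With RS256 configured as the client's UserInfo signing algorithm, the response is a JWS
     * whose signature verifies against the realm's active signing key and whose payload holds
     * the expected claims.
     */
    @Test
    public void testSuccessSignedResponse() throws Exception {
        ClientResource clientResource =
                ApiUtil.findClientByClientId(adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep)
                .setUserInfoSignedResponseAlg(Algorithm.RS256);
        clientResource.update(clientRep);
        try {
            ResteasyClient client = AdminClientUtil.createResteasyClient();
            try {
                String token = executeGrantAccessTokenRequest(client).getToken();
                Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, token);
                events.expect(EventType.USER_INFO_REQUEST)
                        .session(Matchers.notNullValue(String.class))
                        .detail("auth_method", "validate_access_token")
                        .detail("username", AssertEvents.DEFAULT_USERNAME)
                        .detail("signature_required", "true")
                        .detail("signature_algorithm", Algorithm.RS256.toString())
                        .assertEvent();

                PublicKey realmKey = PemUtils.decodePublicKey(
                        ApiUtil.findActiveSigningKey(adminClient.realm("test")).getPublicKey());
                JWSInput jws = readSignedUserInfo(response);

                // The signature is checked before the payload is trusted for claim assertions.
                Assert.assertTrue(RSAProvider.verify(jws, realmKey));
                assertDefaultUserClaims(JsonSerialization.readValue(jws.getContent(), UserInfo.class));
            } finally {
                client.close();
            }
        } finally {
            // Restore unsigned responses even when an assertion fails, so the signing
            // requirement does not leak into the other tests that expect plain JSON.
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep)
                    .setUserInfoSignedResponseAlg((Algorithm) null);
            clientResource.update(clientRep);
        }
    }

    /** Signed UserInfo response using ES256. */
    @Test
    public void testSuccessSignedResponseES256() throws Exception {
        testSuccessSignedResponse(Algorithm.ES256);
    }

    /** Signed UserInfo response using PS256. */
    @Test
    public void testSuccessSignedResponsePS256() throws Exception {
        testSuccessSignedResponse(Algorithm.PS256);
    }

    /**
     * After the realm's user sessions are removed, a previously issued access token is
     * rejected with 401 and a bearer challenge carrying {@code error="invalid_request"}.
     */
    @Test
    public void testSessionExpired() {
        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            AccessTokenResponse tokens = executeGrantAccessTokenRequest(client);
            testingClient.testing().removeUserSessions("test");

            Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, tokens.getToken());
            try {
                String challenge = assertBearerChallenge(response, "invalid_request");
                MatcherAssert.assertThat(challenge, CoreMatchers.containsString("realm=\"test\""));
            } finally {
                response.close();
            }
            events.expect(EventType.USER_INFO_REQUEST_ERROR)
                    .error("user_session_not_found")
                    .user(Matchers.nullValue(String.class))
                    .session(Matchers.nullValue(String.class))
                    .detail("auth_method", "validate_access_token")
                    .assertEvent();
        } finally {
            client.close();
        }
    }

    /**
     * An access token presented 600 seconds after issuance is rejected with 401 and
     * {@code error="invalid_token"}.
     */
    @Test
    public void testAccessTokenExpired() {
        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            AccessTokenResponse tokens = executeGrantAccessTokenRequest(client);
            // NOTE(review): the offset is not reset in this method; presumably the base class
            // teardown restores it - confirm.
            setTimeOffset(600);

            Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, tokens.getToken());
            try {
                assertBearerChallenge(response, "invalid_token");
            } finally {
                response.close();
            }
            events.expect(EventType.USER_INFO_REQUEST_ERROR)
                    .error("invalid_token")
                    .user(Matchers.nullValue(String.class))
                    .session(Matchers.nullValue(String.class))
                    .detail("auth_method", "validate_access_token")
                    .client((String) null)
                    .assertEvent();
        } finally {
            client.close();
        }
    }

    /**
     * A token issued for a session that was logged out stays invalid after the same user logs
     * in again: the new login must not revive the old token.
     */
    @Test
    public void testAccessTokenAfterUserSessionLogoutAndLoginAgain() {
        OAuthClient.AccessTokenResponse oldTokens = loginAndForceNewLoginPage();
        oauth.doLogout(oldTokens.getRefreshToken(), "password");
        events.clear();

        setTimeOffset(2);
        oauth.fillLoginForm(AssertEvents.DEFAULT_USERNAME, "password");
        events.expectLogin().assertEvent();
        Assert.assertFalse(loginPage.isCurrent());
        events.clear();

        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            Response response =
                    UserInfoClientUtil.executeUserInfoRequest_getMethod(client, oldTokens.getAccessToken());
            try {
                assertBearerChallenge(response, "invalid_token");
            } finally {
                response.close();
            }
            events.expect(EventType.USER_INFO_REQUEST_ERROR)
                    .error("invalid_token")
                    .user(Matchers.nullValue(String.class))
                    .session(Matchers.nullValue(String.class))
                    .detail("auth_method", "validate_access_token")
                    .client(AssertEvents.DEFAULT_CLIENT_ID)
                    .assertEvent();
        } finally {
            client.close();
        }
    }

    /**
     * A token issued before the not-before time is rejected with 401, first when the time is
     * set on the realm and then when it is set on the client only.
     */
    @Test
    public void testNotBeforeTokens() {
        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            AccessTokenResponse tokens = executeGrantAccessTokenRequest(client);
            // 60 seconds in the future, so the token just issued predates it.
            int notBefore = Time.currentTime() + 60;

            RealmResource realm = adminClient.realm("test");
            RealmRepresentation realmRep = realm.toRepresentation();
            realmRep.setNotBefore(notBefore);
            realm.update(realmRep);
            try {
                assertRejectedAsInvalidToken(client, tokens.getToken());
                events.clear();
            } finally {
                // Always lift the realm-wide revocation; left in place it would invalidate
                // every token issued by later tests.
                realmRep.setNotBefore(0);
                realm.update(realmRep);
            }

            ClientResource clientResource = realm.clients()
                    .get(realm.clients().findByClientId(AssertEvents.DEFAULT_CLIENT_ID).get(0).getId());
            ClientRepresentation clientRep = clientResource.toRepresentation();
            clientRep.setNotBefore(notBefore);
            clientResource.update(clientRep);
            try {
                assertRejectedAsInvalidToken(client, tokens.getToken());
            } finally {
                clientRep.setNotBefore(0);
                clientResource.update(clientRep);
            }
        } finally {
            client.close();
        }
    }

    /**
     * A token obtained with the {@code offline_access} scope is still accepted after the
     * realm's user sessions are removed.
     */
    @Test
    public void testSessionExpiredOfflineAccess() throws Exception {
        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            AccessTokenResponse tokens = executeGrantAccessTokenRequest(client, true);
            testingClient.testing().removeUserSessions("test");

            Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, tokens.getToken());
            try {
                testSuccessfulUserInfoResponse(response);
            } finally {
                response.close();
            }
        } finally {
            client.close();
        }
    }

    /** A value that is not a token at all is rejected with 401 and {@code error="invalid_token"}. */
    @Test
    public void testUnsuccessfulUserInfoRequest() throws Exception {
        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, "bad");
            try {
                assertBearerChallenge(response, "invalid_token");
            } finally {
                response.close();
            }
            events.expect(EventType.USER_INFO_REQUEST_ERROR)
                    .error("invalid_token")
                    .client((String) null)
                    .user(Matchers.nullValue(String.class))
                    .session(Matchers.nullValue(String.class))
                    .detail("auth_method", "validate_access_token")
                    .assertEvent();
        } finally {
            client.close();
        }
    }

    /** An empty access token is answered with 400 Bad Request. */
    @Test
    public void testUnsuccessfulUserInfoRequestWithEmptyAccessToken() {
        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            // The response is held in a local so its status can be asserted; the listing this
            // was recovered from read the status from an undefined variable.
            Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, "");
            response.close();
            Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatus());
        } finally {
            client.close();
        }
    }

    /**
     * A token issued to {@code saml-client} is refused with 400 once that client's protocol
     * is switched to {@code saml}: only OIDC clients may use the UserInfo endpoint.
     */
    @Test
    public void testUserInfoRequestWithSamlClient() throws Exception {
        String accessToken = oauth.doGrantAccessTokenRequest(
                "test", AssertEvents.DEFAULT_USERNAME, "password", (String) null, "saml-client", "secret")
                .getAccessToken();

        // NOTE(review): the protocol change is not reverted by this test - confirm that no
        // other test relies on saml-client being an OIDC client.
        ClientRepresentation samlClient =
                adminClient.realm("test").clients().findByClientId("saml-client").get(0);
        samlClient.setProtocol("saml");
        adminClient.realm("test").clients().get(samlClient.getId()).update(samlClient);

        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            events.clear();
            Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, accessToken);
            response.close();
            Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatus());
            events.expect(EventType.USER_INFO_REQUEST)
                    .error("invalid_client")
                    .client((String) null)
                    .user(Matchers.nullValue(String.class))
                    .session(Matchers.nullValue(String.class))
                    .detail("auth_method", "validate_access_token")
                    .assertEvent();
        } finally {
            client.close();
        }
    }

    /**
     * With the role mappers' {@code userinfo.token.claim} switched on, realm and client roles
     * appear in the UserInfo response.
     */
    @Test
    public void testRolesAreAvailable_getMethod_header() throws Exception {
        switchIncludeRolesInUserInfoEndpoint(true);
        try {
            ResteasyClient client = AdminClientUtil.createResteasyClient();
            try {
                String token = executeGrantAccessTokenRequest(client).getToken();
                Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, token);
                testRolesInUserInfoResponse(testSuccessfulUserInfoResponse(response));
            } finally {
                client.close();
            }
        } finally {
            // Role claims are off by default; switch them back off so other tests keep
            // seeing responses without roles.
            switchIncludeRolesInUserInfoEndpoint(false);
        }
    }

    /** Obtains tokens through the password grant without the {@code offline_access} scope. */
    private AccessTokenResponse executeGrantAccessTokenRequest(Client client) {
        return executeGrantAccessTokenRequest(client, false);
    }

    /**
     * Obtains tokens for the default test user through the password grant and clears the
     * recorded events so that callers only see events caused by their own requests.
     *
     * @param client JAX-RS client used for the token request
     * @param requestOfflineAccess whether to add {@code scope=offline_access} to the request
     * @return the token response; the request is asserted to have returned 200
     */
    private AccessTokenResponse executeGrantAccessTokenRequest(Client client, boolean requestOfflineAccess) {
        WebTarget tokenEndpoint = client.target(
                OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build("test"));
        // Fixture credentials of the test realm, not real secrets.
        String basicAuth = BasicAuthHelper.createHeader(AssertEvents.DEFAULT_CLIENT_ID, "password");

        Form form = new Form();
        form.param("grant_type", "password")
                .param("username", AssertEvents.DEFAULT_USERNAME)
                .param("password", "password");
        if (requestOfflineAccess) {
            form.param("scope", "offline_access");
        }

        Response response = tokenEndpoint.request().header("Authorization", basicAuth).post(Entity.form(form));
        AccessTokenResponse tokens;
        try {
            Assert.assertEquals(200, response.getStatus());
            tokens = response.readEntity(AccessTokenResponse.class);
        } finally {
            response.close();
        }
        events.clear();
        return tokens;
    }

    /** Asserts a successful, unsigned UserInfo response for the default test client. */
    private UserInfo testSuccessfulUserInfoResponse(Response response) {
        return testSuccessfulUserInfoResponse(response, AssertEvents.DEFAULT_CLIENT_ID);
    }

    /**
     * Asserts that a {@code USER_INFO_REQUEST} event was recorded for the given client with
     * {@code signature_required=false}, then delegates the response checks to
     * {@link UserInfoClientUtil}.
     *
     * @param response UserInfo endpoint response
     * @param expectedClientId client id the event must carry
     * @return the parsed UserInfo returned by the utility
     */
    private UserInfo testSuccessfulUserInfoResponse(Response response, String expectedClientId) {
        events.expect(EventType.USER_INFO_REQUEST)
                .session(Matchers.notNullValue(String.class))
                .detail("auth_method", "validate_access_token")
                .detail("username", AssertEvents.DEFAULT_USERNAME)
                .detail("signature_required", "false")
                .client(expectedClientId)
                .assertEvent();
        return UserInfoClientUtil.testSuccessfulUserInfoResponse(
                response, AssertEvents.DEFAULT_USERNAME, AssertEvents.DEFAULT_USERNAME);
    }

    /**
     * Configures {@code algorithm} as the client's UserInfo signing algorithm and checks that
     * the response is a JWS that declares that algorithm and carries the expected claims.
     *
     * @param algorithm signing algorithm to request for UserInfo responses
     */
    private void testSuccessSignedResponse(Algorithm algorithm) throws Exception {
        try {
            ClientResource clientResource =
                    ApiUtil.findClientByClientId(adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            ClientRepresentation clientRep = clientResource.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep)
                    .setUserInfoSignedResponseAlg(algorithm);
            clientResource.update(clientRep);
            try {
                ResteasyClient client = AdminClientUtil.createResteasyClient();
                try {
                    String token = executeGrantAccessTokenRequest(client).getToken();
                    Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, token);
                    events.expect(EventType.USER_INFO_REQUEST)
                            .session(Matchers.notNullValue(String.class))
                            .detail("auth_method", "validate_access_token")
                            .detail("username", AssertEvents.DEFAULT_USERNAME)
                            .detail("signature_required", "true")
                            .detail("signature_algorithm", algorithm.toString())
                            .assertEvent();

                    JWSInput jws = readSignedUserInfo(response);
                    // NOTE(review): only the declared "alg" header is compared here. Unlike the
                    // RS256 test, the signature itself is never verified against a realm key,
                    // so a response with a wrong or missing signature would still pass this test.
                    Assert.assertEquals(algorithm.toString(), jws.getHeader().getAlgorithm().name());
                    assertDefaultUserClaims(JsonSerialization.readValue(jws.getContent(), UserInfo.class));
                } finally {
                    client.close();
                }
            } finally {
                // Restore unsigned responses on failure as well as on success.
                OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep)
                        .setUserInfoSignedResponseAlg((Algorithm) null);
                clientResource.update(clientRep);
            }
        } finally {
            // NOTE(review): the realm provider is reset to RS256 although this method never
            // switches it - presumably a leftover; confirm.
            TokenSignatureUtil.changeRealmTokenSignatureProvider(adminClient, "RS256");
        }
    }

    /**
     * Logs in through the browser flow, exchanges the code for tokens and then reopens the
     * login form with {@code prompt=login}, so that the login page is shown again.
     *
     * @return the tokens issued for the first login
     */
    private OAuthClient.AccessTokenResponse loginAndForceNewLoginPage() {
        oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String code = (String) oauth.getCurrentQuery().get("code");
        oauth.clientSessionState("client-session");
        OAuthClient.AccessTokenResponse tokens = oauth.doAccessTokenRequest(code, "password");

        setTimeOffset(1);
        String promptLoginUrl = UriBuilder.fromUri(oauth.getLoginFormUrl())
                .queryParam("prompt", "login")
                .build()
                .toString();
        driver.navigate().to(promptLoginUrl);
        loginPage.assertCurrent();
        return tokens;
    }

    /**
     * Sets {@code userinfo.token.claim} on the {@code realm roles} and {@code client roles}
     * mappers of the {@code roles} client scope.
     *
     * @param include whether roles should be included in UserInfo responses
     */
    private void switchIncludeRolesInUserInfoEndpoint(boolean include) {
        ClientScopesResource clientScopes = adminClient.realm("test").clientScopes();
        ClientScopeRepresentation rolesScope = clientScopes.findAll().stream()
                .filter(scope -> "roles".equals(scope.getName()))
                .findAny()
                .orElseThrow(() -> new AssertionError("client scope not found: roles"));
        ProtocolMappersResource mappers = clientScopes.get(rolesScope.getId()).getProtocolMappers();

        ProtocolMapperRepresentation realmRoles = findMapperByName(mappers, "realm roles");
        realmRoles.getConfig().put("userinfo.token.claim", String.valueOf(include));
        ProtocolMapperRepresentation clientRoles = findMapperByName(mappers, "client roles");
        clientRoles.getConfig().put("userinfo.token.claim", String.valueOf(include));

        mappers.update(realmRoles.getId(), realmRoles);
        mappers.update(clientRoles.getId(), clientRoles);
    }

    /** Asserts that the expected realm and client roles are present in the UserInfo claims. */
    @SuppressWarnings("unchecked") // claims are deserialized JSON; the shapes below are what the test expects
    private void testRolesInUserInfoResponse(UserInfo userInfo) {
        Map<String, Iterable<String>> realmAccess =
                (Map<String, Iterable<String>>) userInfo.getOtherClaims().get("realm_access");
        Map<String, Map<String, Iterable<String>>> resourceAccess =
                (Map<String, Map<String, Iterable<String>>>) userInfo.getOtherClaims().get("resource_access");

        MatcherAssert.assertThat(realmAccess.get("roles"), CoreMatchers.hasItems("offline_access", "user"));
        MatcherAssert.assertThat(
                resourceAccess.get(AssertEvents.DEFAULT_CLIENT_ID).get("roles"),
                CoreMatchers.hasItems("customer-user"));
    }

    /** Asserts that neither realm nor client role claims are exposed in the UserInfo claims. */
    private void testRolesAreNotInUserInfoResponse(UserInfo userInfo) {
        Assert.assertNull(userInfo.getOtherClaims().get("realm_access"));
        Assert.assertNull(userInfo.getOtherClaims().get("resource_access"));
    }

    /**
     * Asserts a 401 response whose {@code WWW-Authenticate} header is a bearer challenge
     * carrying the given error code.
     *
     * @return the header value, for additional checks by the caller
     */
    private static String assertBearerChallenge(Response response, String expectedError) {
        Assert.assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
        String challenge = response.getHeaderString("WWW-Authenticate");
        Assert.assertNotNull(challenge);
        MatcherAssert.assertThat(challenge, CoreMatchers.containsString("Bearer"));
        MatcherAssert.assertThat(challenge, CoreMatchers.containsString("error=\"" + expectedError + "\""));
        return challenge;
    }

    /** Sends the token to the UserInfo endpoint and asserts a 401 plus an {@code invalid_token} error event. */
    private void assertRejectedAsInvalidToken(ResteasyClient client, String token) {
        Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, token);
        try {
            Assert.assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
        } finally {
            response.close();
        }
        events.expect(EventType.USER_INFO_REQUEST_ERROR)
                .error("invalid_token")
                .user(Matchers.nullValue(String.class))
                .session(Matchers.nullValue(String.class))
                .detail("auth_method", "validate_access_token")
                .client((String) null)
                .assertEvent();
    }

    /** Asserts a 200 {@code application/jwt} response and parses its body as a JWS. */
    private static JWSInput readSignedUserInfo(Response response) throws Exception {
        try {
            Assert.assertEquals(200, response.getStatus());
            Assert.assertEquals("application/jwt", response.getHeaderString("Content-Type"));
            return new JWSInput(response.readEntity(String.class));
        } finally {
            response.close();
        }
    }

    /** Asserts the subject, email, username, audience and issuer claims of the default test user. */
    private static void assertDefaultUserClaims(UserInfo userInfo) throws Exception {
        Assert.assertNotNull(userInfo);
        Assert.assertNotNull(userInfo.getSubject());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, userInfo.getEmail());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, userInfo.getPreferredUsername());
        Assert.assertTrue(userInfo.hasAudience(AssertEvents.DEFAULT_CLIENT_ID));
        Assert.assertEquals(
                Urls.realmIssuer(new URI(OAuthClient.AUTH_SERVER_ROOT), "test"), userInfo.getIssuer());
    }

    /** Finds a protocol mapper by name, failing the test when it does not exist. */
    private static ProtocolMapperRepresentation findMapperByName(ProtocolMappersResource mappers, String name) {
        return mappers.getMappers().stream()
                .filter(mapper -> name.equals(mapper.getName()))
                .findAny()
                .orElseThrow(() -> new AssertionError("protocol mapper not found: " + name));
    }
}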
