package org.keycloak.testsuite.par;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.ws.rs.core.UriBuilder;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.Time;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.client.AbstractClientPoliciesTest;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.ClientPoliciesUtil;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/testsuite/par/ParTest.class */
public class ParTest extends AbstractClientPoliciesTest {
    // Fixture accounts for end-user logins. These are test-realm credentials only; the
    // password value matches the literal passed to doLogin(...) in the tests below.
    private static final String TEST_USER_NAME = "test-user@localhost";
    private static final String TEST_USER_PASSWORD = "password";
    private static final String TEST_USER2_NAME = "john-doh@localhost";
    private static final String TEST_USER2_PASSWORD = "password";
    // Base name handed to generateSuffixedName(...) when a client is registered dynamically.
    private static final String CLIENT_NAME = "Zahlungs-App";
    // Redirect URI registered for every dynamically created client in this class.
    private static final String CLIENT_REDIRECT_URI = "https://localhost:8543/auth/realms/test/app/auth/cb";
    // A request_uri in the urn:ietf:params:oauth:request_uri namespace. Not referenced in the
    // visible part of this file; presumably a value the server never issued - TODO confirm.
    private static final String IMAGINARY_REQUEST_URI = "urn:ietf:params:oauth:request_uri:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    // Not referenced in the visible part of this file; presumably the request_uri lifetime
    // in seconds that restoreParRealmSettings() puts back - TODO confirm.
    private static final int DEFAULT_REQUEST_URI_LIFESPAN = 60;
    // Web origin registered for the public client "test-app2" in addTestRealms.
    private static final String VALID_CORS_URL = "http://localtest.me:8180";
    // Not referenced in the visible part of this file; by its name an origin that is NOT
    // registered for any client - TODO confirm against the CORS tests.
    private static final String INVALID_CORS_URL = "http://invalid.localtest.me:8180";

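    /**
     * Adds the realm loaded from {@code /testrealm.json} to the realms under test, extended with
     * two administrative fixture users and one public client.
     *
     * <p>Each fixture user holds exactly one {@code realm-management} client role
     * ({@code manage-clients} or {@code create-client}), so the client-registration paths are
     * exercised with narrowly scoped accounts rather than a full realm admin. The shared
     * password is a fixed test value and must never be reused outside the test realm.
     *
     * @param list the list of realm representations to append the prepared realm to
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation realm = (RealmRepresentation) AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
        List<UserRepresentation> users = realm.getUsers();

        // One password credential, shared by both fixture users below.
        CredentialRepresentation password = new CredentialRepresentation();
        password.setType("password");
        password.setValue("password");
        List<CredentialRepresentation> credentials = new LinkedList<>();
        credentials.add(password);

        // User limited to the manage-clients role of the realm-management client.
        UserRepresentation manageClients = new UserRepresentation();
        manageClients.setEnabled(true);
        manageClients.setUsername("manage-clients");
        manageClients.setCredentials(credentials);
        manageClients.setClientRoles(Collections.singletonMap("realm-management", Collections.singletonList(AdminRoles.MANAGE_CLIENTS)));
        users.add(manageClients);

        // User limited to the create-client role, additionally placed in "topGroup".
        UserRepresentation createClients = new UserRepresentation();
        createClients.setEnabled(true);
        createClients.setUsername("create-clients");
        createClients.setCredentials(credentials);
        createClients.setClientRoles(Collections.singletonMap("realm-management", Collections.singletonList(AdminRoles.CREATE_CLIENT)));
        createClients.setGroups(Arrays.asList("topGroup"));
        users.add(createClients);
        realm.setUsers(users);

        // Public client with direct access grants and a single allowed web origin.
        realm.getClients().add(ClientBuilder.create().redirectUris("http://localtest.me:8180/realms/master/app").addWebOrigin(VALID_CORS_URL).clientId("test-app2").publicClient().directAccessGrants().build());
        list.add(realm);
    }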

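    /**
     * Happy path for one pushed authorization request (PAR): push, authorize by
     * {@code request_uri} only, exchange the code, refresh, log out.
     *
     * <p>Security-relevant expectations pinned here:
     * <ul>
     *   <li>the PAR endpoint answers 201 and reports the configured {@code expires_in};</li>
     *   <li>the authorization request carries no {@code redirect_uri}, {@code scope} or
     *       {@code response_type} of its own, so those values can only come from the pushed
     *       request;</li>
     *   <li>access and refresh tokens are bound to the same session and to the registering
     *       client ({@code azp});</li>
     *   <li>a refresh token is rejected with 400 once the session has been logged out.</li>
     * </ul>
     *
     * <p>The realm's PAR settings are restored in a {@code finally} block so that cleanup runs
     * exactly once, whether the test passes or fails.
     */
    @Test
    public void testSuccessfulSinglePar() throws Exception {
        try {
            // Presumably sets the request_uri lifetime (seconds); the expires_in assertion below relies on it.
            setParRealmSettings(45);

            // Register a confidential client that is required to use PAR.
            String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
                rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
                rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
            });
            OIDCClientRepresentation client = getClientDynamically(clientId);
            String clientSecret = client.getClientSecret();
            Assert.assertEquals(Boolean.TRUE, client.getRequirePushedAuthorizationRequests());
            Assert.assertTrue(client.getRedirectUris().contains(CLIENT_REDIRECT_URI));
            Assert.assertEquals("client_secret_basic", client.getTokenEndpointAuthMethod());

            // Push the authorization request over the authenticated back channel.
            this.oauth.clientId(clientId);
            this.oauth.redirectUri(CLIENT_REDIRECT_URI);
            OAuthClient.ParResponse parResponse = this.oauth.doPushedAuthorizationRequest(clientId, clientSecret);
            Assert.assertEquals(201L, parResponse.getStatusCode());
            String requestUri = parResponse.getRequestUri();
            Assert.assertEquals(45, parResponse.getExpiresIn());

            // Front channel: only request_uri (plus state) is sent; everything else is cleared.
            this.oauth.redirectUri((String) null);
            this.oauth.scope((String) null);
            this.oauth.responseType((String) null);
            this.oauth.requestUri(requestUri);
            String state = this.oauth.stateParamRandom().getState();
            this.oauth.stateParamHardcoded(state);
            OAuthClient.AuthorizationEndpointResponse login = this.oauth.doLogin("test-user@localhost", "password");
            Assert.assertEquals(state, login.getState());
            String code = login.getCode();
            String sessionState = login.getSessionState();

            // Code exchange: the token must identify the user by id (not username) and be issued to this client.
            this.oauth.redirectUri(CLIENT_REDIRECT_URI);
            OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, clientSecret);
            Assert.assertEquals(200L, tokenResponse.getStatusCode());
            AccessToken accessToken = this.oauth.verifyToken(tokenResponse.getAccessToken());
            Assert.assertEquals(ApiUtil.findUserByUsername(this.adminClient.realm("test"), "test-user@localhost").getId(), accessToken.getSubject());
            Assert.assertEquals(sessionState, accessToken.getSessionState());
            Assert.assertNotEquals("test-user@localhost", accessToken.getSubject());
            Assert.assertEquals(clientId, accessToken.getIssuedFor());
            String refreshTokenString = tokenResponse.getRefreshToken();
            RefreshToken refreshToken = this.oauth.parseRefreshToken(refreshTokenString);
            Assert.assertEquals(sessionState, refreshToken.getSessionState());
            Assert.assertEquals(clientId, refreshToken.getIssuedFor());

            // Refresh: the new tokens stay bound to the same session and user.
            OAuthClient.AccessTokenResponse refreshResponse = this.oauth.doRefreshTokenRequest(refreshTokenString, clientSecret);
            Assert.assertEquals(200L, refreshResponse.getStatusCode());
            AccessToken refreshedAccessToken = this.oauth.verifyToken(refreshResponse.getAccessToken());
            RefreshToken refreshedRefreshToken = this.oauth.parseRefreshToken(refreshResponse.getRefreshToken());
            Assert.assertEquals(sessionState, refreshedAccessToken.getSessionState());
            Assert.assertEquals(sessionState, refreshedRefreshToken.getSessionState());
            Assert.assertEquals(ApiUtil.findUserByUsername(this.adminClient.realm("test"), "test-user@localhost").getId(), refreshedAccessToken.getSubject());

            // After logout the refresh token must no longer be usable.
            this.oauth.doLogout(refreshResponse.getRefreshToken(), clientSecret);
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(refreshResponse.getRefreshToken(), clientSecret).getStatusCode());
        } finally {
            restoreParRealmSettings();
        }
    }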

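    /**
     * Verifies that the PAR endpoint rejects a signed request object whose algorithm does not
     * match the one registered for the client.
     *
     * <p>The client is registered with {@code request_object_signing_alg = PS256}, but the
     * request object is signed with RS256. The expected answer is HTTP 400 with error
     * {@code invalid_request_object}; accepting it would let a client silently fall back to an
     * algorithm other than the registered one.
     *
     * <p>The realm's PAR settings are restored in a {@code finally} block so that cleanup runs
     * exactly once, whether the test passes or fails.
     */
    @Test
    public void testWrongSigningAlgorithmForRequestObject() throws Exception {
        try {
            setParRealmSettings(45);

            // Client pins PS256 as the only acceptable request-object signing algorithm.
            String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
                rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
                rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
                rep.setRequestObjectSigningAlg("PS256");
            });
            this.oauth.clientId(clientId);
            OIDCClientRepresentation client = getClientDynamically(clientId);
            String clientSecret = client.getClientSecret();
            Assert.assertEquals(Boolean.TRUE, client.getRequirePushedAuthorizationRequests());
            Assert.assertTrue(client.getRedirectUris().contains(CLIENT_REDIRECT_URI));
            Assert.assertEquals("client_secret_basic", client.getTokenEndpointAuthMethod());

            // Request object valid from now for 300 seconds, with a fresh id and nonce.
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject = new TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject();
            requestObject.id(KeycloakModelUtils.generateId());
            requestObject.iat(Long.valueOf(Time.currentTime()));
            requestObject.exp(Long.valueOf(requestObject.getIat() + 300L));
            requestObject.nbf(requestObject.getIat());
            requestObject.setClientId(this.oauth.getClientId());
            requestObject.setResponseType("code");
            requestObject.setRedirectUriParam(CLIENT_REDIRECT_URI);
            requestObject.setScope("openid");
            requestObject.setNonce(KeycloakModelUtils.generateId());
            String encodedRequestObject = Base64Url.encode(JsonSerialization.writeValueAsBytes(requestObject));

            // Point the client at the test application's JWKS so the server can resolve the signing key.
            TestOIDCEndpointsApplicationResource oidcClientEndpoints = this.testingClient.testApp().oidcClientEndpoints();
            ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm(this.oauth.getRealm()), this.oauth.getClientId());
            ClientRepresentation representation = clientResource.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setUseJwksUrl(true);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
            clientResource.update(representation);

            // Sign with RS256 - deliberately not the registered PS256.
            oidcClientEndpoints.generateKeys("RS256");
            oidcClientEndpoints.registerOIDCRequest(encodedRequestObject, "RS256");
            this.oauth.request(oidcClientEndpoints.getOIDCRequest());
            this.oauth.responseType((String) null);
            this.oauth.redirectUri((String) null);
            this.oauth.scope((String) null);

            // The mismatch must be refused at push time, before any request_uri is issued.
            OAuthClient.ParResponse parResponse = this.oauth.doPushedAuthorizationRequest(clientId, clientSecret);
            Assert.assertEquals(400L, parResponse.getStatusCode());
            Assert.assertEquals("invalid_request_object", parResponse.getError());
        } finally {
            restoreParRealmSettings();
        }
    }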

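    /**
     * Happy path for PAR carrying a signed request object in the {@code request} parameter.
     *
     * <p>All authorization parameters travel inside the RS256-signed request object; the plain
     * {@code response_type}, {@code redirect_uri} and {@code scope} parameters are cleared both
     * for the push and for the later authorization request. The test then checks that the
     * nonce in the issued ID token equals the nonce from the request object, i.e. that the
     * pushed, signed values are the ones the server acted on.
     *
     * <p>The realm's PAR settings are restored in a {@code finally} block so that cleanup runs
     * exactly once, whether the test passes or fails.
     */
    @Test
    public void testSuccessfulUsingRequestParameter() throws Exception {
        try {
            setParRealmSettings(45);
            String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
                rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
                rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
            });
            this.oauth.clientId(clientId);
            OIDCClientRepresentation client = getClientDynamically(clientId);
            String clientSecret = client.getClientSecret();
            Assert.assertEquals(Boolean.TRUE, client.getRequirePushedAuthorizationRequests());
            Assert.assertTrue(client.getRedirectUris().contains(CLIENT_REDIRECT_URI));
            Assert.assertEquals("client_secret_basic", client.getTokenEndpointAuthMethod());

            // Request object valid from now for 300 seconds, with a fresh id and nonce.
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject = new TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject();
            requestObject.id(KeycloakModelUtils.generateId());
            requestObject.iat(Long.valueOf(Time.currentTime()));
            requestObject.exp(Long.valueOf(requestObject.getIat() + 300L));
            requestObject.nbf(requestObject.getIat());
            requestObject.setClientId(this.oauth.getClientId());
            requestObject.setResponseType("code");
            requestObject.setRedirectUriParam(CLIENT_REDIRECT_URI);
            requestObject.setScope("openid");
            requestObject.setNonce(KeycloakModelUtils.generateId());
            String encodedRequestObject = Base64Url.encode(JsonSerialization.writeValueAsBytes(requestObject));

            // Point the client at the test application's JWKS so the server can resolve the signing key.
            TestOIDCEndpointsApplicationResource oidcClientEndpoints = this.testingClient.testApp().oidcClientEndpoints();
            ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm(this.oauth.getRealm()), this.oauth.getClientId());
            ClientRepresentation representation = clientResource.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setUseJwksUrl(true);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
            clientResource.update(representation);
            oidcClientEndpoints.generateKeys("RS256");
            oidcClientEndpoints.registerOIDCRequest(encodedRequestObject, "RS256");

            // Push only the signed request object; no plain parameters accompany it.
            this.oauth.request(oidcClientEndpoints.getOIDCRequest());
            this.oauth.responseType((String) null);
            this.oauth.redirectUri((String) null);
            this.oauth.scope((String) null);
            OAuthClient.ParResponse parResponse = this.oauth.doPushedAuthorizationRequest(clientId, clientSecret);
            Assert.assertEquals(201L, parResponse.getStatusCode());
            String requestUri = parResponse.getRequestUri();
            Assert.assertEquals(45, parResponse.getExpiresIn());

            // Front channel: request_uri replaces the request object and every plain parameter.
            this.oauth.redirectUri((String) null);
            this.oauth.scope((String) null);
            this.oauth.responseType((String) null);
            this.oauth.request((String) null);
            this.oauth.requestUri(requestUri);
            OAuthClient.AuthorizationEndpointResponse login = this.oauth.doLogin("test-user@localhost", "password");

            this.oauth.redirectUri(CLIENT_REDIRECT_URI);
            OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(login.getCode(), clientSecret);
            Assert.assertEquals(200L, tokenResponse.getStatusCode());
            this.oauth.verifyToken(tokenResponse.getAccessToken());
            // The ID token nonce must be the one signed into the request object.
            Assert.assertEquals(requestObject.getNonce(), this.oauth.verifyIDToken(tokenResponse.getIdToken()).getNonce());
        } finally {
            restoreParRealmSettings();
        }
    }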

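    /**
     * Verifies that values inside the signed request object take precedence over conflicting
     * plain parameters, both at the PAR endpoint and at the authorization endpoint.
     *
     * <p>The push is sent with a different {@code response_type}, an unregistered
     * {@code redirect_uri} and a fixed nonce next to the request object; the authorization
     * request then adds an invalid scope, an invalid response type and a different
     * {@code state}. The flow must still succeed and the response must carry the state and the
     * ID-token nonce from the request object. This is the property that keeps unsigned
     * front-channel parameters from overriding what the client signed and pushed.
     *
     * <p>The realm's PAR settings are restored in a {@code finally} block so that cleanup runs
     * exactly once, whether the test passes or fails.
     */
    @Test
    public void testRequestParameterPrecedenceOverOtherParameters() throws Exception {
        try {
            setParRealmSettings(45);
            String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
                rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
                rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
            });
            this.oauth.clientId(clientId);
            OIDCClientRepresentation client = getClientDynamically(clientId);
            String clientSecret = client.getClientSecret();
            Assert.assertEquals(Boolean.TRUE, client.getRequirePushedAuthorizationRequests());
            Assert.assertTrue(client.getRedirectUris().contains(CLIENT_REDIRECT_URI));
            Assert.assertEquals("client_secret_basic", client.getTokenEndpointAuthMethod());

            // Request object valid from now for 300 seconds; it also carries its own state.
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject = new TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject();
            requestObject.id(KeycloakModelUtils.generateId());
            requestObject.iat(Long.valueOf(Time.currentTime()));
            requestObject.exp(Long.valueOf(requestObject.getIat() + 300L));
            requestObject.nbf(requestObject.getIat());
            requestObject.setClientId(this.oauth.getClientId());
            requestObject.setResponseType("code");
            requestObject.setRedirectUriParam(CLIENT_REDIRECT_URI);
            requestObject.setScope("openid");
            requestObject.setNonce(KeycloakModelUtils.generateId());
            requestObject.setState(this.oauth.stateParamRandom().getState());
            String encodedRequestObject = Base64Url.encode(JsonSerialization.writeValueAsBytes(requestObject));

            // Point the client at the test application's JWKS so the server can resolve the signing key.
            TestOIDCEndpointsApplicationResource oidcClientEndpoints = this.testingClient.testApp().oidcClientEndpoints();
            ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm(this.oauth.getRealm()), this.oauth.getClientId());
            ClientRepresentation representation = clientResource.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setUseJwksUrl(true);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
            clientResource.update(representation);
            oidcClientEndpoints.generateKeys("RS256");
            oidcClientEndpoints.registerOIDCRequest(encodedRequestObject, "RS256");

            // Push the request object together with conflicting plain parameters.
            this.oauth.request(oidcClientEndpoints.getOIDCRequest());
            this.oauth.responseType("code id_token");
            this.oauth.redirectUri("http://invalid");
            this.oauth.scope((String) null);
            this.oauth.nonce("12345");
            OAuthClient.ParResponse parResponse = this.oauth.doPushedAuthorizationRequest(clientId, clientSecret);
            Assert.assertEquals(201L, parResponse.getStatusCode());
            String requestUri = parResponse.getRequestUri();
            Assert.assertEquals(45, parResponse.getExpiresIn());

            // Authorization request with bogus plain parameters next to the request_uri.
            // Note: redirectUri is set to "http://invalid" and then cleared again, so no
            // redirect_uri is actually configured on the OAuth client for this request.
            this.oauth.scope("invalid");
            this.oauth.redirectUri("http://invalid");
            this.oauth.responseType("invalid");
            this.oauth.redirectUri((String) null);
            this.oauth.nonce("12345");
            this.oauth.request((String) null);
            this.oauth.requestUri(requestUri);
            String frontChannelState = this.oauth.stateParamRandom().getState();
            this.oauth.stateParamHardcoded(frontChannelState);
            OAuthClient.AuthorizationEndpointResponse login = this.oauth.doLogin("test-user@localhost", "password");

            // The state echoed back is the signed one, not the one added on the front channel.
            Assert.assertEquals(requestObject.getState(), login.getState());
            Assert.assertNotEquals(requestObject.getState(), frontChannelState);

            this.oauth.redirectUri(CLIENT_REDIRECT_URI);
            OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(login.getCode(), clientSecret);
            Assert.assertEquals(200L, tokenResponse.getStatusCode());
            this.oauth.verifyToken(tokenResponse.getAccessToken());
            // Likewise the nonce: the request object's value wins over the plain "12345".
            Assert.assertEquals(requestObject.getNonce(), this.oauth.verifyIDToken(tokenResponse.getIdToken()).getNonce());
        } finally {
            restoreParRealmSettings();
        }
    }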

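    /**
     * Verifies that a parameter absent from the signed request object is NOT filled in from the
     * plain parameters of the authorization request.
     *
     * <p>The request object carries no {@code state}. A random state is then sent on the front
     * channel next to the {@code request_uri}; the authorization response must come back without
     * any state at all. Together with the nonce check at the end, this pins that the pushed,
     * signed request is the single source of authorization parameters.
     *
     * <p>The realm's PAR settings are restored in a {@code finally} block so that cleanup runs
     * exactly once, whether the test passes or fails.
     */
    @Test
    public void testIgnoreParameterIfNotSetinRequestObject() throws Exception {
        try {
            setParRealmSettings(45);
            String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
                rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
                rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
            });
            this.oauth.clientId(clientId);
            OIDCClientRepresentation client = getClientDynamically(clientId);
            String clientSecret = client.getClientSecret();
            Assert.assertEquals(Boolean.TRUE, client.getRequirePushedAuthorizationRequests());
            Assert.assertTrue(client.getRedirectUris().contains(CLIENT_REDIRECT_URI));
            Assert.assertEquals("client_secret_basic", client.getTokenEndpointAuthMethod());

            // Request object valid from now for 300 seconds; deliberately without a state.
            TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject = new TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject();
            requestObject.id(KeycloakModelUtils.generateId());
            requestObject.iat(Long.valueOf(Time.currentTime()));
            requestObject.exp(Long.valueOf(requestObject.getIat() + 300L));
            requestObject.nbf(requestObject.getIat());
            requestObject.setClientId(this.oauth.getClientId());
            requestObject.setResponseType("code");
            requestObject.setRedirectUriParam(CLIENT_REDIRECT_URI);
            requestObject.setScope("openid");
            requestObject.setNonce(KeycloakModelUtils.generateId());
            String encodedRequestObject = Base64Url.encode(JsonSerialization.writeValueAsBytes(requestObject));

            // Point the client at the test application's JWKS so the server can resolve the signing key.
            TestOIDCEndpointsApplicationResource oidcClientEndpoints = this.testingClient.testApp().oidcClientEndpoints();
            ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm(this.oauth.getRealm()), this.oauth.getClientId());
            ClientRepresentation representation = clientResource.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setUseJwksUrl(true);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
            clientResource.update(representation);
            oidcClientEndpoints.generateKeys("RS256");
            oidcClientEndpoints.registerOIDCRequest(encodedRequestObject, "RS256");

            // Push the request object together with conflicting plain parameters.
            this.oauth.request(oidcClientEndpoints.getOIDCRequest());
            this.oauth.responseType("code id_token");
            this.oauth.redirectUri("http://invalid");
            this.oauth.scope((String) null);
            this.oauth.nonce("12345");
            OAuthClient.ParResponse parResponse = this.oauth.doPushedAuthorizationRequest(clientId, clientSecret);
            Assert.assertEquals(201L, parResponse.getStatusCode());
            String requestUri = parResponse.getRequestUri();
            Assert.assertEquals(45, parResponse.getExpiresIn());

            // Authorization request with bogus plain parameters and a front-channel-only state.
            this.oauth.scope("invalid");
            this.oauth.redirectUri("http://invalid");
            this.oauth.responseType("invalid");
            this.oauth.redirectUri((String) null);
            this.oauth.nonce("12345");
            this.oauth.request((String) null);
            this.oauth.requestUri(requestUri);
            String frontChannelState = this.oauth.stateParamRandom().getState();
            this.oauth.stateParamHardcoded(frontChannelState);
            OAuthClient.AuthorizationEndpointResponse login = this.oauth.doLogin("test-user@localhost", "password");

            // No state was signed, so none may be echoed back.
            Assert.assertNull(login.getState());
            // NOTE(review): no state was ever set on the request object in this method, so this
            // compares its (presumably null) state with a random value and cannot fail in a
            // meaningful way; the assertNull above is the effective check.
            Assert.assertNotEquals(requestObject.getState(), frontChannelState);

            this.oauth.redirectUri(CLIENT_REDIRECT_URI);
            OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(login.getCode(), clientSecret);
            Assert.assertEquals(200L, tokenResponse.getStatusCode());
            this.oauth.verifyToken(tokenResponse.getAccessToken());
            // The request object's nonce wins over the plain "12345".
            Assert.assertEquals(requestObject.getNonce(), this.oauth.verifyIDToken(tokenResponse.getIdToken()).getNonce());
        } finally {
            restoreParRealmSettings();
        }
    }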

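    /**
     * Verifies that two request URIs pushed by the same client are independent of each other.
     *
     * <p>The client (PAR optional) pushes a first request, then a second one with scope
     * {@code microprofile-jwt profile}. The second {@code request_uri} is redeemed first, by
     * {@code john-doh@localhost}; the first one is redeemed afterwards by
     * {@code test-user@localhost}. Each resulting access token must reflect the user who
     * authenticated and the scope of the request that was redeemed - in particular the token
     * for the first request must not contain {@code microprofile-jwt}, i.e. scope must not leak
     * from one pushed request into another.
     *
     * <p>Unlike the single-PAR tests this method does not call {@code setParRealmSettings}, so it
     * runs with whatever PAR settings the realm currently has.
     */
    @Test
    public void testSuccessfulMultipleParBySameClient() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.FALSE);
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation client = getClientDynamically(clientId);
        String clientSecret = client.getClientSecret();
        Assert.assertEquals(Boolean.FALSE, client.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(client.getRedirectUris().contains(CLIENT_REDIRECT_URI));
        Assert.assertEquals("client_secret_basic", client.getTokenEndpointAuthMethod());

        // First push: scope left at whatever the OAuth test client currently has configured.
        this.oauth.clientId(clientId);
        this.oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.ParResponse firstPar = this.oauth.doPushedAuthorizationRequest(clientId, clientSecret);
        Assert.assertEquals(201L, firstPar.getStatusCode());
        String firstRequestUri = firstPar.getRequestUri();

        // Second push: explicitly requests the additional scopes.
        this.oauth.clientId(clientId);
        this.oauth.scope("microprofile-jwt profile");
        this.oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.ParResponse secondPar = this.oauth.doPushedAuthorizationRequest(clientId, clientSecret);
        Assert.assertEquals(201L, secondPar.getStatusCode());
        String secondRequestUri = secondPar.getRequestUri();

        // Redeem the SECOND request_uri first, as the second fixture user.
        this.oauth.redirectUri((String) null);
        this.oauth.scope((String) null);
        this.oauth.responseType((String) null);
        this.oauth.requestUri(secondRequestUri);
        String secondState = this.oauth.stateParamRandom().getState();
        this.oauth.stateParamHardcoded(secondState);
        OAuthClient.AuthorizationEndpointResponse secondLogin = this.oauth.doLogin(TEST_USER2_NAME, "password");
        Assert.assertEquals(secondState, secondLogin.getState());
        String secondCode = secondLogin.getCode();
        String secondSessionState = secondLogin.getSessionState();
        this.oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.AccessTokenResponse secondTokenResponse = this.oauth.doAccessTokenRequest(secondCode, clientSecret);
        Assert.assertEquals(200L, secondTokenResponse.getStatusCode());
        AccessToken secondAccessToken = this.oauth.verifyToken(secondTokenResponse.getAccessToken());
        Assert.assertEquals(ApiUtil.findUserByUsername(this.adminClient.realm("test"), TEST_USER2_NAME).getId(), secondAccessToken.getSubject());
        Assert.assertEquals(secondSessionState, secondAccessToken.getSessionState());
        Assert.assertNotEquals(TEST_USER2_NAME, secondAccessToken.getSubject());
        Assert.assertEquals(clientId, secondAccessToken.getIssuedFor());
        Assert.assertTrue(secondAccessToken.getScope().contains("openid"));
        Assert.assertTrue(secondAccessToken.getScope().contains("microprofile-jwt"));
        Assert.assertTrue(secondAccessToken.getScope().contains("profile"));

        // End the second user's session before the first request_uri is redeemed.
        this.oauth.doLogout(secondTokenResponse.getRefreshToken(), clientSecret);

        // Redeem the FIRST request_uri, as the first fixture user.
        this.oauth.redirectUri((String) null);
        this.oauth.scope((String) null);
        this.oauth.responseType((String) null);
        this.oauth.requestUri(firstRequestUri);
        String firstState = this.oauth.stateParamRandom().getState();
        this.oauth.stateParamHardcoded(firstState);
        OAuthClient.AuthorizationEndpointResponse firstLogin = this.oauth.doLogin("test-user@localhost", "password");
        Assert.assertEquals(firstState, firstLogin.getState());
        String firstCode = firstLogin.getCode();
        String firstSessionState = firstLogin.getSessionState();
        this.oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.AccessTokenResponse firstTokenResponse = this.oauth.doAccessTokenRequest(firstCode, clientSecret);
        Assert.assertEquals(200L, firstTokenResponse.getStatusCode());
        AccessToken firstAccessToken = this.oauth.verifyToken(firstTokenResponse.getAccessToken());
        Assert.assertEquals(ApiUtil.findUserByUsername(this.adminClient.realm("test"), "test-user@localhost").getId(), firstAccessToken.getSubject());
        Assert.assertEquals(firstSessionState, firstAccessToken.getSessionState());
        Assert.assertNotEquals("test-user@localhost", firstAccessToken.getSubject());
        Assert.assertEquals(clientId, firstAccessToken.getIssuedFor());
        // Scope isolation: the extra scope of the second push must not appear here.
        Assert.assertFalse(firstAccessToken.getScope().contains("microprofile-jwt"));
        Assert.assertTrue(firstAccessToken.getScope().contains("openid"));
    }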

    /**
     * Two dynamically registered clients each push an authorization request, and the two
     * {@code request_uri} values are then redeemed in the reverse order of issuance.
     *
     * <p>Checks that every token is issued for the client that pushed the request and carries
     * the parameters of that request: the second client's token contains the scopes it pushed,
     * while the first client's token must not contain {@code microprofile-jwt}.
     */
    @Test
    public void testSuccessfulMultipleParByMultipleClients() throws Exception {
        // First client: PAR is optional.
        String firstClientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.FALSE);
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation firstClient = getClientDynamically(firstClientId);
        String firstSecret = firstClient.getClientSecret();
        Assert.assertEquals(Boolean.FALSE, firstClient.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(firstClient.getRedirectUris().contains(CLIENT_REDIRECT_URI));
        Assert.assertEquals("client_secret_basic", firstClient.getTokenEndpointAuthMethod());

        // Second client: PAR is mandatory.
        authManageClients();
        String secondClientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation secondClient = getClientDynamically(secondClientId);
        String secondSecret = secondClient.getClientSecret();
        Assert.assertEquals(Boolean.TRUE, secondClient.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(secondClient.getRedirectUris().contains(CLIENT_REDIRECT_URI));
        Assert.assertEquals("client_secret_basic", secondClient.getTokenEndpointAuthMethod());

        // Push one request per client; the second one asks for extra scopes.
        oauth.clientId(firstClientId);
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.ParResponse firstPar = oauth.doPushedAuthorizationRequest(firstClientId, firstSecret);
        Assert.assertEquals(201L, firstPar.getStatusCode());
        String firstRequestUri = firstPar.getRequestUri();

        oauth.clientId(secondClientId);
        oauth.scope("microprofile-jwt profile");
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.ParResponse secondPar = oauth.doPushedAuthorizationRequest(secondClientId, secondSecret);
        Assert.assertEquals(201L, secondPar.getStatusCode());
        String secondRequestUri = secondPar.getRequestUri();

        // Redeem the second client's request_uri first. The front-channel request carries no
        // redirect_uri, scope or response_type of its own, so those can only come from the
        // pushed request.
        oauth.redirectUri((String) null);
        oauth.scope((String) null);
        oauth.responseType((String) null);
        oauth.requestUri(secondRequestUri);
        String secondState = oauth.stateParamRandom().getState();
        oauth.stateParamHardcoded(secondState);
        OAuthClient.AuthorizationEndpointResponse secondLogin = oauth.doLogin(TEST_USER2_NAME, "password");
        Assert.assertEquals(secondState, secondLogin.getState());
        String secondCode = secondLogin.getCode();
        String secondSession = secondLogin.getSessionState();
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.AccessTokenResponse secondTokens = oauth.doAccessTokenRequest(secondCode, secondSecret);
        Assert.assertEquals(200L, secondTokens.getStatusCode());
        AccessToken secondAccessToken = oauth.verifyToken(secondTokens.getAccessToken());
        Assert.assertEquals(ApiUtil.findUserByUsername(adminClient.realm("test"), TEST_USER2_NAME).getId(), secondAccessToken.getSubject());
        Assert.assertEquals(secondSession, secondAccessToken.getSessionState());
        // The subject must be the user id, never the username.
        Assert.assertNotEquals(TEST_USER2_NAME, secondAccessToken.getSubject());
        Assert.assertEquals(secondClientId, secondAccessToken.getIssuedFor());
        Assert.assertTrue(secondAccessToken.getScope().contains("openid"));
        Assert.assertTrue(secondAccessToken.getScope().contains("microprofile-jwt"));
        Assert.assertTrue(secondAccessToken.getScope().contains("profile"));
        oauth.doLogout(secondTokens.getRefreshToken(), secondSecret);

        // Now redeem the first client's request_uri, which was pushed before the extra scopes
        // were configured.
        oauth.clientId(firstClientId);
        oauth.redirectUri((String) null);
        oauth.scope((String) null);
        oauth.responseType((String) null);
        oauth.requestUri(firstRequestUri);
        String firstState = oauth.stateParamRandom().getState();
        oauth.stateParamHardcoded(firstState);
        OAuthClient.AuthorizationEndpointResponse firstLogin = oauth.doLogin("test-user@localhost", "password");
        Assert.assertEquals(firstState, firstLogin.getState());
        String firstCode = firstLogin.getCode();
        String firstSession = firstLogin.getSessionState();
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.AccessTokenResponse firstTokens = oauth.doAccessTokenRequest(firstCode, firstSecret);
        Assert.assertEquals(200L, firstTokens.getStatusCode());
        AccessToken firstAccessToken = oauth.verifyToken(firstTokens.getAccessToken());
        Assert.assertEquals(ApiUtil.findUserByUsername(adminClient.realm("test"), "test-user@localhost").getId(), firstAccessToken.getSubject());
        Assert.assertEquals(firstSession, firstAccessToken.getSessionState());
        Assert.assertNotEquals("test-user@localhost", firstAccessToken.getSubject());
        Assert.assertEquals(firstClientId, firstAccessToken.getIssuedFor());
        // Scopes pushed by the other client must not leak into this token.
        Assert.assertFalse(firstAccessToken.getScope().contains("microprofile-jwt"));
        Assert.assertTrue(firstAccessToken.getScope().contains("openid"));
    }

    /**
     * A {@code request_uri} that the server never issued must not be honoured by the
     * authorization endpoint, even though the same client has just pushed a valid request.
     */
    @Test
    public void testFailureNotIssuedParUsed() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(Boolean.FALSE, registered.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));
        Assert.assertEquals("client_secret_basic", registered.getTokenEndpointAuthMethod());

        // A genuine request is pushed, but the request_uri it returns is deliberately ignored.
        oauth.clientId(clientId);
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, secret);
        Assert.assertEquals(201L, par.getStatusCode());

        // Present a made-up request_uri at the authorization endpoint instead.
        oauth.redirectUri((String) null);
        oauth.scope((String) null);
        oauth.responseType((String) null);
        oauth.requestUri(IMAGINARY_REQUEST_URI);
        String state = oauth.stateParamRandom().getState();
        oauth.stateParamHardcoded(state);
        driver.navigate().to(UriBuilder.fromUri(oauth.getLoginFormUrl()).build().toURL());

        // NOTE(review): this only proves that no redirect happened; also asserting the error
        // that is shown (or the logged event) would pin the reason for the rejection.
        OAuthClient.AuthorizationEndpointResponse response = new OAuthClient.AuthorizationEndpointResponse(oauth);
        Assert.assertFalse(response.isRedirected());
    }

    /**
     * A {@code request_uri} is single-use: after it has been redeemed for an authorization
     * code, presenting it to the authorization endpoint again must not produce a redirect.
     */
    @Test
    public void testFailureParUsedTwice() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(Boolean.TRUE, registered.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));
        Assert.assertEquals("client_secret_basic", registered.getTokenEndpointAuthMethod());

        oauth.clientId(clientId);
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, secret);
        Assert.assertEquals(201L, par.getStatusCode());
        String requestUri = par.getRequestUri();

        // First use: the full flow succeeds.
        oauth.redirectUri((String) null);
        oauth.scope((String) null);
        oauth.responseType((String) null);
        oauth.requestUri(requestUri);
        String firstState = oauth.stateParamRandom().getState();
        oauth.stateParamHardcoded(firstState);
        OAuthClient.AuthorizationEndpointResponse login = oauth.doLogin("test-user@localhost", "password");
        Assert.assertEquals(firstState, login.getState());
        String code = login.getCode();
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.AccessTokenResponse tokens = oauth.doAccessTokenRequest(code, secret);
        Assert.assertEquals(200L, tokens.getStatusCode());

        // Second use: the same request_uri is still configured on the client and is replayed.
        String replayState = oauth.stateParamRandom().getState();
        oauth.stateParamHardcoded(replayState);
        driver.navigate().to(UriBuilder.fromUri(oauth.getLoginFormUrl()).build().toURL());

        // NOTE(review): this only proves that no redirect happened; also asserting the error
        // that is shown (or the logged event) would pin the reason for the rejection.
        OAuthClient.AuthorizationEndpointResponse replay = new OAuthClient.AuthorizationEndpointResponse(oauth);
        Assert.assertFalse(replay.isRedirected());
    }

    /**
     * A {@code request_uri} is bound to the client that pushed it: when a second client
     * presents the first client's {@code request_uri}, the authorization endpoint must not
     * redirect.
     */
    @Test
    public void testFailureParUsedByOtherClient() throws Exception {
        // Client that pushes the request.
        String ownerClientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.FALSE);
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation ownerClient = getClientDynamically(ownerClientId);
        String ownerSecret = ownerClient.getClientSecret();
        Assert.assertEquals(Boolean.FALSE, ownerClient.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(ownerClient.getRedirectUris().contains(CLIENT_REDIRECT_URI));
        Assert.assertEquals("client_secret_basic", ownerClient.getTokenEndpointAuthMethod());

        // Client that will try to reuse the other client's request_uri.
        authManageClients();
        String otherClientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation otherClient = getClientDynamically(otherClientId);
        Assert.assertEquals(Boolean.TRUE, otherClient.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(otherClient.getRedirectUris().contains(CLIENT_REDIRECT_URI));
        Assert.assertEquals("client_secret_basic", otherClient.getTokenEndpointAuthMethod());

        oauth.clientId(ownerClientId);
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(ownerClientId, ownerSecret);
        Assert.assertEquals(201L, par.getStatusCode());
        String requestUri = par.getRequestUri();

        // Switch client_id before going to the authorization endpoint with that request_uri.
        oauth.clientId(otherClientId);
        oauth.redirectUri((String) null);
        oauth.scope((String) null);
        oauth.responseType((String) null);
        oauth.requestUri(requestUri);
        String state = oauth.stateParamRandom().getState();
        oauth.stateParamHardcoded(state);
        driver.navigate().to(UriBuilder.fromUri(oauth.getLoginFormUrl()).build().toURL());

        // NOTE(review): this only proves that no redirect happened; also asserting the error
        // that is shown (or the logged event) would pin the reason for the rejection.
        OAuthClient.AuthorizationEndpointResponse response = new OAuthClient.AuthorizationEndpointResponse(oauth);
        Assert.assertFalse(response.isRedirected());
    }

    /**
     * A client registered with "require pushed authorization requests" must be refused when
     * it opens the login form without a pushed request; once the requirement is switched off
     * for that client, the ordinary flow succeeds.
     */
    @Test
    public void testFailureNotParByParRequiredCilent() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
        });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(Boolean.TRUE, registered.getRequirePushedAuthorizationRequests());

        // Plain authorization request, no request_uri: rejected with an OAuth error.
        oauth.clientId(clientId);
        oauth.openLoginForm();
        Assert.assertEquals("invalid_request", oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Pushed Authorization Request is only allowed.", oauth.getCurrentQuery().get("error_description"));

        // Drop the requirement and confirm the same kind of request now works end to end.
        updateClientDynamically(clientId, rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.FALSE);
        });
        String code = oauth.doLogin("test-user@localhost", "password").getCode();
        OAuthClient.AccessTokenResponse tokens = oauth.doAccessTokenRequest(code, secret);
        Assert.assertEquals(200L, tokens.getStatusCode());
    }

    /**
     * A {@code request_uri} presented after its advertised lifetime has elapsed must not be
     * honoured by the authorization endpoint.
     */
    @Test
    public void testFailureParExpired() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(Boolean.FALSE, registered.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));
        Assert.assertEquals("client_secret_basic", registered.getTokenEndpointAuthMethod());

        oauth.clientId(clientId);
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, secret);
        Assert.assertEquals(201L, par.getStatusCode());
        String requestUri = par.getRequestUri();

        // Move the clock 5 seconds past the expires_in value returned with the request_uri.
        // NOTE(review): the offset is not reset in this method; presumably a base-class
        // teardown does that - confirm, otherwise it leaks into later tests.
        setTimeOffset(par.getExpiresIn() + 5);

        oauth.redirectUri((String) null);
        oauth.scope((String) null);
        oauth.responseType((String) null);
        oauth.requestUri(requestUri);
        String state = oauth.stateParamRandom().getState();
        oauth.stateParamHardcoded(state);
        driver.navigate().to(UriBuilder.fromUri(oauth.getLoginFormUrl()).build().toURL());

        // NOTE(review): this only proves that no redirect happened; also asserting the error
        // that is shown (or the logged event) would pin the reason for the rejection.
        OAuthClient.AuthorizationEndpointResponse response = new OAuthClient.AuthorizationEndpointResponse(oauth);
        Assert.assertFalse(response.isRedirected());
    }

    /**
     * The PAR endpoint authenticates the client: a request sent with a wrong client secret is
     * answered with 401 and no {@code request_uri} is obtained.
     */
    @Test
    public void testFailureClientAuthnFailed() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(Boolean.TRUE, registered.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));
        Assert.assertEquals("client_secret_basic", registered.getTokenEndpointAuthMethod());

        oauth.clientId(clientId);
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        // Corrupt the secret by appending to it.
        String wrongSecret = secret + "abc";
        OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, wrongSecret);
        Assert.assertEquals(401L, par.getStatusCode());
        // NOTE(review): OAuth 2.0 defines "invalid_client" for failed client authentication;
        // this test pins "invalid_request" - confirm that this error code is intended.
        Assert.assertEquals("invalid_request", par.getError());
        Assert.assertEquals("Authentication failed.", par.getErrorDescription());
    }

    /**
     * A pushed authorization request must not itself contain a {@code request_uri}; the PAR
     * endpoint answers such a request with 400 {@code invalid_request}.
     */
    @Test
    public void testFailureParIncludesRequestUri() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.FALSE);
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(Boolean.FALSE, registered.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));

        oauth.clientId(clientId);
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        // The offending parameter: a request_uri inside the pushed request.
        oauth.requestUri(IMAGINARY_REQUEST_URI);
        OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, secret);
        Assert.assertEquals(400L, par.getStatusCode());
        Assert.assertEquals("invalid_request", par.getError());
        Assert.assertEquals("It is not allowed to include request_uri to PAR.", par.getErrorDescription());
    }

    /**
     * When the client is configured with "request object required" set to
     * {@code "request only"}, a pushed request sent without a request object is refused
     * with 400 {@code invalid_request_object}.
     */
    @Test
    public void testFailureInvalidPar() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(Boolean.FALSE, registered.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));

        // Tighten the client through the admin API after registration.
        updateClientByAdmin(clientId, client -> {
            OIDCAdvancedConfigWrapper.fromClientRepresentation(client).setRequestObjectRequired("request only");
        });

        oauth.clientId(clientId);
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, secret);
        Assert.assertEquals(400L, par.getStatusCode());
        Assert.assertEquals("invalid_request_object", par.getError());
    }

    /**
     * The {@code redirect_uri} is validated at push time: a pushed request whose redirect URI
     * is not among the client's registered redirect URIs is refused with 400
     * {@code invalid_request}.
     */
    @Test
    public void testFailureParIncludesInvalidRedirectUri() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(Boolean.TRUE, registered.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));

        oauth.clientId(clientId);
        // INVALID_CORS_URL doubles here as a redirect URI that was never registered.
        oauth.redirectUri(INVALID_CORS_URL);
        OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, secret);
        Assert.assertEquals(400L, par.getStatusCode());
        Assert.assertEquals("invalid_request", par.getError());
        Assert.assertEquals("Invalid parameter: redirect_uri", par.getErrorDescription());
    }

    /**
     * The {@code response_type} is validated at push time: a pushed request that omits it is
     * refused with 400 {@code invalid_request}.
     */
    @Test
    public void testFailureParIncludesInvalidResponseType() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.FALSE);
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(Boolean.FALSE, registered.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));

        oauth.clientId(clientId);
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        // Leave response_type out of the pushed request.
        oauth.responseType((String) null);
        OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, secret);
        Assert.assertEquals(400L, par.getStatusCode());
        Assert.assertEquals("invalid_request", par.getError());
        Assert.assertEquals("Missing parameter: response_type", par.getErrorDescription());
    }

    /**
     * Scopes are validated at push time: a pushed request asking for a scope the test calls
     * {@code not_registered_scope} is refused with 400 {@code invalid_request}.
     */
    @Test
    public void testFailureParIncludesInvalidScope() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(Boolean.FALSE, registered.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));

        oauth.clientId(clientId);
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        // NOTE(review): the scope stays configured on the shared client object after this
        // test; presumably the base class resets it between tests - confirm.
        oauth.scope("not_registered_scope");
        OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, secret);
        Assert.assertEquals(400L, par.getStatusCode());
        Assert.assertEquals("invalid_request", par.getError());
        Assert.assertEquals("Invalid scopes: openid not_registered_scope", par.getErrorDescription());
    }

    /**
     * The client's PKCE setting is applied at push time: with the code challenge method set
     * to {@code S256} on the client, a pushed request without PKCE parameters is refused with
     * 400 {@code invalid_request}.
     */
    @Test
    public void testFailureParInvalidPkceSetting() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(Boolean.TRUE, registered.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));

        // Configure the PKCE method on the client through the admin API.
        updateClientByAdmin(clientId, client -> {
            OIDCAdvancedConfigWrapper.fromClientRepresentation(client).setPkceCodeChallengeMethod("S256");
        });

        oauth.clientId(clientId);
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, secret);
        Assert.assertEquals(400L, par.getStatusCode());
        Assert.assertEquals("invalid_request", par.getError());
        Assert.assertEquals("Missing parameter: code_challenge_method", par.getErrorDescription());
    }

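    /**
     * A pushed request sent with an origin that matches the origin configured on the client
     * succeeds, the PAR response passes {@code assertCors}, and the returned
     * {@code request_uri} completes the normal authorization flow.
     *
     * <p>The origin set on the shared OAuth client is cleared in a {@code finally} block so
     * that it cannot leak into other tests, whether this one passes or fails.
     */
    @Test
    public void testParCorsRequestWithValidUrl() throws Exception {
        final String appRedirectUri = "http://localtest.me:8180/realms/master/app";
        try {
            String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
                rep.setRequirePushedAuthorizationRequests(Boolean.FALSE);
                rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI, appRedirectUri)));
            });
            OIDCClientRepresentation registered = getClientDynamically(clientId);
            String secret = registered.getClientSecret();
            Assert.assertEquals(Boolean.FALSE, registered.getRequirePushedAuthorizationRequests());
            Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));
            Assert.assertEquals("client_secret_basic", registered.getTokenEndpointAuthMethod());

            // Register the allowed origin on the client.
            updateClientByAdmin(clientId, client -> {
                client.setOrigin(VALID_CORS_URL);
            });

            oauth.clientId(clientId);
            oauth.redirectUri(appRedirectUri);
            // Send the request with the same origin that was registered above.
            oauth.origin(VALID_CORS_URL);
            OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, secret, httpResponse -> {
                assertCors(httpResponse);
            });
            Assert.assertEquals(201L, par.getStatusCode());
            doNormalAuthzProcess(par.getRequestUri(), appRedirectUri, clientId, secret);
        } finally {
            oauth.origin((String) null);
        }
    }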

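    /**
     * A pushed request sent with an origin that differs from the one configured on the client
     * must fail the CORS check only: the PAR response has to pass {@code assertNotCors}.
     *
     * <p>The request itself is still accepted (201) and its {@code request_uri} completes the
     * normal flow. What "fails" here is the cross-origin read, not client authentication or
     * the pushed request. Presumably {@code assertNotCors} checks that the CORS response
     * headers are absent - confirm against the helper.
     *
     * <p>The origin set on the shared OAuth client is cleared in a {@code finally} block so
     * that it cannot leak into other tests, whether this one passes or fails.
     */
    @Test
    public void testParCorsRequestWithInvalidUrlShouldFail() throws Exception {
        final String appRedirectUri = "http://localtest.me:8180/realms/master/app";
        try {
            String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
                rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI, appRedirectUri)));
            });
            OIDCClientRepresentation registered = getClientDynamically(clientId);
            String secret = registered.getClientSecret();
            Assert.assertEquals(Boolean.FALSE, registered.getRequirePushedAuthorizationRequests());
            Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));
            Assert.assertEquals("client_secret_basic", registered.getTokenEndpointAuthMethod());

            // Register the allowed origin on the client.
            updateClientByAdmin(clientId, client -> {
                client.setOrigin(VALID_CORS_URL);
            });

            oauth.clientId(clientId);
            oauth.redirectUri(appRedirectUri);
            // Send the request with an origin other than the registered one.
            oauth.origin(INVALID_CORS_URL);
            OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, secret, httpResponse -> {
                assertNotCors(httpResponse);
            });
            Assert.assertEquals(201L, par.getStatusCode());
            doNormalAuthzProcess(par.getRequestUri(), appRedirectUri, clientId, secret);
        } finally {
            oauth.origin((String) null);
        }
    }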

    /**
     * Client policies are applied at the PAR endpoint: with a profile carrying the
     * {@code test-raise-exception} executor and a policy conditioned on a client role, a
     * pushed request from a client that has that role is answered with 400 and an error equal
     * to {@code ClientPolicyEvent.PUSHED_AUTHORIZATION_REQUEST}.
     */
    @Test
    public void testExtendedClientPolicyIntefacesForPar() throws Exception {
        final String profileName = "MyProfile";
        final String roleName = "sample-client-role-alpha";

        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            rep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
            rep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
        });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(Boolean.TRUE, registered.getRequirePushedAuthorizationRequests());
        Assert.assertTrue(registered.getRedirectUris().contains(CLIENT_REDIRECT_URI));
        Assert.assertEquals("client_secret_basic", registered.getTokenEndpointAuthMethod());

        // Profile: a single executor that, judging by its name and the asserted description,
        // throws on purpose.
        String profilesJson = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile(profileName, "Den Forste Profilen")
                        .addExecutor("test-raise-exception", null)
                        .toRepresentation())
                .toString();
        updateProfiles(profilesJson);

        // Policy: apply that profile under a "client-roles" condition for the role below.
        String policiesJson = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Den Forste Politikken", Boolean.TRUE)
                        .addCondition("client-roles", ClientPoliciesUtil.createClientRolesConditionConfig(Arrays.asList(roleName)))
                        .addProfile(profileName)
                        .toRepresentation())
                .toString();
        updatePolicies(policiesJson);

        // Create the role on the client so that the condition applies to it.
        ApiUtil.findClientByClientId(adminClient.realm("test"), clientId)
                .roles()
                .create(RoleBuilder.create().name(roleName).build());

        oauth.clientId(clientId);
        oauth.redirectUri(CLIENT_REDIRECT_URI);
        OAuthClient.ParResponse par = oauth.doPushedAuthorizationRequest(clientId, secret);
        Assert.assertEquals(400L, par.getStatusCode());
        Assert.assertEquals(ClientPolicyEvent.PUSHED_AUTHORIZATION_REQUEST.toString(), par.getError());
        Assert.assertEquals("Exception thrown intentionally", par.getErrorDescription());
    }

    /**
     * Runs the flow that follows a successful push: authorization request by
     * {@code request_uri}, login as {@code test-user@localhost}, code exchange, token refresh,
     * logout, and a final refresh attempt that must be rejected.
     *
     * @param str  the {@code request_uri} returned by the PAR endpoint
     * @param str2 the redirect URI to configure before the authorization code is exchanged
     * @param str3 the client id the access and refresh tokens are expected to be issued for
     * @param str4 the client secret used for the token, refresh and logout requests
     */
    private void doNormalAuthzProcess(String str, String str2, String str3, String str4) {
        final String requestUri = str;
        final String redirectUri = str2;
        final String expectedClientId = str3;
        final String clientSecret = str4;
        final String username = "test-user@localhost";

        // Authorization request: only the request_uri (and state) is sent on the front channel.
        oauth.redirectUri((String) null);
        oauth.scope((String) null);
        oauth.responseType((String) null);
        oauth.requestUri(requestUri);
        String state = oauth.stateParamRandom().getState();
        oauth.stateParamHardcoded(state);
        OAuthClient.AuthorizationEndpointResponse login = oauth.doLogin(username, "password");
        Assert.assertEquals(state, login.getState());
        String code = login.getCode();
        String session = login.getSessionState();

        // Code exchange.
        oauth.redirectUri(redirectUri);
        OAuthClient.AccessTokenResponse tokens = oauth.doAccessTokenRequest(code, clientSecret);
        Assert.assertEquals(200L, tokens.getStatusCode());
        AccessToken accessToken = oauth.verifyToken(tokens.getAccessToken());
        Assert.assertEquals(ApiUtil.findUserByUsername(adminClient.realm("test"), username).getId(), accessToken.getSubject());
        Assert.assertEquals(session, accessToken.getSessionState());
        // The subject must be the user id, never the username.
        Assert.assertNotEquals(username, accessToken.getSubject());
        Assert.assertEquals(expectedClientId, accessToken.getIssuedFor());
        String refreshTokenString = tokens.getRefreshToken();
        RefreshToken refreshToken = oauth.parseRefreshToken(refreshTokenString);
        Assert.assertEquals(session, refreshToken.getSessionState());
        Assert.assertEquals(expectedClientId, refreshToken.getIssuedFor());

        // Refresh: the new tokens stay in the same session and belong to the same user.
        OAuthClient.AccessTokenResponse refreshed = oauth.doRefreshTokenRequest(refreshTokenString, clientSecret);
        Assert.assertEquals(200L, refreshed.getStatusCode());
        AccessToken refreshedAccessToken = oauth.verifyToken(refreshed.getAccessToken());
        RefreshToken refreshedRefreshToken = oauth.parseRefreshToken(refreshed.getRefreshToken());
        Assert.assertEquals(session, refreshedAccessToken.getSessionState());
        Assert.assertEquals(session, refreshedRefreshToken.getSessionState());
        Assert.assertEquals(ApiUtil.findUserByUsername(adminClient.realm("test"), username).getId(), refreshedAccessToken.getSubject());

        // Logout, after which the same refresh token must no longer be usable.
        oauth.doLogout(refreshed.getRefreshToken(), clientSecret);
        OAuthClient.AccessTokenResponse afterLogout = oauth.doRefreshTokenRequest(refreshed.getRefreshToken(), clientSecret);
        Assert.assertEquals(400L, afterLogout.getStatusCode());
    }

    /**
     * Stores the given value in the {@code parRequestUriLifespan} attribute of the
     * "test" realm and pushes the updated realm representation to the server.
     *
     * @param i value written, as a string, to {@code parRequestUriLifespan};
     *          the unit is not visible here (presumably seconds, confirm)
     */
    private void setParRealmSettings(int i) {
        RealmRepresentation realm = this.adminClient.realm("test").toRepresentation();
        // A realm without attributes gets a fresh map, so the put below is always safe.
        Map<String, String> attributes = realm.getAttributes();
        if (attributes == null) {
            attributes = new HashMap<>();
        }
        attributes.put("parRequestUriLifespan", String.valueOf(i));
        realm.setAttributes(attributes);
        this.adminClient.realm("test").update(realm);
    }

    /**
     * Resets the realm's {@code parRequestUriLifespan} attribute to
     * {@code DEFAULT_REQUEST_URI_LIFESPAN}, so that a lifespan changed by one test
     * does not carry over to the next.
     */
    private void restoreParRealmSettings() {
        this.setParRealmSettings(DEFAULT_REQUEST_URI_LIFESPAN);
    }

    /* JADX INFO: Access modifiers changed from: private */
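    /**
     * Asserts that the response carries the CORS headers expected for an allowed origin.
     *
     * <p>Three headers are checked: {@code Access-Control-Allow-Credentials} must be
     * {@code "true"}, {@code Access-Control-Allow-Origin} must equal
     * {@code VALID_CORS_URL} exactly, and {@code Access-Control-Expose-Headers} must be
     * {@code "Access-Control-Allow-Methods"}. Because the origin is compared for
     * equality, any other origin value fails the check.
     *
     * <p>Each header is first asserted to be present, so a missing header is reported
     * as an assertion failure naming the header instead of an
     * {@link ArrayIndexOutOfBoundsException}.
     *
     * @param closeableHttpResponse response whose headers are inspected
     */
    public static void assertCors(CloseableHttpResponse closeableHttpResponse) {
        Assert.assertNotNull(
                "Missing response header: Access-Control-Allow-Credentials",
                closeableHttpResponse.getFirstHeader("Access-Control-Allow-Credentials"));
        Assert.assertEquals(
                "true",
                closeableHttpResponse.getFirstHeader("Access-Control-Allow-Credentials").getValue());

        Assert.assertNotNull(
                "Missing response header: Access-Control-Allow-Origin",
                closeableHttpResponse.getFirstHeader("Access-Control-Allow-Origin"));
        Assert.assertEquals(
                VALID_CORS_URL,
                closeableHttpResponse.getFirstHeader("Access-Control-Allow-Origin").getValue());

        Assert.assertNotNull(
                "Missing response header: Access-Control-Expose-Headers",
                closeableHttpResponse.getFirstHeader("Access-Control-Expose-Headers"));
        Assert.assertEquals(
                "Access-Control-Allow-Methods",
                closeableHttpResponse.getFirstHeader("Access-Control-Expose-Headers").getValue());
    }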

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Asserts that the response carries none of the CORS headers checked by this test
     * class: {@code Access-Control-Allow-Credentials},
     * {@code Access-Control-Allow-Origin} and {@code Access-Control-Expose-Headers}.
     *
     * @param closeableHttpResponse response whose headers are inspected
     */
    public static void assertNotCors(CloseableHttpResponse closeableHttpResponse) {
        String[] corsHeaderNames = {
            "Access-Control-Allow-Credentials",
            "Access-Control-Allow-Origin",
            "Access-Control-Expose-Headers",
        };
        for (String headerName : corsHeaderNames) {
            // No occurrence of the header may be present at all.
            Assert.assertEquals(0L, closeableHttpResponse.getHeaders(headerName).length);
        }
    }
}
