package org.keycloak.broker.oidc;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.util.Arrays;
import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.ws.rs.GET;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.AbstractIdentityProvider;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.ExchangeExternalToken;
import org.keycloak.broker.provider.ExchangeTokenToIdentityProviderToken;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.Cors;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.social.stackoverflow.StackoverflowIdentityProvider;

/* loaded from: input_file:org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.class */
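/**
 * Base class for identity providers that broker a login through an external OAuth 2.0
 * authorization server using the authorization-code grant.
 *
 * <p>The class builds the authorization redirect ({@link #createAuthorizationUrl}), exposes the
 * callback resource that receives the provider's redirect ({@link Endpoint}), extracts the access
 * token from the token response, and answers token-exchange requests for the brokered token.
 *
 * <p>Security-relevant behaviour kept in one place here: the token endpoint response and the
 * tokens taken from it are secrets, so they are never written into log or exception messages by
 * this class.
 *
 * @param <C> provider configuration type
 */
public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityProviderConfig> extends AbstractIdentityProvider<C> implements ExchangeTokenToIdentityProviderToken, ExchangeExternalToken {
    public static final String OAUTH2_GRANT_TYPE_REFRESH_TOKEN = "refresh_token";
    public static final String OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code";
    public static final String FEDERATED_REFRESH_TOKEN = "FEDERATED_REFRESH_TOKEN";
    public static final String FEDERATED_TOKEN_EXPIRATION = "FEDERATED_TOKEN_EXPIRATION";
    public static final String ACCESS_DENIED = "access_denied";
    public static final String OAUTH2_PARAMETER_ACCESS_TOKEN = "access_token";
    public static final String OAUTH2_PARAMETER_SCOPE = "scope";
    public static final String OAUTH2_PARAMETER_STATE = "state";
    public static final String OAUTH2_PARAMETER_RESPONSE_TYPE = "response_type";
    public static final String OAUTH2_PARAMETER_REDIRECT_URI = "redirect_uri";
    public static final String OAUTH2_PARAMETER_CODE = "code";
    public static final String OAUTH2_PARAMETER_CLIENT_ID = "client_id";
    public static final String OAUTH2_PARAMETER_CLIENT_SECRET = "client_secret";
    public static final String OAUTH2_PARAMETER_GRANT_TYPE = "grant_type";
    protected static final Logger logger = Logger.getLogger(AbstractOAuth2IdentityProvider.class);
    // One JSON mapper shared by every provider instance. The field is protected and not final,
    // so a subclass can reassign it for all providers at once.
    protected static ObjectMapper mapper = new ObjectMapper();

    /* loaded from: input_file:org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider$Endpoint.class */
    /**
     * JAX-RS resource that receives the redirect back from the external authorization server.
     * It is an inner (non-static) class because it reads the enclosing provider's configuration.
     */
    protected class Endpoint {
        protected IdentityProvider.AuthenticationCallback callback;
        protected RealmModel realm;
        protected EventBuilder event;

        @Context
        protected KeycloakSession session;

        @Context
        protected ClientConnection clientConnection;

        @Context
        protected HttpHeaders headers;

        public Endpoint(IdentityProvider.AuthenticationCallback authenticationCallback, RealmModel realmModel, EventBuilder eventBuilder) {
            this.callback = authenticationCallback;
            this.realm = realmModel;
            this.event = eventBuilder;
        }

        /**
         * Handles the authorization response.
         *
         * <p>An {@code error} parameter short-circuits the flow: {@code access_denied} is reported
         * to the callback as a cancellation, anything else as an error. Otherwise a {@code code}
         * is exchanged at the token endpoint and the resulting identity is passed to the callback.
         * When neither succeeds, a login-failure event is recorded and a 502 error page returned.
         *
         * @param str  the {@code state} query parameter; it is not checked here, only handed on to
         *             the callback (directly, or through {@code setCode}) -- presumably the
         *             callback validates it, confirm against the callback implementation
         * @param str2 the {@code code} query parameter (authorization code), may be null
         * @param str3 the {@code error} query parameter, may be null
         * @return the callback's response, the response carried by a
         *         {@link WebApplicationException}, or the generic error page
         */
        @GET
        public Response authResponse(@QueryParam("state") String str, @QueryParam("code") String str2, @QueryParam("error") String str3) {
            if (str3 != null) {
                if (str3.equals(ACCESS_DENIED)) {
                    logger.error("access_denied for broker login " + m106getConfig().getProviderId());
                    return this.callback.cancelled(str);
                }
                // The error value comes straight from the query string, so line breaks are
                // neutralised before it is logged; otherwise a request could forge log entries.
                String loggableError = str3.replaceAll("[\\r\\n]", "_");
                logger.error(loggableError + " for broker login " + m106getConfig().getProviderId());
                return this.callback.error(str, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
            }
            if (str2 != null) {
                try {
                    String tokenResponse = generateTokenRequest(str2).asString();
                    BrokeredIdentityContext identity = getFederatedIdentity(tokenResponse);
                    // Keep the raw token response only when the provider is configured to store
                    // tokens and the subclass has not already set one.
                    if (m106getConfig().isStoreToken() && identity.getToken() == null) {
                        identity.setToken(tokenResponse);
                    }
                    identity.setIdpConfig(m106getConfig());
                    identity.setIdp(AbstractOAuth2IdentityProvider.this);
                    identity.setCode(str);
                    return this.callback.authenticated(identity);
                } catch (WebApplicationException e) {
                    // Must come before the generic handler: listed after it this clause is
                    // unreachable and the prepared response would be replaced by the error page.
                    return e.getResponse();
                } catch (Exception e) {
                    logger.error("Failed to make identity provider oauth callback", e);
                }
            }
            this.event.event(EventType.LOGIN);
            this.event.error("identity_provider_login_failure");
            return ErrorPage.error(this.session, null, Response.Status.BAD_GATEWAY, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
        }

        /**
         * Builds the token request that redeems an authorization code.
         *
         * <p>The client secret travels as a form parameter, and {@code redirect_uri} is taken from
         * the absolute path of the request currently being served.
         *
         * @param str the authorization code received on the callback
         * @return the prepared, not yet executed, POST request
         */
        public SimpleHttp generateTokenRequest(String str) {
            C config = m106getConfig();
            String redirectUri = this.session.getContext().getUri().getAbsolutePath().toString();
            return SimpleHttp.doPost(config.getTokenUrl(), this.session)
                    .param(OAUTH2_PARAMETER_CODE, str)
                    .param(OAUTH2_PARAMETER_CLIENT_ID, config.getClientId())
                    .param(OAUTH2_PARAMETER_CLIENT_SECRET, config.getClientSecret())
                    .param(OAUTH2_PARAMETER_REDIRECT_URI, redirectUri)
                    .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE);
        }
    }

    /**
     * Creates the provider and fills in the default scope when the configuration has none.
     *
     * @param keycloakSession current session, passed to the superclass
     * @param c provider configuration; its default scope is set in place if null or empty
     */
    public AbstractOAuth2IdentityProvider(KeycloakSession keycloakSession, C c) {
        super(keycloakSession, c);
        if (c.getDefaultScope() == null || c.getDefaultScope().isEmpty()) {
            c.setDefaultScope(getDefaultScopes());
        }
    }

    /** Returns a new {@link Endpoint} bound to the given callback, realm and event builder. */
    public Object callback(RealmModel realmModel, IdentityProvider.AuthenticationCallback authenticationCallback, EventBuilder eventBuilder) {
        return new Endpoint(authenticationCallback, realmModel, eventBuilder);
    }

    /**
     * Starts the brokered login by redirecting (303 See Other) to the authorization URL.
     *
     * @throws IdentityBrokerException if the authorization URL cannot be built
     */
    public Response performLogin(AuthenticationRequest authenticationRequest) {
        try {
            return Response.seeOther(createAuthorizationUrl(authenticationRequest).build()).build();
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not create authentication request.", e);
        }
    }

    /**
     * Returns the token stored on the federated identity as the response entity.
     * No access check is made in this method; that is left to the caller.
     */
    public Response retrieveToken(KeycloakSession keycloakSession, FederatedIdentityModel federatedIdentityModel) {
        return Response.ok(federatedIdentityModel.getToken()).build();
    }

    /* renamed from: getConfig, reason: merged with bridge method [inline-methods] */
    /** Returns the provider configuration, narrowed to this provider's configuration type. */
    public C m106getConfig() {
        return (C) super.getConfig();
    }

    /**
     * Extracts one value from a token endpoint response that is either a JSON object or a
     * form-encoded string ({@code name=value&name=value}).
     *
     * @param str  the raw response, may be null
     * @param str2 the parameter name to look up
     * @return the value, or null when the response is null, the parameter is missing, or (JSON
     *         only) the value is not a non-blank string
     * @throws IdentityBrokerException if the response starts with "{" but is not readable JSON
     */
    protected String extractTokenFromResponse(String str, String str2) {
        if (str == null) {
            return null;
        }
        if (!str.startsWith("{")) {
            // The name is quoted so it is matched literally, and anchored to the start or to a
            // preceding '&' so that "x_access_token=" cannot be mistaken for "access_token=".
            Matcher matcher = Pattern.compile("(?:^|&)" + Pattern.quote(str2) + "=([^&]+)").matcher(str);
            return matcher.find() ? matcher.group(1) : null;
        }
        try {
            JsonNode tree = mapper.readTree(str);
            if (!tree.has(str2)) {
                return null;
            }
            String value = tree.get(str2).textValue();
            if (value == null || value.trim().isEmpty()) {
                return null;
            }
            return value;
        } catch (IOException e) {
            // The raw response is left out of the message: it may carry tokens, and this
            // exception is logged with its stack trace by the callback endpoint.
            throw new IdentityBrokerException("Could not extract token [" + str2 + "] from response due: " + e.getMessage(), e);
        }
    }

    /**
     * Answers an internal token-exchange request for this provider's token.
     *
     * <p>Order of checks: a token obtained through an earlier external exchange wins; then only
     * the access-token type is accepted; then the stored token is used when the provider stores
     * tokens, otherwise the session token when the session was established through this provider.
     *
     * @return the token response, or an error response built by the superclass helpers
     */
    public Response exchangeFromToken(UriInfo uriInfo, EventBuilder eventBuilder, ClientModel clientModel, UserSessionModel userSessionModel, UserModel userModel, MultivaluedMap<String, String> multivaluedMap) {
        Response externalExchange = hasExternalExchangeToken(eventBuilder, userSessionModel, multivaluedMap);
        if (externalExchange != null) {
            return externalExchange;
        }
        String requestedType = multivaluedMap.getFirst("requested_token_type");
        if (requestedType != null && !requestedType.equals("urn:ietf:params:oauth:token-type:access_token")) {
            eventBuilder.detail("reason", "requested_token_type unsupported");
            eventBuilder.error("invalid_request");
            return exchangeUnsupportedRequiredType();
        }
        if (m106getConfig().isStoreToken()) {
            return exchangeStoredToken(uriInfo, eventBuilder, clientModel, userSessionModel, userModel);
        }
        String sessionProvider = userSessionModel.getNote("identity_provider");
        if (sessionProvider == null) {
            sessionProvider = userSessionModel.getNote("EXTERNAL_IDENTITY_PROVIDER");
        }
        // The session token may only be handed out when this provider created the session.
        if (sessionProvider != null && sessionProvider.equals(m106getConfig().getAlias())) {
            return exchangeSessionToken(uriInfo, eventBuilder, clientModel, userSessionModel, userModel);
        }
        eventBuilder.detail("reason", "requested_issuer has not linked");
        eventBuilder.error("invalid_request");
        return exchangeNotLinkedNoStore(uriInfo, clientModel, userSessionModel, userModel);
    }

    /**
     * Returns the token kept on the user session by a previous external exchange with this
     * provider, if the session was created that way and holds a token of the requested type.
     *
     * @return the token response, or null when this shortcut does not apply
     */
    protected Response hasExternalExchangeToken(EventBuilder eventBuilder, UserSessionModel userSessionModel, MultivaluedMap<String, String> multivaluedMap) {
        if (!m106getConfig().getAlias().equals(userSessionModel.getNote(OIDCIdentityProvider.EXCHANGE_PROVIDER))) {
            return null;
        }
        String requestedType = multivaluedMap.getFirst("requested_token_type");
        if (requestedType == null || requestedType.equals("urn:ietf:params:oauth:token-type:access_token")) {
            String accessToken = userSessionModel.getNote("FEDERATED_ACCESS_TOKEN");
            if (accessToken == null) {
                return null;
            }
            return externalExchangeResponse(eventBuilder, accessToken, null, "urn:ietf:params:oauth:token-type:access_token");
        }
        if (!"urn:ietf:params:oauth:token-type:id_token".equals(requestedType)) {
            return null;
        }
        String idToken = userSessionModel.getNote(OIDCIdentityProvider.FEDERATED_ID_TOKEN);
        if (idToken == null) {
            return null;
        }
        return externalExchangeResponse(eventBuilder, null, idToken, "urn:ietf:params:oauth:token-type:id_token");
    }

    /** Builds the JSON response for a session-held external token and marks the event successful. */
    private Response externalExchangeResponse(EventBuilder eventBuilder, String accessToken, String idToken, String issuedTokenType) {
        AccessTokenResponse tokenResponse = new AccessTokenResponse();
        tokenResponse.setToken(accessToken);
        tokenResponse.setIdToken(idToken);
        tokenResponse.setRefreshToken((String) null);
        tokenResponse.setRefreshExpiresIn(0L);
        tokenResponse.setExpiresIn(0L);
        tokenResponse.getOtherClaims().clear();
        tokenResponse.getOtherClaims().put("issued_token_type", issuedTokenType);
        eventBuilder.success();
        return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
    }

    /**
     * Exchanges for the access token stored on the user's federated identity link.
     *
     * <p>If the stored value no longer yields an access token, the stored token is cleared and
     * the request is answered as "token expired".
     */
    protected Response exchangeStoredToken(UriInfo uriInfo, EventBuilder eventBuilder, ClientModel clientModel, UserSessionModel userSessionModel, UserModel userModel) {
        FederatedIdentityModel link = this.session.users().getFederatedIdentity(userModel, m106getConfig().getAlias(), clientModel.getRealm());
        if (link == null || link.getToken() == null) {
            eventBuilder.detail("reason", "requested_issuer is not linked");
            eventBuilder.error("invalid_token");
            return exchangeNotLinked(uriInfo, clientModel, userSessionModel, userModel);
        }
        String accessToken = extractTokenFromResponse(link.getToken(), getAccessTokenResponseParameter());
        if (accessToken == null) {
            link.setToken((String) null);
            this.session.users().updateFederatedIdentity(clientModel.getRealm(), userModel, link);
            eventBuilder.detail("reason", "requested_issuer token expired");
            eventBuilder.error("invalid_token");
            return exchangeTokenExpired(uriInfo, clientModel, userSessionModel, userModel);
        }
        return linkedAccessTokenResponse(uriInfo, eventBuilder, clientModel, userSessionModel, accessToken);
    }

    /** Exchanges for the access token kept as a note on the user session. */
    protected Response exchangeSessionToken(UriInfo uriInfo, EventBuilder eventBuilder, ClientModel clientModel, UserSessionModel userSessionModel, UserModel userModel) {
        String accessToken = userSessionModel.getNote("FEDERATED_ACCESS_TOKEN");
        if (accessToken == null) {
            eventBuilder.detail("reason", "requested_issuer is not linked");
            eventBuilder.error("invalid_token");
            return exchangeTokenExpired(uriInfo, clientModel, userSessionModel, userModel);
        }
        return linkedAccessTokenResponse(uriInfo, eventBuilder, clientModel, userSessionModel, accessToken);
    }

    /** Builds the JSON response carrying an access token plus the account-link URL. */
    private Response linkedAccessTokenResponse(UriInfo uriInfo, EventBuilder eventBuilder, ClientModel clientModel, UserSessionModel userSessionModel, String accessToken) {
        AccessTokenResponse tokenResponse = new AccessTokenResponse();
        tokenResponse.setToken(accessToken);
        tokenResponse.setIdToken((String) null);
        tokenResponse.setRefreshToken((String) null);
        tokenResponse.setRefreshExpiresIn(0L);
        tokenResponse.getOtherClaims().clear();
        tokenResponse.getOtherClaims().put("issued_token_type", "urn:ietf:params:oauth:token-type:access_token");
        tokenResponse.getOtherClaims().put("account-link-url", getLinkingUrl(uriInfo, clientModel, userSessionModel));
        eventBuilder.success();
        return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
    }

    /**
     * Turns a token endpoint response into a brokered identity and records the access token in
     * the identity's context data.
     *
     * @param str the raw token endpoint response
     * @throws IdentityBrokerException if the response holds no access token
     */
    public BrokeredIdentityContext getFederatedIdentity(String str) {
        String accessToken = extractTokenFromResponse(str, getAccessTokenResponseParameter());
        if (accessToken == null) {
            // The response body is not appended: it can still contain other tokens, and the
            // callback endpoint logs this exception.
            throw new IdentityBrokerException("No access token available in OAuth server response");
        }
        BrokeredIdentityContext identity = doGetFederatedIdentity(accessToken);
        identity.getContextData().put("FEDERATED_ACCESS_TOKEN", accessToken);
        return identity;
    }

    /** Name of the response parameter that carries the access token. */
    protected String getAccessTokenResponseParameter() {
        return "access_token";
    }

    /**
     * Resolves the user identity for an access token. This default returns null, which makes
     * {@link #getFederatedIdentity} fail with a NullPointerException; subclasses are expected to
     * override it.
     */
    protected BrokeredIdentityContext doGetFederatedIdentity(String str) {
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the authorization request URL: scope, state, response type, client id and redirect
     * URI, followed by the optional login hint, prompt, nonce, ACR and configured forward
     * parameters.
     */
    public UriBuilder createAuthorizationUrl(AuthenticationRequest authenticationRequest) {
        C config = m106getConfig();
        UriBuilder authorizationUrl = UriBuilder.fromUri(config.getAuthorizationUrl())
                .queryParam(OAUTH2_PARAMETER_SCOPE, config.getDefaultScope())
                .queryParam(OAUTH2_PARAMETER_STATE, authenticationRequest.getState().getEncoded())
                .queryParam(OAUTH2_PARAMETER_RESPONSE_TYPE, "code")
                .queryParam(OAUTH2_PARAMETER_CLIENT_ID, config.getClientId())
                .queryParam(OAUTH2_PARAMETER_REDIRECT_URI, authenticationRequest.getRedirectUri());
        AuthenticationSessionModel authSession = authenticationRequest.getAuthenticationSession();

        String loginHint = authSession.getClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM);
        if (config.isLoginHint() && loginHint != null) {
            authorizationUrl.queryParam(OIDCLoginProtocol.LOGIN_HINT_PARAM, loginHint);
        }

        // A prompt fixed in the provider configuration takes precedence over the client's.
        String prompt = config.getPrompt();
        if (prompt == null || prompt.isEmpty()) {
            prompt = authSession.getClientNote(OIDCLoginProtocol.PROMPT_PARAM);
        }
        if (prompt != null) {
            authorizationUrl.queryParam(OIDCLoginProtocol.PROMPT_PARAM, prompt);
        }

        // Reuse the nonce already on the session, otherwise create a random one and remember it.
        String nonce = authSession.getClientNote("nonce");
        if (nonce == null || nonce.isEmpty()) {
            nonce = UUID.randomUUID().toString();
            authSession.setClientNote("nonce", nonce);
        }
        authorizationUrl.queryParam("nonce", nonce);

        String acr = authSession.getClientNote(OIDCLoginProtocol.ACR_PARAM);
        if (acr != null) {
            authorizationUrl.queryParam(OIDCLoginProtocol.ACR_PARAM, acr);
        }

        // NOTE(review): the fallback constant is presumably the empty string, substituted for a
        // literal by the decompiler -- confirm.
        String forwardParameters = config.getForwardParameters() != null ? config.getForwardParameters() : StackoverflowIdentityProvider.DEFAULT_SCOPE;
        for (String rawName : forwardParameters.split("\\s*,\\s*")) {
            // Use the trimmed name for both the note lookup and the query parameter, and skip
            // blanks so an empty setting never yields a parameter with an empty name.
            String name = rawName.trim();
            if (name.isEmpty()) {
                continue;
            }
            String value = authSession.getClientNote(AuthorizationEndpoint.LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + name);
            if (value != null && !value.isEmpty()) {
                authorizationUrl.queryParam(name, value);
            }
        }
        return authorizationUrl;
    }

    /**
     * Reads a property of a JSON node as text.
     *
     * @return the text, or null when the property is absent, JSON null, or empty
     */
    public String getJsonProperty(JsonNode jsonNode, String str) {
        if (!jsonNode.has(str) || jsonNode.get(str).isNull()) {
            return null;
        }
        String text = jsonNode.get(str).asText();
        return (text == null || text.isEmpty()) ? null : text;
    }

    /** Parses a JSON document with the shared mapper. */
    public JsonNode asJsonNode(String str) throws IOException {
        return mapper.readTree(str);
    }

    /** Scope value used when the provider configuration does not define one. */
    protected abstract String getDefaultScopes();

    /** Copies the federated access token, when present, from the identity context to the user session notes. */
    public void authenticationFinished(AuthenticationSessionModel authenticationSessionModel, BrokeredIdentityContext brokeredIdentityContext) {
        String accessToken = (String) brokeredIdentityContext.getContextData().get("FEDERATED_ACCESS_TOKEN");
        if (accessToken != null) {
            authenticationSessionModel.setUserSessionNote("FEDERATED_ACCESS_TOKEN", accessToken);
        }
    }

    /**
     * Returns the user-info endpoint used to validate external tokens. This default rejects the
     * request, so external validation stays unavailable until a subclass overrides it.
     *
     * @throws ErrorResponseException always, with status 400
     */
    protected String getProfileEndpointForValidation(EventBuilder eventBuilder) {
        eventBuilder.detail("reason", "exchange unsupported");
        eventBuilder.error("invalid_token");
        throw new ErrorResponseException("invalid_token", "invalid token", Response.Status.BAD_REQUEST);
    }

    /** Maps a user-info document to a brokered identity. This default returns null. */
    protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder eventBuilder, JsonNode jsonNode) {
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates an external access token by calling the provider's user-info endpoint with it.
     * The token is accepted only if the call returns 200 and the profile yields an identity with
     * a non-null id.
     *
     * @param str  the external access token
     * @param str2 the subject token type; not used by this implementation
     * @return the identity extracted from the profile
     * @throws ErrorResponseException (status 400) if the call fails or no identity is found
     */
    public BrokeredIdentityContext validateExternalTokenThroughUserInfo(EventBuilder eventBuilder, String str, String str2) {
        eventBuilder.detail("validation_method", "user info");
        SimpleHttp.Response response = null;
        int status = 0;
        try {
            response = buildUserInfoRequest(str, getProfileEndpointForValidation(eventBuilder)).asResponse();
            status = response.getStatus();
        } catch (IOException e) {
            logger.debug("Failed to invoke user info for external exchange", e);
        }
        if (status != 200) {
            logger.debug("Failed to invoke user info status: " + status);
            throw userInfoCallFailure(eventBuilder);
        }
        BrokeredIdentityContext identity;
        try {
            identity = extractIdentityFromProfile(eventBuilder, response.asJson());
        } catch (IOException e) {
            logger.debug("Failed to read user info response for external exchange", e);
            throw userInfoCallFailure(eventBuilder);
        }
        // The default extractIdentityFromProfile returns null; treat that as a failed validation
        // (400) instead of letting it surface as a NullPointerException.
        if (identity == null || identity.getId() == null) {
            throw userInfoCallFailure(eventBuilder);
        }
        return identity;
    }

    /** Records a user-info failure on the event and returns the matching 400 exception. */
    private ErrorResponseException userInfoCallFailure(EventBuilder eventBuilder) {
        eventBuilder.detail("reason", "user info call failure");
        eventBuilder.error("invalid_token");
        return new ErrorResponseException("invalid_token", "invalid token", Response.Status.BAD_REQUEST);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the user-info GET request, sending the token as a Bearer credential.
     *
     * @param str  the access token
     * @param str2 the user-info endpoint URL
     */
    public SimpleHttp buildUserInfoRequest(String str, String str2) {
        return SimpleHttp.doGet(str2, this.session).header(Cors.AUTHORIZATION_HEADER, "Bearer " + str);
    }

    /** Whether this provider accepts tokens issued externally. Off by default. */
    protected boolean supportsExternalExchange() {
        return false;
    }

    /**
     * Tells whether this provider is the issuer named by a token-exchange request.
     *
     * @param str           issuer to fall back on when the request has no {@code subject_issuer}
     * @param multivaluedMap request form parameters
     * @return true only if external exchange is supported and the issuer equals this provider's alias
     */
    public boolean isIssuer(String str, MultivaluedMap<String, String> multivaluedMap) {
        if (!supportsExternalExchange()) {
            return false;
        }
        String issuer = multivaluedMap.getFirst("subject_issuer");
        if (issuer == null) {
            issuer = str;
        }
        // Both the parameter and the fallback can be null; that is "not this issuer", not an error.
        return issuer != null && issuer.equals(m106getConfig().getAlias());
    }

    /**
     * Entry point for external token exchange. Returns null when the provider does not support
     * it; otherwise delegates to {@link #exchangeExternalImpl} and binds the result to this
     * provider and its configuration.
     */
    public final BrokeredIdentityContext exchangeExternal(EventBuilder eventBuilder, MultivaluedMap<String, String> multivaluedMap) {
        if (!supportsExternalExchange()) {
            return null;
        }
        BrokeredIdentityContext identity = exchangeExternalImpl(eventBuilder, multivaluedMap);
        if (identity != null) {
            identity.setIdp(this);
            identity.setIdpConfig(m106getConfig());
        }
        return identity;
    }

    /** Default external exchange: validate the subject token through the user-info endpoint. */
    protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder eventBuilder, MultivaluedMap<String, String> multivaluedMap) {
        return exchangeExternalUserInfoValidationOnly(eventBuilder, multivaluedMap);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates the {@code subject_token} of an exchange request through user-info. Only the
     * access-token type is accepted; a missing {@code subject_token_type} is treated as such.
     *
     * @throws ErrorResponseException (status 400) if the token is missing or of another type
     */
    public BrokeredIdentityContext exchangeExternalUserInfoValidationOnly(EventBuilder eventBuilder, MultivaluedMap<String, String> multivaluedMap) {
        String subjectToken = multivaluedMap.getFirst("subject_token");
        if (subjectToken == null) {
            eventBuilder.detail("reason", "subject_token param unset");
            eventBuilder.error("invalid_token");
            throw new ErrorResponseException("invalid_token", "token not set", Response.Status.BAD_REQUEST);
        }
        String subjectTokenType = multivaluedMap.getFirst("subject_token_type");
        if (subjectTokenType == null) {
            subjectTokenType = "urn:ietf:params:oauth:token-type:access_token";
        }
        if (!"urn:ietf:params:oauth:token-type:access_token".equals(subjectTokenType)) {
            eventBuilder.detail("reason", "subject_token_type invalid");
            eventBuilder.error("invalid_token_type");
            throw new ErrorResponseException("invalid_token", "invalid token type", Response.Status.BAD_REQUEST);
        }
        return validateExternalTokenThroughUserInfo(eventBuilder, subjectToken, subjectTokenType);
    }

    /**
     * Records the outcome of an external exchange on the user session: the subject token and the
     * alias of the provider that validated it.
     */
    public void exchangeExternalComplete(UserSessionModel userSessionModel, BrokeredIdentityContext brokeredIdentityContext, MultivaluedMap<String, String> multivaluedMap) {
        // NOTE(review): both conditions test the same VALIDATED_ID_TOKEN key, so a validated ID
        // token is stored under the access-token note as well, and a token validated only
        // through user-info is stored under neither. This looks like a copy/paste slip in the
        // first condition -- confirm the intended key before relying on these notes.
        if (brokeredIdentityContext.getContextData().containsKey(OIDCIdentityProvider.VALIDATED_ID_TOKEN)) {
            userSessionModel.setNote("FEDERATED_ACCESS_TOKEN", multivaluedMap.getFirst("subject_token"));
        }
        if (brokeredIdentityContext.getContextData().containsKey(OIDCIdentityProvider.VALIDATED_ID_TOKEN)) {
            userSessionModel.setNote(OIDCIdentityProvider.FEDERATED_ID_TOKEN, multivaluedMap.getFirst("subject_token"));
        }
        userSessionModel.setNote(OIDCIdentityProvider.EXCHANGE_PROVIDER, m106getConfig().getAlias());
    }
}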
