package org.keycloak.services.resources;

import com.google.api.client.http.HttpMethods;
import com.google.api.client.http.UrlEncodedParser;
import java.security.PrivateKey;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.container.ResourceContext;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Providers;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.jose.jws.JWSBuilder;
import org.jboss.resteasy.jose.jws.JWSInput;
import org.jboss.resteasy.jose.jws.crypto.RSAProvider;
import org.jboss.resteasy.jwt.JsonSerialization;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.HttpResponse;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakTransaction;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredCredentialModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.SkeletonKeyToken;
import org.keycloak.representations.idm.admin.LogoutAction;
import org.keycloak.services.managers.AccessCodeEntry;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.services.resources.flows.FormFlows;
import org.keycloak.services.resources.flows.OAuthFlows;
import org.keycloak.services.validation.Validation;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.0-alpha-1-12062013.jar:org/keycloak/services/resources/TokenService.class */
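/**
 * JAX-RS resource backing a realm's token, login, registration, logout and OAuth grant
 * endpoints.
 *
 * <p>The realm and {@link TokenManager} are handed in by the constructor; everything else is
 * injected per request through {@code @Context}. In this model the "login requester"
 * ({@code client_id}) is itself a {@link UserModel} of the realm, which is why client look-ups
 * below go through {@link RealmModel#getUser(String)} and redirect URIs are checked against
 * {@link UserModel#getRedirectUris()}.
 */
public class TokenService {
    protected static final Logger logger = Logger.getLogger(TokenService.class);
    protected RealmModel realm;
    protected TokenManager tokenManager;

    @Context
    protected Providers providers;

    @Context
    protected SecurityContext securityContext;

    @Context
    protected UriInfo uriInfo;

    @Context
    protected HttpHeaders headers;

    @Context
    protected HttpRequest request;

    @Context
    protected HttpResponse response;

    @Context
    protected KeycloakSession session;

    @Context
    protected KeycloakTransaction transaction;

    @Context
    protected ResourceContext resourceContext;
    protected AuthenticationManager authManager = new AuthenticationManager();
    private ResourceAdminManager resourceAdminManager = new ResourceAdminManager();

    /**
     * @param realmModel   the realm this resource serves
     * @param tokenManager issues and encodes tokens and holds access-code entries for this realm
     */
    public TokenService(RealmModel realmModel, TokenManager tokenManager) {
        this.realm = realmModel;
        this.tokenManager = tokenManager;
    }

    /** Base of this resource: the realm's token service path under {@link RealmsResource}. */
    public static UriBuilder tokenServiceBaseUrl(UriInfo uriInfo) {
        return uriInfo.getBaseUriBuilder().path(RealmsResource.class).path(RealmsResource.class, "getTokenService");
    }

    public static UriBuilder accessCodeToTokenUrl(UriInfo uriInfo) {
        return tokenServiceBaseUrl(uriInfo).path(TokenService.class, "accessCodeToToken");
    }

    public static UriBuilder grantAccessTokenUrl(UriInfo uriInfo) {
        return tokenServiceBaseUrl(uriInfo).path(TokenService.class, "grantAccessToken");
    }

    public static UriBuilder grantIdentityTokenUrl(UriInfo uriInfo) {
        return tokenServiceBaseUrl(uriInfo).path(TokenService.class, "grantIdentityToken");
    }

    public static UriBuilder loginPageUrl(UriInfo uriInfo) {
        return tokenServiceBaseUrl(uriInfo).path(TokenService.class, "loginPage");
    }

    public static UriBuilder processLoginUrl(UriInfo uriInfo) {
        return tokenServiceBaseUrl(uriInfo).path(TokenService.class, "processLogin");
    }

    public static UriBuilder processOAuthUrl(UriInfo uriInfo) {
        return tokenServiceBaseUrl(uriInfo).path(TokenService.class, "processOAuth");
    }

    /**
     * Direct (form credential) grant of an identity token for the user named in the form.
     *
     * @param form url-encoded form carrying {@code username} plus the credentials that
     *             {@link AuthenticationManager#authenticateForm} checks
     * @return JSON {@link AccessTokenResponse} wrapping the encoded identity token
     * @throws NotAuthorizedException when no username is given, the realm or the user is
     *                                disabled, the user is unknown, or authentication fails
     */
    @Path("grants/identity-token")
    @Consumes({UrlEncodedParser.CONTENT_TYPE})
    @POST
    @Produces({"application/json"})
    public Response grantIdentityToken(MultivaluedMap<String, String> form) {
        String username = form.getFirst("username");
        if (username == null) {
            throw new NotAuthorizedException("No user", new Object[0]);
        }
        if (!this.realm.isEnabled()) {
            throw new NotAuthorizedException("Disabled realm", new Object[0]);
        }
        UserModel user = this.realm.getUser(username);
        // Same guards as grantAccessToken(): an unknown or disabled account must be rejected
        // here instead of being handed to authenticateForm() as null.
        if (user == null) {
            throw new NotAuthorizedException("No user", new Object[0]);
        }
        if (!user.isEnabled()) {
            throw new NotAuthorizedException("Disabled user.", new Object[0]);
        }
        AuthenticationManager.AuthenticationStatus status = this.authManager.authenticateForm(this.realm, user, form);
        if (status != AuthenticationManager.AuthenticationStatus.SUCCESS) {
            throw new NotAuthorizedException(status, new Object[0]);
        }
        // NOTE(review): unlike every other endpoint in this class, the injected TokenManager is
        // replaced by a fresh instance here; the reason is not visible from this file, so it is
        // kept as-is.
        this.tokenManager = new TokenManager();
        SkeletonKeyToken token = this.authManager.createIdentityToken(this.realm, username);
        String encoded = this.tokenManager.encodeToken(this.realm, token);
        return Response.ok(accessTokenResponse(token, encoded), MediaType.APPLICATION_JSON_TYPE).build();
    }

    /**
     * Direct (form credential) grant of an access token for the user named in the form.
     *
     * @param form url-encoded form carrying {@code username} plus the credentials that
     *             {@link AuthenticationManager#authenticateForm} checks
     * @return JSON {@link AccessTokenResponse} wrapping the encoded access token
     * @throws NotAuthorizedException when no username is given, the realm or the user is
     *                                disabled, the user is unknown, or authentication fails
     */
    @Path("grants/access")
    @Consumes({UrlEncodedParser.CONTENT_TYPE})
    @POST
    @Produces({"application/json"})
    public Response grantAccessToken(MultivaluedMap<String, String> form) {
        String username = form.getFirst("username");
        if (username == null) {
            throw new NotAuthorizedException("No user", new Object[0]);
        }
        if (!this.realm.isEnabled()) {
            throw new NotAuthorizedException("Disabled realm", new Object[0]);
        }
        UserModel user = this.realm.getUser(username);
        if (user == null) {
            throw new NotAuthorizedException("No user", new Object[0]);
        }
        if (!user.isEnabled()) {
            throw new NotAuthorizedException("Disabled user.", new Object[0]);
        }
        if (this.authManager.authenticateForm(this.realm, user, form) != AuthenticationManager.AuthenticationStatus.SUCCESS) {
            throw new NotAuthorizedException("Auth failed", new Object[0]);
        }
        SkeletonKeyToken token = this.tokenManager.createAccessToken(this.realm, user);
        String encoded = this.tokenManager.encodeToken(this.realm, token);
        return Response.ok(accessTokenResponse(token, encoded), MediaType.APPLICATION_JSON_TYPE).build();
    }

    /**
     * Handles the submitted login form of the browser flow.
     *
     * <p>The requesting client ({@code client_id}) and its {@code redirect_uri} are validated
     * first; only then is the form's {@code username} looked up and authenticated. Every failure
     * either forwards to a security-failure page (client-side problems) or back to the login form
     * with an error (user-side problems).
     *
     * @param clientId    login name of the requesting client
     * @param scope       requested scope, passed through to the access-code flow
     * @param state       opaque client state, passed through to the access-code flow
     * @param redirectUri where the browser is sent afterwards; must pass {@link #verifyRedirectUri}
     * @param form        the posted login form; a {@code cancel} key aborts with {@code access_denied}
     * @return the forward or redirect response produced by the flow
     */
    @POST
    @Path("auth/request/login")
    @Consumes({UrlEncodedParser.CONTENT_TYPE})
    public Response processLogin(@QueryParam("client_id") String clientId, @QueryParam("scope") String scope, @QueryParam("state") String state, @QueryParam("redirect_uri") String redirectUri, MultivaluedMap<String, String> form) {
        logger.debug("TokenService.processLogin");
        OAuthFlows oauth = Flows.oauth(this.realm, this.request, this.uriInfo, this.authManager, this.tokenManager);
        if (!this.realm.isEnabled()) {
            return oauth.forwardToSecurityFailure("Realm not enabled.");
        }
        UserModel client = this.realm.getUser(clientId);
        if (client == null) {
            return oauth.forwardToSecurityFailure("Unknown login requester.");
        }
        if (!client.isEnabled()) {
            return oauth.forwardToSecurityFailure("Login requester not enabled.");
        }
        String verifiedRedirectUri = verifyRedirectUri(redirectUri, client);
        if (verifiedRedirectUri == null) {
            return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
        }
        if (form.containsKey("cancel")) {
            return oauth.redirectError(client, "access_denied", state, verifiedRedirectUri);
        }
        UserModel user = this.realm.getUser(form.getFirst("username"));
        if (user == null) {
            return Flows.forms(this.realm, this.request, this.uriInfo).setError(Messages.INVALID_USER).setFormData(form).forwardToLogin();
        }
        // Required actions are recorded on the account before the credentials are checked; the
        // ACTIONS_REQUIRED outcome below is what routes the user to them.
        requireTotpConfigurationIfNeeded(user);
        requireEmailVerificationIfNeeded(user);
        switch (this.authManager.authenticateForm(this.realm, user, form)) {
            case SUCCESS:
            case ACTIONS_REQUIRED:
                return oauth.processAccessCode(scope, state, verifiedRedirectUri, client, user);
            case ACCOUNT_DISABLED:
                return Flows.forms(this.realm, this.request, this.uriInfo).setError(Messages.ACCOUNT_DISABLED).setFormData(form).forwardToLogin();
            case MISSING_TOTP:
                return Flows.forms(this.realm, this.request, this.uriInfo).setFormData(form).forwardToLoginTotp();
            default:
                return Flows.forms(this.realm, this.request, this.uriInfo).setError(Messages.INVALID_USER).setFormData(form).forwardToLogin();
        }
    }

    /** Sub-resource for the required-action pages (TOTP setup, e-mail verification, ...). */
    @Path("auth/request/login-actions")
    public RequiredActionsService getRequiredActionsService() {
        RequiredActionsService requiredActionsService = new RequiredActionsService(this.realm, this.tokenManager);
        // Sub-resources are created by hand, so the @Context fields have to be injected explicitly.
        this.resourceContext.initResource(requiredActionsService);
        return requiredActionsService;
    }

    /**
     * Marks the user as having to configure TOTP when the realm lists {@code totp} among its
     * required credentials and the user has not set it up yet.
     */
    private void requireTotpConfigurationIfNeeded(UserModel user) {
        if (user.isTotp()) {
            return;
        }
        for (RequiredCredentialModel credential : this.realm.getRequiredCredentials()) {
            if ("totp".equals(credential.getType())) {
                user.addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
                logger.debug("User is required to configure totp");
                // One match is enough; adding the same action per matching credential gains nothing.
                return;
            }
        }
    }

    /**
     * Marks the user as having to verify their e-mail when the realm demands it and the address
     * is not verified yet.
     */
    private void requireEmailVerificationIfNeeded(UserModel user) {
        if (!this.realm.isVerifyEmail() || user.isEmailVerified()) {
            return;
        }
        user.addRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
        logger.debug("User is required to verify email");
    }

    /**
     * Handles the submitted self-registration form and, on success, continues straight into the
     * login flow with the same form data.
     *
     * @return the login flow's response after a successful registration, otherwise the failure
     *         response produced by {@link #processRegisterImpl} (which may be {@code null} when
     *         the request was already forwarded)
     */
    @POST
    @Path("registrations")
    @Consumes({UrlEncodedParser.CONTENT_TYPE})
    public Response processRegister(@QueryParam("client_id") String clientId, @QueryParam("scope") String scope, @QueryParam("state") String state, @QueryParam("redirect_uri") String redirectUri, MultivaluedMap<String, String> form) {
        Response failure = processRegisterImpl(clientId, scope, state, redirectUri, form, false);
        if (failure == null && !this.request.wasForwarded()) {
            // processRegisterImpl() returns null only after the account has been created.
            return processLogin(clientId, scope, state, redirectUri, form);
        }
        logger.warn("Registration attempt wasn't successful. Request already forwarded or redirected.");
        return failure;
    }

    /**
     * Validates the registration form and creates the user.
     *
     * @param clientId           login name of the requesting client
     * @param scope              unused here; carried for symmetry with {@link #processLogin}
     * @param state              unused here; carried for symmetry with {@link #processLogin}
     * @param redirectUri        must pass {@link #verifyRedirectUri} for the client
     * @param form               the posted registration form
     * @param socialRegistration whether the registration form should be rendered in its social variant on error
     * @return {@code null} when the user was created, otherwise the forward response for the failure
     */
    public Response processRegisterImpl(String clientId, String scope, String state, String redirectUri, MultivaluedMap<String, String> form, boolean socialRegistration) {
        OAuthFlows oauth = Flows.oauth(this.realm, this.request, this.uriInfo, this.authManager, this.tokenManager);
        if (!this.realm.isEnabled()) {
            logger.warn("Realm not enabled");
            return oauth.forwardToSecurityFailure("Realm not enabled");
        }
        UserModel client = this.realm.getUser(clientId);
        if (client == null) {
            logger.warn("Unknown login requester.");
            return oauth.forwardToSecurityFailure("Unknown login requester.");
        }
        if (!client.isEnabled()) {
            logger.warn("Login requester not enabled.");
            return oauth.forwardToSecurityFailure("Login requester not enabled.");
        }
        if (verifyRedirectUri(redirectUri, client) == null) {
            return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
        }
        if (!this.realm.isRegistrationAllowed()) {
            logger.warn("Registration not allowed");
            return oauth.forwardToSecurityFailure("Registration not allowed");
        }
        List<String> requiredCredentialTypes = new LinkedList<String>();
        for (RequiredCredentialModel credential : this.realm.getRequiredCredentials()) {
            requiredCredentialTypes.add(credential.getType());
        }
        String error = Validation.validateRegistrationForm(form, requiredCredentialTypes);
        if (error == null) {
            error = Validation.validatePassword(form, this.realm.getPasswordPolicy());
        }
        if (error != null) {
            return Flows.forms(this.realm, this.request, this.uriInfo).setError(error).setFormData(form).setSocialRegistration(socialRegistration).forwardToRegistration();
        }
        String username = form.getFirst("username");
        if (this.realm.getUser(username) != null) {
            return Flows.forms(this.realm, this.request, this.uriInfo).setError(Messages.USERNAME_EXISTS).setFormData(form).setSocialRegistration(socialRegistration).forwardToRegistration();
        }
        UserModel newUser = this.realm.addUser(username);
        newUser.setEnabled(true);
        newUser.setFirstName(form.getFirst(UserModel.FIRST_NAME));
        newUser.setLastName(form.getFirst(UserModel.LAST_NAME));
        newUser.setEmail(form.getFirst(UserModel.EMAIL));
        if (requiredCredentialTypes.contains("password")) {
            UserCredentialModel password = new UserCredentialModel();
            password.setType("password");
            password.setValue(form.getFirst("password"));
            this.realm.updateCredential(newUser, password);
        }
        for (String roleName : this.realm.getDefaultRoles()) {
            this.realm.grantRole(newUser, this.realm.getRole(roleName));
        }
        for (ApplicationModel application : this.realm.getApplications()) {
            for (String roleName : application.getDefaultRoles()) {
                application.grantRole(newUser, application.getRole(roleName));
            }
        }
        return null;
    }

    /**
     * Exchanges an access code for the access token stored with it (the authorization-code
     * "token endpoint").
     *
     * <p>Order of checks: realm enabled, {@code code} and {@code client_id} present, client
     * known, enabled and authenticated via its form credentials, code signature valid under the
     * realm's public key, code entry present, not expired, its token still active, and finally
     * that the code was issued to the authenticating client.
     *
     * @param form url-encoded form with {@code code}, {@code client_id} and the client's credentials
     * @return 200 with an {@link AccessTokenResponse}, or 400 with an OAuth-style
     *         {@code error}/{@code error_description} JSON body
     * @throws NotAuthorizedException when the realm is disabled
     */
    @POST
    @Produces({"application/json"})
    @Path("access/codes")
    public Response accessCodeToToken(MultivaluedMap<String, String> form) {
        logger.debug("accessRequest <---");
        if (!this.realm.isEnabled()) {
            throw new NotAuthorizedException("Realm not enabled", new Object[0]);
        }
        String code = form.getFirst(FormFlows.CODE);
        if (code == null) {
            logger.debug("code not specified");
            return errorResponse("invalid_request", "code not specified");
        }
        String clientId = form.getFirst("client_id");
        if (clientId == null) {
            logger.debug("client_id not specified");
            return errorResponse("invalid_request", "client_id not specified");
        }
        UserModel client = this.realm.getUser(clientId);
        if (client == null) {
            logger.debug("Could not find user");
            return errorResponse("invalid_client", "Could not find user");
        }
        if (!client.isEnabled()) {
            logger.debug("user is not enabled");
            return errorResponse("invalid_client", "User is not enabled");
        }
        if (this.authManager.authenticateForm(this.realm, client, form) != AuthenticationManager.AuthenticationStatus.SUCCESS) {
            return errorResponse("unauthorized_client", null);
        }
        JWSInput signedCode = new JWSInput(code, this.providers);
        boolean signatureValid = false;
        try {
            signatureValid = RSAProvider.verify(signedCode, this.realm.getPublicKey());
        } catch (Exception e) {
            // A malformed JWS is reported the same way as a bad signature; details go to the debug log only.
            logger.debug("Failed to verify signature", e);
        }
        if (!signatureValid) {
            return errorResponse("invalid_grant", "Unable to verify code signature");
        }
        // pullAccessCode() removes the entry, so a code can be redeemed at most once.
        AccessCodeEntry accessCode = this.tokenManager.pullAccessCode(signedCode.readContent(String.class));
        if (accessCode == null) {
            return errorResponse("invalid_grant", "Code not found");
        }
        if (accessCode.isExpired()) {
            return errorResponse("invalid_grant", "Code is expired");
        }
        if (!accessCode.getToken().isActive()) {
            return errorResponse("invalid_grant", "Token expired");
        }
        if (!client.getLoginName().equals(accessCode.getClient().getLoginName())) {
            // The code was issued for a different client than the one presenting it.
            return errorResponse("invalid_grant", "Auth error");
        }
        logger.debug("accessRequest SUCCESS");
        return Cors.add(this.request, Response.ok(accessTokenResponse(this.realm.getPrivateKey(), accessCode.getToken()))).allowedOrigins(client).allowedMethods(HttpMethods.POST).build();
    }

    /**
     * Builds a 400 response with an OAuth-style JSON error body.
     *
     * @param error       value for the {@link Messages#ERROR} key
     * @param description value for {@code error_description}; omitted from the body when {@code null}
     */
    private static Response errorResponse(String error, String description) {
        Map<String, String> body = new HashMap<String, String>();
        body.put(Messages.ERROR, error);
        if (description != null) {
            body.put("error_description", description);
        }
        return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(body).build();
    }

    /**
     * Signs the token with RS256 under the given key and wraps it in an {@link AccessTokenResponse}.
     *
     * @throws RuntimeException wrapping any serialization or signing failure
     */
    protected AccessTokenResponse accessTokenResponse(PrivateKey privateKey, SkeletonKeyToken token) {
        try {
            String encoded = new JWSBuilder().content(JsonSerialization.toByteArray(token, false)).rsa256(privateKey);
            return accessTokenResponse(token, encoded);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Wraps an already encoded token as a bearer {@link AccessTokenResponse}.
     *
     * <p>{@code expires_in} is derived from the token's expiration (seconds since the epoch) and
     * left unset when the token carries no expiration.
     */
    protected AccessTokenResponse accessTokenResponse(SkeletonKeyToken token, String encodedToken) {
        AccessTokenResponse tokenResponse = new AccessTokenResponse();
        tokenResponse.setToken(encodedToken);
        tokenResponse.setTokenType("bearer");
        long expiration = token.getExpiration();
        if (expiration != 0) {
            tokenResponse.setExpiresIn(expiration - (System.currentTimeMillis() / 1000));
        }
        return tokenResponse;
    }

    /**
     * Entry point of the browser login flow.
     *
     * <p>Validates the requesting client and its {@code redirect_uri}, requires the client to hold
     * the application or identity-requester role, and then either continues with the identity
     * cookie of an already logged-in user, answers {@code access_denied} for {@code prompt=none},
     * or forwards to the login form.
     *
     * @param responseType unused; accepted for OAuth compatibility
     * @param redirectUri  where to send the browser afterwards; must pass {@link #verifyRedirectUri}
     * @param clientId     login name of the requesting client
     * @param scope        requested scope, passed through to the access-code flow
     * @param state        opaque client state, passed through to the access-code flow
     * @param prompt       {@code none} means "do not show a login form"
     * @return the forward or redirect response produced by the flow
     */
    @GET
    @Path("login")
    public Response loginPage(@QueryParam("response_type") String responseType, @QueryParam("redirect_uri") String redirectUri, @QueryParam("client_id") String clientId, @QueryParam("scope") String scope, @QueryParam("state") String state, @QueryParam("prompt") String prompt) {
        logger.info("TokenService.loginPage");
        OAuthFlows oauth = Flows.oauth(this.realm, this.request, this.uriInfo, this.authManager, this.tokenManager);
        // Failure branches return the forward response itself, as processLogin() and registerPage()
        // do, instead of null.
        if (!this.realm.isEnabled()) {
            logger.warn("Realm not enabled");
            return oauth.forwardToSecurityFailure("Realm not enabled");
        }
        UserModel client = this.realm.getUser(clientId);
        if (client == null) {
            logger.warn("Unknown login requester: " + clientId);
            Response failure = oauth.forwardToSecurityFailure("Unknown login requester.");
            this.transaction.rollback();
            return failure;
        }
        if (!client.isEnabled()) {
            logger.warn("Login requester not enabled.");
            Response failure = oauth.forwardToSecurityFailure("Login requester not enabled.");
            this.transaction.rollback();
            this.session.close();
            return failure;
        }
        String verifiedRedirectUri = verifyRedirectUri(redirectUri, client);
        if (verifiedRedirectUri == null) {
            return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
        }
        logger.info("Checking roles...");
        RoleModel applicationRole = this.realm.getRole(Constants.APPLICATION_ROLE);
        RoleModel identityRequesterRole = this.realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
        if (!this.realm.hasRole(client, applicationRole) && !this.realm.hasRole(client, identityRequesterRole)) {
            logger.warn("Login requester not allowed to request login.");
            Response failure = oauth.forwardToSecurityFailure("Login requester not allowed to request login.");
            this.transaction.rollback();
            this.session.close();
            return failure;
        }
        logger.info("Checking cookie...");
        UserModel cookieUser = this.authManager.authenticateIdentityCookie(this.realm, this.uriInfo, this.headers);
        if (cookieUser != null) {
            logger.debug(cookieUser.getLoginName() + " already logged in.");
            return oauth.processAccessCode(scope, state, verifiedRedirectUri, client, cookieUser);
        }
        if ("none".equals(prompt)) {
            return oauth.redirectError(client, "access_denied", state, verifiedRedirectUri);
        }
        logger.info("forwardToLogin() now...");
        return Flows.forms(this.realm, this.request, this.uriInfo).forwardToLogin();
    }

    /**
     * Shows the self-registration form after the same client checks as {@link #loginPage}.
     *
     * <p>Any existing identity cookie is expired first so the registration is not mixed up with a
     * previous session.
     *
     * @param responseType unused; accepted for OAuth compatibility
     * @param scope        unused here
     * @param state        unused here
     */
    @GET
    @Path("registrations")
    public Response registerPage(@QueryParam("response_type") String responseType, @QueryParam("redirect_uri") String redirectUri, @QueryParam("client_id") String clientId, @QueryParam("scope") String scope, @QueryParam("state") String state) {
        logger.info("**********registerPage()");
        OAuthFlows oauth = Flows.oauth(this.realm, this.request, this.uriInfo, this.authManager, this.tokenManager);
        if (!this.realm.isEnabled()) {
            logger.warn("Realm not enabled");
            return oauth.forwardToSecurityFailure("Realm not enabled");
        }
        UserModel client = this.realm.getUser(clientId);
        if (client == null) {
            logger.warn("Unknown login requester.");
            return oauth.forwardToSecurityFailure("Unknown login requester.");
        }
        if (!client.isEnabled()) {
            logger.warn("Login requester not enabled.");
            return oauth.forwardToSecurityFailure("Login requester not enabled.");
        }
        if (verifyRedirectUri(redirectUri, client) == null) {
            return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
        }
        if (!this.realm.isRegistrationAllowed()) {
            logger.warn("Registration not allowed");
            return oauth.forwardToSecurityFailure("Registration not allowed");
        }
        this.authManager.expireIdentityCookie(this.realm, this.uriInfo);
        return Flows.forms(this.realm, this.request, this.uriInfo).forwardToRegistration();
    }

    /**
     * Ends the session identified by the identity cookie (cookie expiry plus single log-out of
     * the realm's resources) and redirects the browser to {@code redirect_uri}.
     *
     * <p>NOTE(review): no client identifies itself on this endpoint, so unlike {@link #loginPage}
     * the {@code redirect_uri} is not checked with {@link #verifyRedirectUri} against any
     * registered URI before the 302 is issued.
     *
     * @param redirectUri where to send the browser; a missing value yields 400 instead of the
     *                    {@link IllegalArgumentException} {@link UriBuilder#fromUri} would throw
     * @return 302 to {@code redirectUri}, or 400 when it is absent
     */
    @GET
    @Path(LogoutAction.LOGOUT_ACTION)
    @NoCache
    public Response logout(@QueryParam("redirect_uri") String redirectUri) {
        UserModel cookieUser = this.authManager.authenticateIdentityCookie(this.realm, this.uriInfo, this.headers);
        if (cookieUser != null) {
            logger.debug("Logging out: {0}", new Object[]{cookieUser.getLoginName()});
            this.authManager.expireIdentityCookie(this.realm, this.uriInfo);
            this.resourceAdminManager.singleLogOut(this.realm, cookieUser.getLoginName());
        }
        // The log-out itself is done above regardless of the redirect target.
        if (redirectUri == null) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        return Response.status(302).location(UriBuilder.fromUri(redirectUri).build(new Object[0])).build();
    }

    /**
     * Handles the submission of the OAuth grant page.
     *
     * <p>The signed access code from the form is verified under the realm's public key and
     * resolved to its {@link AccessCodeEntry}; {@code cancel} sends the browser back with
     * {@code access_denied}, otherwise the code's lifespan is renewed (the grant page round trip
     * presumably consumed part of it) and the browser is redirected with the code.
     *
     * @param form url-encoded form with the access code under {@link FormFlows#CODE} and an
     *             optional {@code cancel} key
     */
    @POST
    @Path("oauth/grant")
    @Consumes({UrlEncodedParser.CONTENT_TYPE})
    public Response processOAuth(MultivaluedMap<String, String> form) {
        OAuthFlows oauth = Flows.oauth(this.realm, this.request, this.uriInfo, this.authManager, this.tokenManager);
        String code = form.getFirst(FormFlows.CODE);
        if (code == null) {
            // Treated like an unverifiable code rather than letting JWSInput fail on null.
            return oauth.forwardToSecurityFailure("Illegal access code.");
        }
        JWSInput signedCode = new JWSInput(code, this.providers);
        boolean signatureValid = false;
        try {
            signatureValid = RSAProvider.verify(signedCode, this.realm.getPublicKey());
        } catch (Exception e) {
            logger.debug("Failed to verify signature", e);
        }
        if (!signatureValid) {
            return oauth.forwardToSecurityFailure("Illegal access code.");
        }
        AccessCodeEntry accessCode = this.tokenManager.getAccessCode(signedCode.readContent(String.class));
        if (accessCode == null) {
            return oauth.forwardToSecurityFailure("Unknown access code.");
        }
        String redirectUri = accessCode.getRedirectUri();
        String state = accessCode.getState();
        if (form.containsKey("cancel")) {
            return redirectAccessDenied(redirectUri, state);
        }
        accessCode.setExpiration((System.currentTimeMillis() / 1000) + this.realm.getAccessCodeLifespan());
        return oauth.redirectAccessCode(accessCode, state, redirectUri);
    }

    /**
     * 302 to {@code redirectUri} with {@code error=access_denied} and, when given, the
     * client's {@code state}.
     */
    protected Response redirectAccessDenied(String redirectUri, String state) {
        UriBuilder location = UriBuilder.fromUri(redirectUri).queryParam(Messages.ERROR, new Object[]{"access_denied"});
        if (state != null) {
            location.queryParam("state", new Object[]{state});
        }
        return Response.status(302).location(location.build(new Object[0])).build();
    }

    /**
     * Resolves the redirect URI to use for a client.
     *
     * <ul>
     *   <li>No URI given: the client's single registered URI is used; ambiguous or none → rejected.</li>
     *   <li>Client has no registered URIs: the given URI is accepted as-is.</li>
     *   <li>Otherwise the given URI, with any query string stripped, must exactly match a
     *       registered URI; the original (unstripped) value is then returned.</li>
     * </ul>
     *
     * @return the redirect URI to use, or {@code null} when it is not acceptable
     */
    protected String verifyRedirectUri(String redirectUri, UserModel client) {
        Collection<String> registered = client.getRedirectUris();
        if (redirectUri == null) {
            return registered.size() == 1 ? registered.iterator().next() : null;
        }
        if (registered.isEmpty()) {
            return redirectUri;
        }
        int queryStart = redirectUri.indexOf('?');
        String withoutQuery = queryStart != -1 ? redirectUri.substring(0, queryStart) : redirectUri;
        return registered.contains(withoutQuery) ? redirectUri : null;
    }
}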
