package net.shibboleth.idp.plugin.oidc.op.profile.flow;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.JWTAuthentication;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.pkce.CodeChallenge;
import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod;
import com.nimbusds.oauth2.sdk.pkce.CodeVerifier;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.io.IOException;
import java.net.URI;
import java.security.PublicKey;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import net.minidev.json.JSONObject;
import net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractIssuedJWTSecurityTest;
import net.shibboleth.idp.plugin.oidc.op.profile.impl.ValidateGrantTest;
import net.shibboleth.idp.plugin.oidc.op.storage.RevocationCacheContexts;
import net.shibboleth.idp.plugin.oidc.op.token.support.AccessTokenClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.AuthorizeCodeClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.RefreshTokenClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.TokenClaimsSet;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import net.shibboleth.utilities.java.support.security.impl.SecureRandomIdentifierGenerationStrategy;
import org.opensaml.storage.RevocationCache;
import org.opensaml.storage.StorageService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.webflow.context.ExternalContext;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.executor.FlowExecutionResult;
import org.springframework.webflow.executor.FlowExecutor;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.Factory;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/flow/TokenFlowTest.class */
public class TokenFlowTest extends AbstractOidcClientAuthenticationFlowTest {
    public static final String FLOW_ID = "oidc/token";
    String redirectUri;
    String clientIdPkcePlain;
    String clientIdPkcePlainUnforced;
    String clientIdPkceS256;
    String clientIdPkcePlainPublic;
    String clientIdPkcePlainUnforcedPublic;
    String clientIdPkceS256Public;
    String clientIdCustomTokens;
    String clientIdRefreshTokenRotation;
    String clientIdJwtAccessToken;
    String clientIdNoIdTokenViaRefreshToken;
    String codeVerifier;
    Scope scope;

    @Autowired
    @Qualifier("shibboleth.StorageService")
    StorageService storageService;

    @Autowired
    @Qualifier("shibboleth.oidc.RevocationCache")
    RevocationCache revocationCache;

    public TokenFlowTest() {
        super("oidc/token");
        this.redirectUri = "https://example.org/cb";
        this.clientIdPkcePlain = "mockClientIdPKCEPlain";
        this.clientIdPkcePlainUnforced = "mockClientIdPKCEPlainUnforced";
        this.clientIdPkceS256 = "mockClientIdPKCES256";
        this.clientIdPkcePlainPublic = "mockPublicClientIdPKCEPlain";
        this.clientIdPkcePlainUnforcedPublic = "mockPublicClientIdPKCEPlainUnforced";
        this.clientIdPkceS256Public = "mockPublicClientIdPKCES256";
        this.clientIdCustomTokens = "mockClientIdCustomTokens";
        this.clientIdRefreshTokenRotation = "mockClientIdRefreshTokenRotation";
        this.clientIdJwtAccessToken = "mockClientIdJwtAccessToken";
        this.clientIdNoIdTokenViaRefreshToken = "mockClientIdNoIdTokenViaRefreshToken";
        this.codeVerifier = "9234567812345678123456781234567812345678123456781234567812345678";
        this.scope = Scope.parse("openid profile email offline_access");
    }

    @AfterMethod
    public void removeMetadata() throws IOException {
        removeMetadata(this.storageService, this.clientId);
        removeMetadata(this.storageService, this.clientIdPkcePlain);
        removeMetadata(this.storageService, this.clientIdPkceS256);
        removeMetadata(this.storageService, this.clientIdCustomTokens);
        removeMetadata(this.storageService, this.clientIdRefreshTokenRotation);
        removeMetadata(this.storageService, this.clientIdJwtAccessToken);
        removeMetadata(this.storageService, this.clientIdNoIdTokenViaRefreshToken);
    }

    @Test
    public void testNoClientId() throws IOException, ParseException {
        setHttpFormRequest("POST", createRequestParameters(this.redirectUri, "authorization_code", "mockCode", null));
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
        assertErrorCode(launchExecution, "invalid_request");
        assertErrorDescriptionContains(launchExecution, "UnableToDecode");
    }

    @Test
    public void testNoGrantType() throws IOException, ParseException {
        setHttpFormRequest("POST", createRequestParameters(this.redirectUri, null, "mockCode", this.clientId));
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
        assertErrorCode(launchExecution, "invalid_request");
        assertErrorDescriptionContains(launchExecution, "UnableToDecode");
    }

    @Test
    public void testUntrustedClient() throws IOException, ParseException {
        setHttpFormRequest("POST", createRequestParameters(null, "authorization_code", "mockCode", this.clientId + "2"));
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_client");
    }

    @Test
    public void testUnauthorizedGrant() throws IOException, ParseException {
        setHttpFormRequest("POST", createRequestParameters(this.redirectUri, "authorization_code", "mockCode", this.clientId));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_client");
    }

    @Test
    public void testInvalidGrant() throws ParseException, IOException {
        setHttpFormRequest("POST", createRequestParameters(this.redirectUri, "authorization_code", "mockCode", this.clientId));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_grant");
    }

    @Test
    public void testNoScopesRegisteredWithOpenidScopeRequested() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientId, null, this.scope.toString()), this.clientId));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, null, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_scope");
    }

    @Test
    public void testNoScopesRegisteredWithoutOpenidScopeRequestedResourcesInMetadata() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientId, null, "profile"), this.clientId));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, null, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        Assert.assertNotNull(parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class).getTokens().getAccessToken());
    }

    @Test
    public void testNoScopesRegisteredWithoutOpenidScopeRequestedNoResourcesInMetadata() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientId, null, "profile"), this.clientId));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, (Scope) null, false, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_target");
    }

    protected void initializeGrantAndRequest(String str, Map<String, String> map) throws IOException {
        initializeGrantAndRequest(str, map, true, null);
    }

    protected void initializeGrantAndRequest(String str, Map<String, String> map, boolean z, ClientAuthenticationMethod clientAuthenticationMethod) throws IOException {
        setHttpFormRequest("POST", map);
        if (z) {
            setBasicAuth(str, this.clientSecret);
        }
        if (clientAuthenticationMethod != null) {
            storeMetadata(this.storageService, str, this.clientSecret, this.scope, (JWSAlgorithm) null, clientAuthenticationMethod, new String[0]);
        } else {
            storeMetadata(this.storageService, str, this.clientSecret, this.scope, this.redirectUri);
        }
    }

    @Test
    public void testValidGrant() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientId), this.clientId));
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        OIDCTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNotNull(parseSuccessResponse.getTokens().getRefreshToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        Assert.assertNull(getSidFromAccessToken(parseSuccessResponse.getTokens().getAccessToken()));
        Assert.assertNull(getSidFromRefreshToken(parseSuccessResponse.getTokens().getRefreshToken()));
        Assert.assertNull(getSidFromJWT(parseSuccessResponse.getOIDCTokens().getIDToken()));
    }

    @Test
    public void testValidGrantNoOpenId() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientId, null, "profile email offline_access"), this.clientId));
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNotNull(parseSuccessResponse.getTokens().getRefreshToken());
        Assert.assertNull(getSidFromAccessToken(parseSuccessResponse.getTokens().getAccessToken()));
        Assert.assertNull(getSidFromRefreshToken(parseSuccessResponse.getTokens().getRefreshToken()));
    }

    @Test
    public void testValidGrantNoOpenIdRefreshTokensDisabledInSSOProfile() throws Exception {
        initializeGrantAndRequest("mockClientIdNoRefreshTokensInSSOProfile", createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode("mockClientIdNoRefreshTokensInSSOProfile", null, "profile email offline_access"), "mockClientIdNoRefreshTokensInSSOProfile"));
        storeConsent(this.storageService, "jdoe", "mockClientIdNoRefreshTokensInSSOProfile", "mail");
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNull(parseSuccessResponse.getTokens().getRefreshToken());
    }

    @Test
    public void testValidGrantNoOpenIdRefreshTokensDisabledInTokenProfile() throws Exception {
        initializeGrantAndRequest("mockClientIdNoRefreshTokensInTokenProfile", createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode("mockClientIdNoRefreshTokensInTokenProfile", null, "profile email offline_access"), "mockClientIdNoRefreshTokensInTokenProfile"));
        storeConsent(this.storageService, "jdoe", "mockClientIdNoRefreshTokensInTokenProfile", "mail");
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNull(parseSuccessResponse.getTokens().getRefreshToken());
    }

    @Test
    public void testValidGrantWithSid() throws Exception {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCodeWithSid(this.clientId, generateIdentifier), this.clientId));
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        OIDCTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNotNull(parseSuccessResponse.getTokens().getRefreshToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        Assert.assertEquals(getSidFromAccessToken(parseSuccessResponse.getTokens().getAccessToken()), generateIdentifier);
        Assert.assertEquals(getSidFromRefreshToken(parseSuccessResponse.getTokens().getRefreshToken()), generateIdentifier);
        Assert.assertEquals(getSidFromJWT(parseSuccessResponse.getOIDCTokens().getIDToken()), generateIdentifier);
    }

    @Test
    public void testValidGrantNonMatchingRedirectURI() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri + "wrong", "authorization_code", buildAuthorizationCode(this.clientId), this.clientId));
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_request");
    }

    @Test
    public void testValidGrantNoRedirectURISingleTrusted() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(null, "authorization_code", buildAuthorizationCode(this.clientId), this.clientId));
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        OIDCTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNotNull(parseSuccessResponse.getTokens().getRefreshToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
    }

    @Test
    public void testValidGrantNoRedirectURISingleTrustedNotMatchingAuthzCode() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(null, "authorization_code", buildAuthorizationCode(this.clientId), this.clientId));
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        removeMetadata(this.storageService, this.clientId);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, this.redirectUri + "wrong");
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_request");
    }

    @Test
    public void testValidGrantNoRedirectURIMultipleTrusted() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(null, "authorization_code", buildAuthorizationCode(this.clientId), this.clientId));
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        removeMetadata(this.storageService, this.clientId);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, this.redirectUri, this.redirectUri + "another");
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_request");
    }

    @Test
    public void testValidGrantWithCustomTokens() throws Exception {
        initializeGrantAndRequest(this.clientIdCustomTokens, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdCustomTokens), this.clientId));
        storeConsent(this.storageService, "jdoe", this.clientIdCustomTokens, "mail");
        OIDCTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNotNull(parseSuccessResponse.getTokens().getRefreshToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        IDTokenClaimsSet iDTokenClaimsSet = new IDTokenClaimsSet(parseSuccessResponse.getOIDCTokens().getIDToken().getJWTClaimsSet());
        Assert.assertNotNull(iDTokenClaimsSet);
        Assert.assertNotNull(iDTokenClaimsSet.getStringClaim("custom_id_token_claim"));
        Assert.assertEquals(iDTokenClaimsSet.getStringClaim("custom_id_token_claim"), "value1");
        AccessTokenClaimsSet parse = AccessTokenClaimsSet.parse(parseSuccessResponse.getTokens().getAccessToken().getValue(), getDataSealer());
        String stringClaim = parse.getClaimsSet().getStringClaim("custom_access_token_claim");
        String stringClaim2 = parse.getClaimsSet().getStringClaim("custom_refresh_token_claim");
        Assert.assertNotNull(stringClaim);
        Assert.assertEquals(stringClaim, "value2");
        Assert.assertNull(stringClaim2);
        RefreshTokenClaimsSet parse2 = RefreshTokenClaimsSet.parse(parseSuccessResponse.getTokens().getRefreshToken().getValue(), getDataSealer());
        String stringClaim3 = parse2.getClaimsSet().getStringClaim("custom_access_token_claim");
        String stringClaim4 = parse2.getClaimsSet().getStringClaim("custom_refresh_token_claim");
        Assert.assertNotNull(stringClaim4);
        Assert.assertEquals(stringClaim4, "value3");
        Assert.assertNull(stringClaim3);
    }

    @Test
    public void testValidGrantWithWrongRegisteredAuthType() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientId), this.clientId), true, ClientAuthenticationMethod.NONE);
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_request");
    }

    @Test
    public void testValidGrantWithoutAuthentication() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientId), this.clientId), false, ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_client");
    }

    @Test
    public void testValidGrantRefreshTokensDisabledInSSOProfile() throws Exception {
        initializeGrantAndRequest("mockClientIdNoRefreshTokensInSSOProfile", createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode("mockClientIdNoRefreshTokensInSSOProfile"), "mockClientIdNoRefreshTokensInSSOProfile"));
        storeConsent(this.storageService, "jdoe", "mockClientIdNoRefreshTokensInSSOProfile", "mail");
        OIDCTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNull(parseSuccessResponse.getTokens().getRefreshToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
    }

    @Test
    public void testValidGrantRefreshTokensDisabledInTokenProfile() throws Exception {
        initializeGrantAndRequest("mockClientIdNoRefreshTokensInTokenProfile", createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode("mockClientIdNoRefreshTokensInTokenProfile"), "mockClientIdNoRefreshTokensInTokenProfile"));
        storeConsent(this.storageService, "jdoe", "mockClientIdNoRefreshTokensInTokenProfile", "mail");
        OIDCTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNull(parseSuccessResponse.getTokens().getRefreshToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
    }

    @Test
    public void testValidGrantWithRequestedScope() throws Exception {
        Map<String, String> createRequestParameters = createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientId), this.clientId);
        createRequestParameters.put("scope", "openid profile");
        initializeGrantAndRequest(this.clientId, createRequestParameters);
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        OIDCTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        AccessTokenClaimsSet parse = AccessTokenClaimsSet.parse(parseSuccessResponse.getTokens().getAccessToken().getValue(), getDataSealer());
        Assert.assertTrue(parse.getScope().contains("openid"));
        Assert.assertTrue(parse.getScope().contains("profile"));
        Assert.assertFalse(parse.getScope().contains("email"));
    }

    @Test
    public void testValidLegacyGrant() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "authorization_code", buildLegacyAuthorizationCode(this.clientId, new String[0]), this.clientId));
        OIDCTokenResponse oIDCTokenResponse = (OIDCTokenResponse) parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        AccessToken accessToken = oIDCTokenResponse.getTokens().getAccessToken();
        Assert.assertNotNull(accessToken);
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        Assert.assertNull(getSidFromAccessToken(accessToken));
        Assert.assertNull(getSidFromJWT(oIDCTokenResponse.getOIDCTokens().getIDToken()));
        validateConsentFromAccessToken(oIDCTokenResponse, false);
    }

    @Test
    public void testValidLegacyConsentGrant() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "authorization_code", buildLegacyAuthorizationCode(this.clientId, "mail"), this.clientId));
        OIDCTokenResponse oIDCTokenResponse = (OIDCTokenResponse) parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        AccessToken accessToken = oIDCTokenResponse.getTokens().getAccessToken();
        Assert.assertNotNull(accessToken);
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        Assert.assertNull(getSidFromAccessToken(accessToken));
        Assert.assertNull(getSidFromJWT(oIDCTokenResponse.getOIDCTokens().getIDToken()));
        validateConsentFromAccessToken(oIDCTokenResponse, true);
    }

    protected void validateConsentFromAccessToken(OIDCTokenResponse oIDCTokenResponse, boolean z) throws Exception {
        AccessTokenClaimsSet unwrapAccessToken = unwrapAccessToken(oIDCTokenResponse);
        Assert.assertTrue(unwrapAccessToken.getClaimsSet().getClaims().containsKey("cnsnt"));
        Assert.assertEquals(unwrapAccessToken.getClaimsSet().getBooleanClaim("cnsnt").booleanValue(), z);
        Assert.assertEquals(unwrapAccessToken.isConsentEnabled(), z);
    }

    @Test
    public void testValidGrantSaml() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdSaml), this.clientIdSaml));
        setBasicAuth(this.clientIdSaml, this.clientSecretSaml);
        storeConsent(this.storageService, "jdoe", this.clientIdSaml, "mail");
        OIDCTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        JWT iDToken = parseSuccessResponse.getOIDCTokens().getIDToken();
        Assert.assertNotNull(iDToken);
        Assert.assertEquals(iDToken.getJWTClaimsSet().getClaim("email"), "jdoe@example.org");
        Assert.assertNotNull(iDToken.getJWTClaimsSet().getClaim("at_hash"));
    }

    protected String buildAuthorizationCode(String str) throws Exception {
        return buildAuthorizationCode(str, null);
    }

    protected String buildAuthorizationCodeWithSid(String str, String str2) throws Exception {
        return buildAuthorizationCodeWithSid(str, null, null, null, null, "openid profile email offline_access", str2);
    }

    protected String buildAuthorizationCode(String str, String str2) throws Exception {
        return buildAuthorizationCode(str, str2, null, null, null);
    }

    protected String buildAuthorizationCode(String str, String str2, String str3) throws Exception {
        return buildAuthorizationCode(str, str2, null, null, null, str3);
    }

    protected String buildAuthorizationCode(String str, String str2, JSONObject jSONObject, JSONObject jSONObject2, JSONObject jSONObject3) throws Exception {
        return buildAuthorizationCode(str, str2, jSONObject, jSONObject2, jSONObject3, "openid profile email offline_access");
    }

    protected String buildAuthorizationCode(String str, String str2, JSONObject jSONObject, JSONObject jSONObject2, JSONObject jSONObject3, String str3) throws Exception {
        return buildAuthorizationCodeWithSid(str, str2, jSONObject, jSONObject2, jSONObject3, str3, null);
    }

    protected String buildAuthorizationCodeWithSid(String str, String str2, JSONObject jSONObject, JSONObject jSONObject2, JSONObject jSONObject3, String str3, String str4) throws Exception {
        AuthorizeCodeClaimsSet.Builder builder = new AuthorizeCodeClaimsSet.Builder();
        builder.setJWTID(new SecureRandomIdentifierGenerationStrategy()).setClientID(new ClientID(str)).setIssuer("https://op.example.org").setPrincipal("jdoe").setSubject("mock").setIssuedAt(Instant.now()).setExpiresAt(Instant.now().plusSeconds(100L)).setAuthenticationTime(Instant.now()).setRedirectURI(new URI(this.redirectUri)).setScope(Scope.parse(str3)).setSessionIdentifier(str4).setCodeChallenge(str2);
        if (jSONObject != null) {
            builder.setDlClaims(new ClaimsSet(jSONObject));
        }
        if (jSONObject2 != null) {
            builder.setDlClaimsID(new ClaimsSet(jSONObject2));
        }
        if (jSONObject3 != null) {
            builder.setDlClaimsUI(new ClaimsSet(jSONObject3));
        }
        return builder.build().serialize(getDataSealer());
    }

    protected String buildLegacyAuthorizationCode(String str, String... strArr) throws Exception {
        return new AuthorizationCode(getDataSealer().wrap(buildJsonForLegacyToken("jdoe", str, Scope.parse("openid email"), "ac", strArr), Instant.now().plusSeconds(30L))).getValue();
    }

    protected String buildLegacyRefreshToken(String str, String... strArr) throws Exception {
        return new RefreshToken(getDataSealer().wrap(buildJsonForLegacyToken("jdoe", str, Scope.parse("openid email"), "rf", strArr), Instant.now().plusSeconds(30L))).getValue();
    }

    protected TokenClaimsSet buildDefaultClaimsSet(String str, Collection<String> collection) throws Exception {
        return buildDefaultClaimsSet(str, collection, Instant.now());
    }

    protected TokenClaimsSet buildDefaultClaimsSet(String str, Collection<String> collection, Instant instant) throws Exception {
        Instant now = Instant.now();
        AuthorizeCodeClaimsSet.Builder builder = new AuthorizeCodeClaimsSet.Builder();
        builder.setJWTID(new SecureRandomIdentifierGenerationStrategy()).setClientID(new ClientID(str)).setIssuer(this.issuer).setPrincipal("jdoe").setSubject("mock").setIssuedAt(now).setExpiresAt(now.plusSeconds(100L)).setAuthenticationTime(instant).setRedirectURI(new URI(this.redirectUri)).setAudience(collection).setScope(this.scope == null ? new Scope() : this.scope);
        return builder.build();
    }

    protected String buildRefreshToken(String str, String str2, String str3, Collection<String> collection, String... strArr) throws Exception {
        return new RefreshToken(new RefreshTokenClaimsSet.Builder(buildDefaultClaimsSet(str, collection), Instant.now(), Instant.now().plus((TemporalAmount) Duration.ofHours(1L))).setRootTokenIdentifier(str3).setJWTID(str2).build().serialize(getDataSealer())).getValue();
    }

    protected String buildRefreshToken(String str, String str2, String str3, Collection<String> collection, Instant instant, Instant instant2, String... strArr) throws Exception {
        return buildRefreshToken(str, str2, str3, collection, instant, instant2, Instant.now().plus((TemporalAmount) Duration.ofHours(1L)), strArr);
    }

    protected String buildRefreshToken(String str, String str2, String str3, Collection<String> collection, Instant instant, Instant instant2, Instant instant3, String... strArr) throws Exception {
        return new RefreshToken(new RefreshTokenClaimsSet.Builder(buildDefaultClaimsSet(str, collection, instant), Instant.now(), instant3).setRootTokenIdentifier(str3).setJWTID(str2).addCustomClaim("c_exp", Date.from(instant2)).build().serialize(getDataSealer())).getValue();
    }

    protected String buildRefreshTokenWithSid(String str, String str2, String str3, Collection<String> collection, String str4, String... strArr) throws Exception {
        return new RefreshToken(new RefreshTokenClaimsSet.Builder(buildDefaultClaimsSet(str, collection), Instant.now(), Instant.now().plus((TemporalAmount) Duration.ofHours(1L))).setRootTokenIdentifier(str3).setJWTID(str2).setSessionIdentifier(str4).build().serialize(getDataSealer())).getValue();
    }

    @Test
    public void testValidSecretJWT() throws Exception {
        OIDCTokenResponse parseSuccessResponse = parseSuccessResponse(launchWithJwtAuthentication(buildSecretJwtAuth(this.clientSecret), JWSAlgorithm.HS256), OIDCTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
    }

    @Test
    public void testValidSecretJWTNoAlg() throws Exception {
        OIDCTokenResponse parseSuccessResponse = parseSuccessResponse(launchWithJwtAuthentication(buildSecretJwtAuth(this.clientSecret), null), OIDCTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
    }

    @Test
    public void testValidGrantValidRequestMissingPlainPKCE() throws Exception {
        initializeGrantAndRequest(this.clientIdPkcePlain, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdPkcePlain, plainVerifier()), this.clientIdPkcePlain));
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
        assertErrorCode(launchExecution, "invalid_request");
        assertErrorDescriptionContains(launchExecution, "InvalidMessage");
    }

    @Test
    public void testValidGrantInvalidUnforcedPlainPKCE() throws Exception {
        initializeGrantAndRequest(this.clientIdPkcePlainUnforced, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdPkcePlainUnforced, plainVerifier()), this.clientIdPkcePlainUnforced, null, null, this.codeVerifier + "invalid"));
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
        assertErrorCode(launchExecution, "invalid_request");
        assertErrorDescriptionContains(launchExecution, "MessageAuthenticationError");
    }

    @Test
    public void testValidGrantInvalidPlainPKCE() throws Exception {
        initializeGrantAndRequest(this.clientIdPkcePlain, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdPkcePlain, plainVerifier()), this.clientIdPkcePlain, null, null, this.codeVerifier + "invalid"));
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
        assertErrorCode(launchExecution, "invalid_request");
        assertErrorDescriptionContains(launchExecution, "MessageAuthenticationError");
    }

    @Test
    public void testValidGrantValidPlainPKCE() throws Exception {
        initializeGrantAndRequest(this.clientIdPkcePlain, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdPkcePlain, plainVerifier()), this.clientIdPkcePlain, null, null, this.codeVerifier));
        Assert.assertNotNull(parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class).getTokens().getAccessToken());
    }

    @Test
    public void testValidGrantValidPlainPKCE_publicClient() throws Exception {
        initializeGrantAndRequest(this.clientIdPkcePlainPublic, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdPkcePlainPublic, plainVerifier()), this.clientIdPkcePlainPublic, null, null, this.codeVerifier), false, ClientAuthenticationMethod.NONE);
        storeConsent(this.storageService, "jdoe", this.clientIdPkcePlainPublic, "mail");
        OIDCTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNotNull(parseSuccessResponse.getTokens().getRefreshToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
    }

    @Test
    public void testValidGrantValidUnforcedPlainPKCE() throws Exception {
        initializeGrantAndRequest(this.clientIdPkcePlainUnforced, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdPkcePlainUnforced, plainVerifier()), this.clientIdPkcePlainUnforced, null, null, this.codeVerifier));
        Assert.assertNotNull(parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class).getTokens().getAccessToken());
    }

    @Test
    public void testValidGrantValidUnforcedPlainPKCE_publicClient() throws Exception {
        initializeGrantAndRequest(this.clientIdPkcePlainUnforcedPublic, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdPkcePlainUnforcedPublic, plainVerifier()), this.clientIdPkcePlainUnforcedPublic, null, null, this.codeVerifier), false, ClientAuthenticationMethod.NONE);
        Assert.assertNotNull(parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class).getTokens().getAccessToken());
    }

    @Test
    public void testValidGrantValidRequestMissingS256PKCE() throws Exception {
        initializeGrantAndRequest(this.clientIdPkceS256, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdPkceS256, s256Verifier()), this.clientIdPkceS256));
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
        assertErrorCode(launchExecution, "invalid_request");
        assertErrorDescriptionContains(launchExecution, "InvalidMessage");
    }

    @Test
    public void testValidGrantInvalidUnforcedS256PKCE() throws Exception {
        initializeGrantAndRequest(this.clientIdPkcePlainUnforced, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdPkcePlainUnforced, s256Verifier()), this.clientIdPkcePlainUnforced, null, "S256", this.codeVerifier + "invalid"));
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
        assertErrorCode(launchExecution, "invalid_request");
        assertErrorDescriptionContains(launchExecution, "MessageAuthenticationError");
    }

    @Test
    public void testValidGrantInvalidS256PKCE() throws Exception {
        initializeGrantAndRequest(this.clientIdPkceS256, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdPkceS256, s256Verifier()), this.clientIdPkceS256, null, "S256", this.codeVerifier + "invalid"));
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
        assertErrorCode(launchExecution, "invalid_request");
        assertErrorDescriptionContains(launchExecution, "MessageAuthenticationError");
    }

    @Test
    public void testValidGrantValidS256PKCE() throws Exception {
        initializeGrantAndRequest(this.clientIdPkceS256, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdPkceS256, s256Verifier()), this.clientIdPkceS256, null, "S256", this.codeVerifier));
        Assert.assertNotNull(parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class).getTokens().getAccessToken());
    }

    @Test
    public void testValidGrantValidS256PKCE_publicClient() throws Exception {
        initializeGrantAndRequest(this.clientIdPkceS256Public, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientIdPkceS256Public, s256Verifier()), this.clientIdPkceS256Public, null, "S256", this.codeVerifier), false, ClientAuthenticationMethod.NONE);
        Assert.assertNotNull(parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class).getTokens().getAccessToken());
    }

    @Test
    public void testValidGrantValidUnforcedS256PKCE() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientId, s256Verifier()), this.clientId, null, "S256", this.codeVerifier));
        Assert.assertNotNull(parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class).getTokens().getAccessToken());
    }

    @Test
    public void testInvalidSecretJWT() throws Exception {
        assertErrorCode(launchWithJwtAuthentication(buildSecretJwtAuth(this.clientSecret + "invalid"), JWSAlgorithm.HS256), "invalid_client");
    }

    @Test
    public void testValidGrantWrappedClaimsUI() throws Exception {
        JSONObject jSONObject = new JSONObject();
        jSONObject.put("name", "John Doe");
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientId, null, null, null, jSONObject), this.clientId));
        AccessTokenClaimsSet unwrapAccessToken = unwrapAccessToken((OIDCTokenResponse) parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class));
        Assert.assertNotNull(unwrapAccessToken);
        ClaimsSet userinfoDeliveryClaims = unwrapAccessToken.getUserinfoDeliveryClaims();
        Assert.assertNotNull(userinfoDeliveryClaims);
        Assert.assertEquals(userinfoDeliveryClaims.getClaim("name"), "John Doe");
        Assert.assertNull(unwrapAccessToken.getDeliveryClaims().getClaim("name"));
        Assert.assertNull(unwrapAccessToken.getIDTokenDeliveryClaims());
    }

    @Test
    public void testValidGrantWrappedClaims() throws Exception {
        JSONObject jSONObject = new JSONObject();
        jSONObject.put("name", "John Doe");
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "authorization_code", buildAuthorizationCode(this.clientId, null, jSONObject, null, null), this.clientId));
        AccessTokenClaimsSet unwrapAccessToken = unwrapAccessToken((OIDCTokenResponse) parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class));
        Assert.assertNotNull(unwrapAccessToken);
        ClaimsSet deliveryClaims = unwrapAccessToken.getDeliveryClaims();
        Assert.assertNotNull(deliveryClaims);
        Assert.assertEquals(deliveryClaims.getClaim("name"), "John Doe");
        Assert.assertNull(unwrapAccessToken.getUserinfoDeliveryClaims().getClaim("name"));
        Assert.assertNull(unwrapAccessToken.getIDTokenDeliveryClaims());
    }

    @Test
    public void testValidLegacyRefreshTokenGrant() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "refresh_token", buildLegacyRefreshToken(this.clientId, new String[0]), this.clientId));
        OIDCTokenResponse oIDCTokenResponse = (OIDCTokenResponse) parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(oIDCTokenResponse.getTokens().getAccessToken());
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        validateConsentFromAccessToken(oIDCTokenResponse, false);
    }

    @Test
    public void testValidLegacyConsentRefreshTokenGrant() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "refresh_token", buildLegacyRefreshToken(this.clientId, "mail"), this.clientId));
        OIDCTokenResponse oIDCTokenResponse = (OIDCTokenResponse) parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(oIDCTokenResponse.getTokens().getAccessToken());
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        validateConsentFromAccessToken(oIDCTokenResponse, true);
    }

    @Test
    public void testValidRefreshTokenGrant() throws Exception {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "refresh_token", buildRefreshToken(this.clientId, generateIdentifier, generateIdentifier2, null, new String[0]), this.clientId));
        OIDCTokenResponse oIDCTokenResponse = (OIDCTokenResponse) parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        AccessToken accessToken = oIDCTokenResponse.getTokens().getAccessToken();
        Assert.assertNotNull(accessToken);
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        Assert.assertNull(getSidFromAccessToken(accessToken));
        Assert.assertNull(getSidFromJWT(oIDCTokenResponse.getOIDCTokens().getIDToken()));
        validateConsentFromAccessToken(oIDCTokenResponse, false);
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, generateIdentifier));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier2));
    }

    @Test
    public void testChainExpiredRefreshTokenGrant() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "refresh_token", buildRefreshToken(this.clientId, this.idGenerator.generateIdentifier(), this.idGenerator.generateIdentifier(), null, Instant.now(), Instant.now(), new String[0]), this.clientId));
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_grant");
    }

    @Test
    public void testAuthTimeExpiredRefreshTokenGrant() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "refresh_token", buildRefreshToken(this.clientId, this.idGenerator.generateIdentifier(), this.idGenerator.generateIdentifier(), null, Instant.now().minus((TemporalAmount) Duration.ofHours(2L)), Instant.now().plus((TemporalAmount) Duration.ofHours(5L)), new String[0]), this.clientId));
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_grant");
    }

    @Test
    public void testExpiredRefreshTokenGrant() throws Exception {
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "refresh_token", buildRefreshToken(this.clientId, this.idGenerator.generateIdentifier(), this.idGenerator.generateIdentifier(), (Collection<String>) null, Instant.now(), Instant.now().plus((TemporalAmount) Duration.ofHours(5L)), Instant.now(), new String[0]), this.clientId));
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_grant");
    }

    @Test
    public void testValidRefreshTokenGrant_idTokenIssuanceDisabled() throws Exception {
        String str = this.clientIdNoIdTokenViaRefreshToken;
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        initializeGrantAndRequest(str, createRequestParameters(this.redirectUri, "refresh_token", buildRefreshToken(str, generateIdentifier, generateIdentifier2, null, new String[0]), str));
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
        Assert.assertFalse(OIDCTokenResponse.class.isInstance(parseResponse(launchExecution)));
        Assert.assertNotNull(parseSuccessResponse(launchExecution, AccessTokenResponse.class).getTokens().getAccessToken());
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, generateIdentifier));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier2));
    }

    @Test
    public void testValidRefreshTokenGrantWithSid() throws Exception {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        String generateIdentifier3 = this.idGenerator.generateIdentifier();
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "refresh_token", buildRefreshTokenWithSid(this.clientId, generateIdentifier, generateIdentifier2, null, generateIdentifier3, new String[0]), this.clientId));
        OIDCTokenResponse oIDCTokenResponse = (OIDCTokenResponse) parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        AccessToken accessToken = oIDCTokenResponse.getTokens().getAccessToken();
        Assert.assertNotNull(accessToken);
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        Assert.assertEquals(getSidFromAccessToken(accessToken), generateIdentifier3);
        Assert.assertEquals(getSidFromJWT(oIDCTokenResponse.getOIDCTokens().getIDToken()), generateIdentifier3);
        validateConsentFromAccessToken(oIDCTokenResponse, false);
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, generateIdentifier));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier2));
    }

    @Test
    public void testValidRefreshTokenGrantWithResource() throws Exception {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        initializeGrantAndRequest(this.clientId, createRequestParameters(this.redirectUri, "refresh_token", buildRefreshToken(this.clientId, generateIdentifier, generateIdentifier2, List.of("https://rp.example.org"), new String[0]), this.clientId));
        OIDCTokenResponse oIDCTokenResponse = (OIDCTokenResponse) parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(oIDCTokenResponse.getTokens().getAccessToken());
        Assert.assertTrue(unwrapAccessToken(oIDCTokenResponse).getClaimsSet().getAudience().contains("https://rp.example.org"));
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        validateConsentFromAccessToken(oIDCTokenResponse, false);
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, generateIdentifier));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier2));
    }

    @Test
    public void testValidRefreshTokenGrantRefreshTokenRotation() throws Exception {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        initializeGrantAndRequest(this.clientIdRefreshTokenRotation, createRequestParameters(this.redirectUri, "refresh_token", buildRefreshToken(this.clientIdRefreshTokenRotation, generateIdentifier, generateIdentifier2, null, new String[0]), this.clientIdRefreshTokenRotation));
        OIDCTokenResponse oIDCTokenResponse = (OIDCTokenResponse) parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), OIDCTokenResponse.class);
        Assert.assertNotNull(oIDCTokenResponse.getTokens().getAccessToken());
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken());
        Assert.assertNotNull(oIDCTokenResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        validateConsentFromAccessToken(oIDCTokenResponse, false);
        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, generateIdentifier));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier2));
    }

    @Test
    public void testRevokedRefreshTokenGrantRefreshTokenRotation() throws Exception {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        Assert.assertTrue(this.revocationCache.revoke(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, generateIdentifier));
        initializeGrantAndRequest(this.clientIdRefreshTokenRotation, createRequestParameters(this.redirectUri, "refresh_token", buildRefreshToken(this.clientIdRefreshTokenRotation, generateIdentifier, generateIdentifier2, null, new String[0]), this.clientIdRefreshTokenRotation));
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_grant");
        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, generateIdentifier));
        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier2));
    }

    @Test
    public void testRevokedChainInRefreshTokenGrant() throws Exception {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        Assert.assertTrue(this.revocationCache.revoke(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier2));
        initializeGrantAndRequest(this.clientIdRefreshTokenRotation, createRequestParameters(this.redirectUri, "refresh_token", buildRefreshToken(this.clientIdRefreshTokenRotation, generateIdentifier, generateIdentifier2, null, new String[0]), this.clientIdRefreshTokenRotation));
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_grant");
        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier2));
    }

    @Test
    public void testRevokedChainViaJtiInRefreshTokenGrant() throws Exception {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        Assert.assertTrue(this.revocationCache.revoke(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier));
        initializeGrantAndRequest(this.clientIdRefreshTokenRotation, createRequestParameters(this.redirectUri, "refresh_token", buildRefreshToken(this.clientIdRefreshTokenRotation, generateIdentifier, null, null, new String[0]), this.clientIdRefreshTokenRotation));
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_grant");
        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier));
    }

    @Factory
    public Object[] createIdTokenSecurityTests() {
        return new Object[]{new IssuedSignedJWTTest(AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE.TOKEN_ID_TOKEN, "oidc/token"), new IssuedEncryptedJWTTest(AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE.TOKEN_ID_TOKEN, "oidc/token", true, false), new IssuedEncryptedJWTTest(AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE.TOKEN_ID_TOKEN, "oidc/token", true, true)};
    }

    @Factory
    public Object[] createAccessTokenSecurityTests() {
        return new Object[]{new IssuedSignedJWTTest(AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE.TOKEN_ACCESS_TOKEN, "oidc/token"), new IssuedEncryptedJWTTest(AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE.TOKEN_ACCESS_TOKEN, "oidc/token", true, false), new IssuedEncryptedJWTTest(AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE.TOKEN_ACCESS_TOKEN, "oidc/token", true, true)};
    }

    private AccessTokenClaimsSet unwrapAccessToken(OIDCTokenResponse oIDCTokenResponse) {
        AccessToken accessToken = oIDCTokenResponse.getTokens().getAccessToken();
        Assert.assertNotNull(accessToken);
        try {
            return AccessTokenClaimsSet.parse(accessToken.getValue(), getDataSealer());
        } catch (ParseException | DataSealerException e) {
            return null;
        }
    }

    private String plainVerifier() {
        return "plain" + CodeChallenge.compute(CodeChallengeMethod.PLAIN, new CodeVerifier(this.codeVerifier)).getValue();
    }

    private String s256Verifier() {
        return "S256" + CodeChallenge.compute(CodeChallengeMethod.S256, new CodeVerifier(this.codeVerifier)).getValue();
    }

    protected FlowExecutionResult launchWithJwtAuthentication(JWTAuthentication jWTAuthentication, JWSAlgorithm jWSAlgorithm) throws Exception {
        return launchWithJwtAuthentication(jWTAuthentication, jWSAlgorithm, (String) null);
    }

    protected static String buildAuthorizationCode(String str, String str2, String str3, String str4, String str5, String str6, Collection<String> collection) throws Exception {
        Instant now = Instant.now();
        AuthorizeCodeClaimsSet.Builder builder = new AuthorizeCodeClaimsSet.Builder();
        builder.setJWTID(new SecureRandomIdentifierGenerationStrategy()).setClientID(new ClientID(str)).setIssuer(str2).setPrincipal(str3).setSubject(str4).setIssuedAt(now).setExpiresAt(now.plusSeconds(100L)).setAuthenticationTime(now).setRedirectURI(new URI(str5)).setAudience(collection).setScope(str6 == null ? new Scope() : Scope.parse(str6));
        return new AuthorizationCode(builder.build().serialize(new ValidateGrantTest().getDataSealer())).getValue();
    }

    protected FlowExecutionResult launchWithJwtAuthentication(JWTAuthentication jWTAuthentication, JWSAlgorithm jWSAlgorithm, String str) throws Exception {
        String str2 = buildAuthorizationCode(this.clientId, "https://op.example.org", "jdoe", "mock", this.redirectUri, this.scope.toString(), null).toString();
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, JWSAlgorithm.HS256, ClientAuthenticationMethod.CLIENT_SECRET_JWT, new String[0]);
        Map<String, String> createRequestParameters = createRequestParameters(this.redirectUri, "authorization_code", str2, this.clientId);
        if (str != null) {
            createRequestParameters.put("scope", str);
        }
        populateClientAssertionParams(createRequestParameters, jWTAuthentication);
        setHttpFormRequest("POST", createRequestParameters);
        return this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
    }

    protected FlowExecutionResult launchWithJwtAuthentication(JWTAuthentication jWTAuthentication, JWSAlgorithm jWSAlgorithm, JWSAlgorithm jWSAlgorithm2, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod) throws Exception {
        OIDCClientMetadata buildMetadataSkeleton = buildMetadataSkeleton();
        buildMetadataSkeleton.setScope(this.scope);
        buildMetadataSkeleton.setTokenEndpointAuthMethod(ClientAuthenticationMethod.CLIENT_SECRET_JWT);
        buildMetadataSkeleton.setTokenEndpointAuthJWSAlg(JWSAlgorithm.HS256);
        buildMetadataSkeleton.setIDTokenJWSAlg(jWSAlgorithm2);
        buildMetadataSkeleton.setIDTokenJWEAlg(jWEAlgorithm);
        buildMetadataSkeleton.setIDTokenJWEEnc(encryptionMethod);
        return launchWithJwtAuthentication(this.flowExecutor, jWTAuthentication, this.externalContext, this.request, this.redirectUri, this.scope.toString(), buildMetadataSkeleton, this.clientSecret, this.storageService);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static FlowExecutionResult launchWithJwtAuthentication(FlowExecutor flowExecutor, JWTAuthentication jWTAuthentication, ExternalContext externalContext, MockHttpServletRequest mockHttpServletRequest, String str, String str2, OIDCClientMetadata oIDCClientMetadata, String str3, StorageService storageService) throws Exception {
        String value = jWTAuthentication.getClientID().getValue();
        String str4 = buildAuthorizationCode(value, "https://op.example.org", "jdoe", "mock", str, str2.toString(), null).toString();
        storeMetadataObject(storageService, value, str3, oIDCClientMetadata);
        Map<String, String> createRequestParameters = createRequestParameters(str, "authorization_code", str4, value);
        populateClientAssertionParams(createRequestParameters, jWTAuthentication);
        setHttpFormRequest(mockHttpServletRequest, "POST", createRequestParameters);
        return flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, externalContext);
    }

    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
    protected FlowExecutionResult launchWithJwtAuthentication(JWT jwt, JWSAlgorithm jWSAlgorithm, ClientAuthenticationMethod clientAuthenticationMethod, PublicKey publicKey) throws Exception {
        String str = buildAuthorizationCode(this.clientId, "https://op.example.org", "jdoe", "mock", this.redirectUri, this.scope.toString(), null).toString();
        if (publicKey == null) {
            storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, jWSAlgorithm, clientAuthenticationMethod, new String[0]);
        } else {
            storeMetadata(this.storageService, this.clientId, (String) null, this.scope, jWSAlgorithm, clientAuthenticationMethod, (JWSAlgorithm) null, publicKey, new String[0]);
        }
        Map<String, String> createRequestParameters = createRequestParameters(this.redirectUri, "authorization_code", str, this.clientId);
        populateClientAssertionParams(createRequestParameters, jwt);
        setHttpFormRequest("POST", createRequestParameters);
        return this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
    }

    protected static Map<String, String> createRequestParameters(String str, String str2, String str3, String str4) {
        HashMap hashMap = new HashMap();
        addNonNullValue(hashMap, "redirect_uri", str);
        addNonNullValue(hashMap, "grant_type", str2);
        if ("refresh_token".equals(str2)) {
            addNonNullValue(hashMap, "refresh_token", str3);
        } else {
            addNonNullValue(hashMap, "code", str3);
        }
        addNonNullValue(hashMap, "client_id", str4);
        return hashMap;
    }

    protected static Map<String, String> createRequestParameters(String str, String str2, String str3, String str4, String str5, String str6, String str7) {
        Map<String, String> createRequestParameters = createRequestParameters(str, str2, str3, str4);
        addNonNullValue(createRequestParameters, "code_challenge", str5);
        addNonNullValue(createRequestParameters, "code_challenge_method", str6);
        addNonNullValue(createRequestParameters, "code_verifier", str7);
        return createRequestParameters;
    }

    private static void addNonNullValue(Map<String, String> map, String str, String str2) {
        if (str2 != null) {
            map.put(str, str2);
        }
    }

    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
    protected Pair<String, String> getErrorDetaisForJWTValidation() {
        return new Pair<>("invalid_client", "Client authentication failed");
    }

    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
    protected void assertSuccessResponse(FlowExecutionResult flowExecutionResult) {
        OIDCTokenResponse parseSuccessResponse = parseSuccessResponse(flowExecutionResult, OIDCTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getAccessToken());
        Assert.assertNotNull(parseSuccessResponse.getOIDCTokens().getIDToken());
    }

    protected String getSidFromAccessToken(AccessToken accessToken) {
        Assert.assertNotNull(accessToken.getValue());
        try {
            return AccessTokenClaimsSet.parse(accessToken.getValue(), getDataSealer()).getSessionIdentifier();
        } catch (ParseException | DataSealerException e) {
            return null;
        }
    }

    protected String getSidFromRefreshToken(RefreshToken refreshToken) {
        Assert.assertNotNull(refreshToken.getValue());
        try {
            return RefreshTokenClaimsSet.parse(refreshToken.getValue(), getDataSealer()).getSessionIdentifier();
        } catch (ParseException | DataSealerException e) {
            return null;
        }
    }

    protected String getSidFromJWT(JWT jwt) {
        Assert.assertNotNull(jwt);
        try {
            return jwt.getJWTClaimsSet().getStringClaim("sid");
        } catch (ParseException e) {
            return null;
        }
    }
}
