package net.shibboleth.idp.plugin.oidc.op.profile.flow;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.langtag.LangTag;
import com.nimbusds.oauth2.sdk.AuthorizationResponse;
import com.nimbusds.oauth2.sdk.AuthorizationSuccessResponse;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.ClaimRequirement;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractIssuedJWTSecurityTest;
import net.shibboleth.idp.plugin.oidc.op.token.support.AccessTokenClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.AuthorizeCodeClaimsSet;
import net.shibboleth.idp.session.SessionException;
import net.shibboleth.oidc.profile.core.OidcError;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.opensaml.storage.StorageService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.executor.FlowExecutionResult;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Factory;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/flow/AuthorizeFlowTest.class */
public class AuthorizeFlowTest extends AbstractOidcFlowTest {
    // Id of the Spring Web Flow flow that every test in this class launches.
    public static final String FLOW_ID = "oidc/authorize";
    // Value sent as the "resource" request parameter by the *AndResource tests.
    String resource;
    // Expected issuer; compared with the response "iss" value and with access-token audiences.
    String issuer;
    // Redirect URI handed to storeMetadata and sent as "redirect_uri".
    String redirectUri;
    // Identifier of the default mock client.
    String clientId;
    // Identifier of the mock client used by the *IssInResponse tests.
    String clientIdIssInResponse;
    // NOTE(review): not referenced in the portion of the class reviewed here.
    String clientIdCustomTokens;
    // Fixture-only client secret (a mock value assigned in the constructor) passed to storeMetadata.
    String clientSecret;
    // Scope set passed to storeMetadata by most tests.
    Scope scope;

    // Storage service bean that the tests pass to storeMetadata together with the client data.
    @Autowired
    @Qualifier("shibboleth.StorageService")
    StorageService storageService;

    /**
     * Binds the test to the {@code oidc/authorize} flow and assigns the fixture values
     * (endpoints, client identifiers, mock secret, registered scope) shared by all tests.
     */
    public AuthorizeFlowTest() {
        super(FLOW_ID);

        // Endpoints of the simulated deployment.
        issuer = "https://op.example.org";
        resource = "https://resource.example.org";
        redirectUri = "https://example.org/cb";

        // Mock relying-party identifiers; the matching profile configuration lives outside this file.
        clientId = "mockClientId";
        clientIdIssInResponse = "mockClientIdIssInResponse";
        clientIdCustomTokens = "mockClientIdCustomTokens";

        // Fixture-only secret and the scope set most tests register for the client.
        clientSecret = "mockClientSecretmockClientSecretmockClientSecretmockClientSecretmockClientSecret";
        scope = Scope.parse("openid profile email");
    }

    /**
     * Calls {@code setBasicAuth} with the test user's credentials before every test method.
     */
    @BeforeMethod
    public void setup() {
        final String username = "jdoe";
        final String password = "changeit";
        setBasicAuth(username, password);
    }

    /**
     * Authorization code flow ({@code response_type=code}) for the default mock client.
     *
     * <p>Expects a success response for the registered redirect URI that carries only an
     * authorization code: no ID token, no access token and no {@code iss} value. The code
     * must yield a session identifier (sid).
     */
    @Test
    public void testWithAuthorizationCodeFlow() throws IOException, SessionException {
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        request.setMethod("GET");
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        // Front channel must expose nothing but the code.
        Assert.assertNull(response.getIDToken());
        Assert.assertNull(response.getAccessToken());
        Assert.assertNotNull(response.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(response));
        // The default client gets no issuer in the response.
        Assert.assertNull(response.getIssuer());
    }

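    /**
     * Authorization code request without a request object for the client
     * {@code mockClientIdRequestObjectEnforced}.
     *
     * <p>Expects the flow to end with the {@code ErrorView} outcome. NOTE(review): the client is
     * presumably configured outside this file to require a request object — confirm against the
     * test profile configuration.
     */
    @Test
    public void testWithAuthorizationCodeFlowRequestObjectEnforcedNoRO() throws IOException, SessionException {
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdRequestObjectEnforced"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        request.setMethod("GET");
        storeMetadata(storageService, "mockClientIdRequestObjectEnforced", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        String outcomeId = flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext)
                .getOutcome().getId();
        // TestNG's assertEquals takes (actual, expected); the original order produced a misleading failure message.
        Assert.assertEquals(outcomeId, "ErrorView");
    }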

    /**
     * Authorization code flow with an additional {@code resource} request parameter.
     *
     * <p>The front-channel result must match the plain code flow: redirect URI preserved, only an
     * authorization code returned, a sid derivable from the code, and no {@code iss} value.
     */
    @Test
    public void testWithAuthorizationCodeFlowAndResource() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("resource", resource)));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        // No tokens may appear in a code-only response.
        Assert.assertNull(response.getIDToken());
        Assert.assertNull(response.getAccessToken());
        Assert.assertNotNull(response.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(response));
        Assert.assertNull(response.getIssuer());
    }

    /**
     * Authorization code flow for the client {@code mockClientIdIssInResponse}.
     *
     * <p>In addition to the code-only checks, the response must carry an issuer equal to the
     * expected OP issuer. An {@code iss} authorization response parameter (RFC 9207) lets a client
     * detect a response coming from a different authorization server than the one it addressed.
     * NOTE(review): the per-client switch that enables it is configured outside this file.
     */
    @Test
    public void testWithAuthorizationCodeFlowIssInResponse() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdIssInResponse"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientIdIssInResponse, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        Assert.assertNull(response.getIDToken());
        Assert.assertNull(response.getAccessToken());
        Assert.assertNotNull(response.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(response));
        // Issuer must be present and must be exactly the OP's identifier.
        Assert.assertNotNull(response.getIssuer());
        Assert.assertEquals(response.getIssuer().getValue(), issuer);
    }

    /**
     * Code flow requested with scope {@code profile} only (no {@code openid}), so the response is
     * parsed as a plain OAuth 2.0 {@link AuthorizationResponse}.
     *
     * <p>Uses the five-argument {@code storeMetadata}; expects a code, no access token and no
     * {@code iss} value. NOTE(review): per the test name this variant of the stored metadata
     * contains the resource — confirm against {@code storeMetadata}.
     */
    @Test
    public void testWithAuthorizationCodeFlowNoOpenidMetadataContainsResource() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code"),
                new Pair("scope", "profile"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthorizationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthorizationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        Assert.assertNull(response.getAccessToken());
        Assert.assertNotNull(response.getAuthorizationCode());
        Assert.assertNull(response.getIssuer());
    }

    /**
     * Code flow requested with scope {@code profile} only, with metadata stored through the
     * {@code storeMetadata} overload that takes an extra {@code false} argument.
     *
     * <p>Expects an {@code invalid_request} error whose description contains
     * {@code InvalidTarget}, and no issuer on the error response. NOTE(review): the boolean
     * presumably controls whether the stored metadata includes the resource — confirm against
     * {@code storeMetadata}.
     */
    @Test
    public void testWithAuthorizationCodeFlowNoOpenidMetadataNotContainingResource() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code"),
                new Pair("scope", "profile"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientId, clientSecret, scope, false, redirectUri);
        initializeThreadLocals();

        FlowExecutionResult result =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        // The request must be refused rather than silently issuing a code for an unknown target.
        assertErrorCode(result, "invalid_request");
        assertErrorDescriptionContains(result, "InvalidTarget");
        assertErrorResponseWithNoIssuer(result);
    }

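    /**
     * Authorization code request that omits {@code redirect_uri}.
     *
     * <p>Expects the flow to end with the {@code ErrorView} outcome. Without a usable redirect URI
     * the authorization server has nowhere safe to send an error, so it must not redirect
     * (RFC 6749, section 4.1.2.1). NOTE(review): that {@code ErrorView} is a locally rendered
     * page is inferred from its name — confirm against the flow definition.
     */
    @Test
    public void testWithAuthorizationCodeFlowNoRedirectURI() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile")));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        String outcomeId = flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext)
                .getOutcome().getId();
        // TestNG's assertEquals takes (actual, expected); the original order produced a misleading failure message.
        Assert.assertEquals(outcomeId, "ErrorView");
    }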

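    /**
     * Implicit flow ({@code response_type=id_token}) request without a {@code nonce}.
     *
     * <p>Expects the flow to end with the {@code ErrorView} outcome. OpenID Connect Core requires
     * {@code nonce} for the implicit flow; it ties the ID token to the client's request and is the
     * replay mitigation when ID tokens are returned from the authorization endpoint.
     */
    @Test
    public void testWithImplicitFlowNoNonce() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "id_token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        String outcomeId = flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext)
                .getOutcome().getId();
        // TestNG's assertEquals takes (actual, expected); the original order produced a misleading failure message.
        Assert.assertEquals(outcomeId, "ErrorView");
    }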

    /**
     * Implicit flow ({@code response_type=id_token}) with a nonce.
     *
     * <p>Expects an ID token carrying a sid and nothing else: no access token, no authorization
     * code and no {@code iss} value.
     */
    @Test
    public void testWithImplicitFlow() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "id_token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        Assert.assertNotNull(response.getIDToken());
        Assert.assertNotNull(getSidFromIDToken(response));
        // Only the ID token was requested, so no other credential may be returned.
        Assert.assertNull(response.getAccessToken());
        Assert.assertNull(response.getAuthorizationCode());
        Assert.assertNull(response.getIssuer());
    }

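    /**
     * Implicit flow ({@code response_type=id_token}) request without a request object for the
     * client {@code mockClientIdRequestObjectEnforced}.
     *
     * <p>Expects the flow to end with the {@code ErrorView} outcome even though a nonce is
     * supplied. NOTE(review): the client is presumably configured outside this file to require a
     * request object — confirm against the test profile configuration.
     */
    @Test
    public void testWithImplicitFlowRequestObjectEnforcedNoRO() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdRequestObjectEnforced"),
                new Pair("response_type", "id_token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, "mockClientIdRequestObjectEnforced", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        String outcomeId = flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext)
                .getOutcome().getId();
        // TestNG's assertEquals takes (actual, expected); the original order produced a misleading failure message.
        Assert.assertEquals(outcomeId, "ErrorView");
    }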

    /**
     * Implicit flow ({@code response_type=id_token}) for the client
     * {@code mockClientIdIssInResponse}.
     *
     * <p>Expects an ID token with a sid and with neither {@code c_hash} nor {@code at_hash}
     * (no code or access token was issued alongside it), no access token, no authorization code,
     * and a response issuer equal to the expected OP issuer.
     */
    @Test
    public void testWithImplicitFlowIssInResponse() throws IOException, SessionException, ParseException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdIssInResponse"),
                new Pair("response_type", "id_token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientIdIssInResponse, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        Assert.assertNotNull(response.getIDToken());
        // Hash claims bind the ID token to a code / access token; neither was issued here.
        Assert.assertNull(response.getIDToken().getJWTClaimsSet().getClaim("c_hash"));
        Assert.assertNull(response.getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        Assert.assertNotNull(getSidFromIDToken(response));
        Assert.assertNull(response.getAccessToken());
        Assert.assertNull(response.getAuthorizationCode());
        // Issuer must be present and must be exactly the OP's identifier.
        Assert.assertNotNull(response.getIssuer());
        Assert.assertEquals(response.getIssuer().getValue(), issuer);
    }

    /**
     * Implicit flow ({@code response_type=id_token}) with a nonce and a {@code resource}
     * request parameter.
     *
     * <p>Expects the same result as the plain implicit flow: an ID token with a sid, and no access
     * token, authorization code or {@code iss} value.
     */
    @Test
    public void testWithImplicitFlowAndResource() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "id_token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("resource", resource),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        Assert.assertNotNull(response.getIDToken());
        Assert.assertNotNull(getSidFromIDToken(response));
        // The resource parameter must not cause an access token to be issued for id_token only.
        Assert.assertNull(response.getAccessToken());
        Assert.assertNull(response.getAuthorizationCode());
        Assert.assertNull(response.getIssuer());
    }

    /**
     * Implicit flow returning both tokens ({@code response_type=id_token token}).
     *
     * <p>Expects an ID token with {@code at_hash} but without {@code c_hash}, an access token
     * whose sid equals the ID token's sid, and no authorization code or {@code iss} value. The
     * access token is unsealed with the data sealer; its audience must be the issuer alone and it
     * must not contain {@code eduPersonScopedAffiliation}.
     */
    @Test
    public void testWithImplicitTokenFlow() throws IOException, SessionException, DataSealerException, ParseException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "id_token token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        Assert.assertNotNull(response.getIDToken());
        // at_hash binds the ID token to the access token issued with it; no code, so no c_hash.
        Assert.assertNull(response.getIDToken().getJWTClaimsSet().getClaim("c_hash"));
        Assert.assertNotNull(response.getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        String idTokenSid = getSidFromIDToken(response);
        Assert.assertNotNull(idTokenSid);
        Assert.assertNotNull(response.getAccessToken());
        // Both tokens must refer to the same session.
        Assert.assertEquals(idTokenSid, getSidFromOpaqueAccessTokenClaimsSet(response));
        Assert.assertNull(response.getAuthorizationCode());

        AccessTokenClaimsSet accessTokenClaims =
                AccessTokenClaimsSet.parse(response.getAccessToken().getValue(), getDataSealer());
        Assert.assertEquals(accessTokenClaims.getAudience(), Collections.singletonList(issuer));
        Assert.assertNull(accessTokenClaims.getClaimsSet().getStringClaim("eduPersonScopedAffiliation"));
        Assert.assertNull(response.getIssuer());
    }

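    /**
     * {@code response_type=id_token token} request without a request object for the client
     * {@code mockClientIdRequestObjectEnforced}.
     *
     * <p>Expects the flow to end with the {@code ErrorView} outcome even though a nonce is
     * supplied. NOTE(review): the client is presumably configured outside this file to require a
     * request object — confirm against the test profile configuration.
     */
    @Test
    public void testWithImplicitTokenFlowRequestObjectEnforcedNoRO() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdRequestObjectEnforced"),
                new Pair("response_type", "id_token token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, "mockClientIdRequestObjectEnforced", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        String outcomeId = flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext)
                .getOutcome().getId();
        // TestNG's assertEquals takes (actual, expected); the original order produced a misleading failure message.
        Assert.assertEquals(outcomeId, "ErrorView");
    }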

    /**
     * {@code response_type=id_token token} for the client {@code mockClientIdIssInResponse}.
     *
     * <p>Expects an ID token and an access token that share one sid, no authorization code, an
     * access token whose audience is the issuer alone and which lacks
     * {@code eduPersonScopedAffiliation}, and a response issuer equal to the expected OP issuer.
     */
    @Test
    public void testWithImplicitTokenFlowIssInResponse() throws IOException, SessionException, DataSealerException, ParseException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdIssInResponse"),
                new Pair("response_type", "id_token token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientIdIssInResponse, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        Assert.assertNotNull(response.getIDToken());
        String idTokenSid = getSidFromIDToken(response);
        Assert.assertNotNull(idTokenSid);
        Assert.assertNotNull(response.getAccessToken());
        // Both tokens must refer to the same session.
        Assert.assertEquals(idTokenSid, getSidFromOpaqueAccessTokenClaimsSet(response));
        Assert.assertNull(response.getAuthorizationCode());

        AccessTokenClaimsSet accessTokenClaims =
                AccessTokenClaimsSet.parse(response.getAccessToken().getValue(), getDataSealer());
        Assert.assertEquals(accessTokenClaims.getAudience(), Collections.singletonList(issuer));
        Assert.assertNull(accessTokenClaims.getClaimsSet().getStringClaim("eduPersonScopedAffiliation"));
        // Issuer must be present and must be exactly the OP's identifier.
        Assert.assertNotNull(response.getIssuer());
        Assert.assertEquals(response.getIssuer().getValue(), issuer);
    }

    /**
     * {@code response_type=id_token token} with a {@code resource} request parameter.
     *
     * <p>Here the access token is parsed as a signed JWT rather than unsealed with the data
     * sealer. Expects the ID token and access token to share one sid, no authorization code, no
     * {@code iss} value, an access-token audience of exactly the requested resource followed by
     * the issuer, and an {@code eduPersonScopedAffiliation} claim in the access token.
     */
    @Test
    public void testWithImplicitTokenFlowAndResource() throws IOException, SessionException, ParseException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "id_token token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("resource", resource),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        Assert.assertNotNull(response.getIDToken());
        String idTokenSid = getSidFromIDToken(response);
        Assert.assertNotNull(idTokenSid);
        Assert.assertNotNull(response.getAccessToken());
        // Both tokens must refer to the same session.
        Assert.assertEquals(idTokenSid, getSidFromJWTAccessTokenClaimsSet(response));
        Assert.assertNull(response.getAuthorizationCode());
        Assert.assertNull(response.getIssuer());

        // Audience restriction: the token is scoped to the requested resource plus the issuer.
        JWTClaimsSet accessTokenClaims =
                SignedJWT.parse(response.getAccessToken().getValue()).getJWTClaimsSet();
        Assert.assertEquals(accessTokenClaims.getAudience(), List.of(resource, issuer));
        Assert.assertNotNull(accessTokenClaims.getStringClaim("eduPersonScopedAffiliation"));
    }

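    /**
     * {@code response_type=id_token token} request without a {@code nonce}.
     *
     * <p>Expects the flow to end with the {@code ErrorView} outcome. OpenID Connect Core requires
     * {@code nonce} for the implicit flow; it ties the ID token to the client's request and is the
     * replay mitigation when ID tokens are returned from the authorization endpoint.
     */
    @Test
    public void testWithImplicitTokenFlowNoNonce() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "id_token token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        String outcomeId = flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext)
                .getOutcome().getId();
        // TestNG's assertEquals takes (actual, expected); the original order produced a misleading failure message.
        Assert.assertEquals(outcomeId, "ErrorView");
    }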

    /**
     * {@code response_type=id_token token} requested with scope {@code profile} only.
     *
     * <p>An ID token is requested without the {@code openid} scope; expects an
     * {@code unsupported_response_type} error whose description contains
     * {@code Unsupported response}, and no issuer on the error response.
     */
    @Test
    public void testWithImplicitOidcFlowNoOpenIdScopeRequested() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "id_token token"),
                new Pair("scope", "profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        FlowExecutionResult result =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertErrorCode(result, "unsupported_response_type");
        assertErrorDescriptionContains(result, "Unsupported response");
        assertErrorResponseWithNoIssuer(result);
    }

    /**
     * {@code response_type=id_token token} requesting {@code openid profile} while the metadata
     * is stored with scope {@code profile} only.
     *
     * <p>Expects an {@code invalid_scope} error with no issuer on the error response: a client
     * must not obtain a scope beyond what was stored for it.
     */
    @Test
    public void testWithImplicitOidcFlowNoOpenIdScopeRegistered() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "id_token token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        // Registration deliberately lacks "openid".
        storeMetadata(storageService, clientId, clientSecret, Scope.parse("profile"), redirectUri);
        initializeThreadLocals();

        FlowExecutionResult result =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertErrorCode(result, "invalid_scope");
        assertErrorResponseWithNoIssuer(result);
    }

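    /**
     * {@code response_type=id_token token} request that omits both {@code redirect_uri} and
     * {@code nonce}.
     *
     * <p>Expects the flow to end with the {@code ErrorView} outcome. Without a usable redirect URI
     * the authorization server has nowhere safe to send an error, so it must not redirect
     * (RFC 6749, section 4.1.2.1). NOTE(review): because the nonce is missing as well, this test
     * alone does not show which of the two omissions triggers the error.
     */
    @Test
    public void testWithImplicitFlowNoRedirectURI() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "id_token token"),
                new Pair("scope", "openid profile")));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        String outcomeId = flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext)
                .getOutcome().getId();
        // TestNG's assertEquals takes (actual, expected); the original order produced a misleading failure message.
        Assert.assertEquals(outcomeId, "ErrorView");
    }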

    /**
     * Hybrid flow ({@code response_type=code id_token}) with a nonce.
     *
     * <p>Expects an ID token with {@code c_hash} but without {@code at_hash}, an authorization
     * code whose sid equals the ID token's sid, no access token and no {@code iss} value.
     */
    @Test
    public void testWithHybridIdTokenFlow() throws IOException, SessionException, ParseException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code id_token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        Assert.assertNotNull(response.getIDToken());
        // c_hash binds the ID token to the code issued with it; no access token, so no at_hash.
        Assert.assertNotNull(response.getIDToken().getJWTClaimsSet().getClaim("c_hash"));
        Assert.assertNull(response.getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        String idTokenSid = getSidFromIDToken(response);
        Assert.assertNotNull(idTokenSid);
        Assert.assertNull(response.getAccessToken());
        Assert.assertNotNull(response.getAuthorizationCode());
        // Code and ID token must refer to the same session.
        Assert.assertEquals(idTokenSid, getSidFromAuthorizeCodeClaimsSet(response));
        Assert.assertNull(response.getIssuer());
    }

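    /**
     * Hybrid flow ({@code response_type=code id_token}) request without a request object for the
     * client {@code mockClientIdRequestObjectEnforced}.
     *
     * <p>Expects the flow to end with the {@code ErrorView} outcome even though a nonce is
     * supplied. NOTE(review): the client is presumably configured outside this file to require a
     * request object — confirm against the test profile configuration.
     */
    @Test
    public void testWithHybridIdTokenFlowRequestObjectEnforcedNoRO() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdRequestObjectEnforced"),
                new Pair("response_type", "code id_token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, "mockClientIdRequestObjectEnforced", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        String outcomeId = flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext)
                .getOutcome().getId();
        // TestNG's assertEquals takes (actual, expected); the original order produced a misleading failure message.
        Assert.assertEquals(outcomeId, "ErrorView");
    }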

    /**
     * Hybrid flow ({@code response_type=code id_token}) for the client
     * {@code mockClientIdIssInResponse}.
     *
     * <p>Expects an ID token and an authorization code that share one sid, no access token, and a
     * response issuer equal to the expected OP issuer.
     */
    @Test
    public void testWithHybridIdTokenFlowIssInResponse() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdIssInResponse"),
                new Pair("response_type", "code id_token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientIdIssInResponse, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        Assert.assertNotNull(response.getIDToken());
        String idTokenSid = getSidFromIDToken(response);
        Assert.assertNotNull(idTokenSid);
        Assert.assertNull(response.getAccessToken());
        Assert.assertNotNull(response.getAuthorizationCode());
        // Code and ID token must refer to the same session.
        Assert.assertEquals(idTokenSid, getSidFromAuthorizeCodeClaimsSet(response));
        // Issuer must be present and must be exactly the OP's identifier.
        Assert.assertNotNull(response.getIssuer());
        Assert.assertEquals(response.getIssuer().getValue(), issuer);
    }

    /**
     * Hybrid flow ({@code response_type=code id_token}) with a {@code resource} request parameter.
     *
     * <p>Expects an authorization code whose sid equals the ID token's sid, no access token and no
     * {@code iss} value. NOTE(review): unlike the sibling hybrid tests, the ID token itself is
     * not asserted non-null before the sid is read from it.
     */
    @Test
    public void testWithHybridIdTokenFlowAndResource() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code id_token"),
                new Pair("scope", "openid profile"),
                new Pair("resource", resource),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        String idTokenSid = getSidFromIDToken(response);
        Assert.assertNotNull(idTokenSid);
        Assert.assertNull(response.getAccessToken());
        Assert.assertNotNull(response.getAuthorizationCode());
        // Code and ID token must refer to the same session.
        Assert.assertEquals(idTokenSid, getSidFromAuthorizeCodeClaimsSet(response));
        Assert.assertNull(response.getIssuer());
    }

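    /**
     * Hybrid flow ({@code response_type=code id_token}) request without a {@code nonce}.
     *
     * <p>Expects the flow to end with the {@code ErrorView} outcome: an ID token would be returned
     * from the authorization endpoint, and the nonce is what ties it to the client's request.
     */
    @Test
    public void testWithHybridIdTokenFlowNoNonce() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code id_token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        String outcomeId = flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext)
                .getOutcome().getId();
        // TestNG's assertEquals takes (actual, expected); the original order produced a misleading failure message.
        Assert.assertEquals(outcomeId, "ErrorView");
    }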

    /**
     * Hybrid flow ({@code response_type=code token}) sent without a nonce.
     *
     * <p>Expects no ID token, an access token and an authorization code that share one sid, and no
     * {@code iss} value. The access token is unsealed with the data sealer; its audience must be
     * the issuer alone and it must not contain {@code eduPersonScopedAffiliation}.
     */
    @Test
    public void testWithHybridTokenFlow() throws IOException, SessionException, ParseException, DataSealerException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse response = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(response.getRedirectionURI().toString(), redirectUri);
        // No ID token is returned from the authorization endpoint for "code token".
        Assert.assertNull(response.getIDToken());
        Assert.assertNotNull(response.getAccessToken());
        Assert.assertNotNull(response.getAuthorizationCode());
        // Access token and code must refer to the same session.
        Assert.assertEquals(
                getSidFromOpaqueAccessTokenClaimsSet(response),
                getSidFromAuthorizeCodeClaimsSet(response));

        AccessTokenClaimsSet accessTokenClaims =
                AccessTokenClaimsSet.parse(response.getAccessToken().getValue(), getDataSealer());
        Assert.assertEquals(accessTokenClaims.getAudience(), Collections.singletonList(issuer));
        Assert.assertNull(accessTokenClaims.getClaimsSet().getStringClaim("eduPersonScopedAffiliation"));
        Assert.assertNull(response.getIssuer());
    }

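    /**
     * Hybrid flow ({@code response_type=code token}) request without a request object for the
     * client {@code mockClientIdRequestObjectEnforced}.
     *
     * <p>Expects the flow to end with the {@code ErrorView} outcome even though a nonce is
     * supplied. NOTE(review): the client is presumably configured outside this file to require a
     * request object — confirm against the test profile configuration.
     */
    @Test
    public void testWithHybridTokenFlowRequestObjectEnforcedNoRO() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdRequestObjectEnforced"),
                new Pair("response_type", "code token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, "mockClientIdRequestObjectEnforced", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        String outcomeId = flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext)
                .getOutcome().getId();
        // TestNG's assertEquals takes (actual, expected); the original order produced a misleading failure message.
        Assert.assertEquals(outcomeId, "ErrorView");
    }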

    /**
     * Hybrid {@code code token} request whose {@code scope} parameter lacks {@code openid}.
     *
     * <p>Expects an {@code unsupported_response_type} error whose description contains
     * "Unsupported response", returned without an issuer parameter.
     */
    @Test
    public void testWithHybridTokenFlowNoOpenidScopeRequested() throws IOException, SessionException, ParseException, DataSealerException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code token"),
                new Pair("scope", "profile"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        FlowExecutionResult flowResult =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertErrorCode(flowResult, "unsupported_response_type");
        assertErrorDescriptionContains(flowResult, "Unsupported response");
        assertErrorResponseWithNoIssuer(flowResult);
    }

    /**
     * Hybrid {@code code token} request asking for {@code openid profile} while the stored client
     * metadata lists only the {@code profile} scope.
     *
     * <p>Expects an {@code invalid_scope} error returned without an issuer parameter.
     */
    @Test
    public void testWithHybridTokenFlowNoOpenidScopeRegistered() throws IOException, SessionException, ParseException, DataSealerException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        // Registered scope deliberately omits "openid".
        storeMetadata(storageService, clientId, clientSecret, Scope.parse("profile"), redirectUri);
        initializeThreadLocals();

        FlowExecutionResult flowResult =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertErrorCode(flowResult, "invalid_scope");
        assertErrorResponseWithNoIssuer(flowResult);
    }

    /**
     * Hybrid {@code code token} request that also names a {@code resource}.
     *
     * <p>Expects an authorization code and an access token, no ID token and no issuer parameter.
     * The access token is read as a JWT: its audience must be the resource followed by the issuer,
     * it must carry {@code eduPersonScopedAffiliation}, and its sid must equal the sid in the
     * authorization code.
     *
     * <p>NOTE(review): {@code SignedJWT.parse} only decodes the token; no signature verification is
     * performed in this test.
     */
    @Test
    public void testWithHybridTokenFlowAndResource() throws IOException, SessionException, ParseException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code token"),
                new Pair("scope", "openid profile"),
                new Pair("resource", resource),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNull(authResponse.getIDToken());
        Assert.assertNotNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNull(authResponse.getIssuer());
        Assert.assertEquals(
                getSidFromJWTAccessTokenClaimsSet(authResponse),
                getSidFromAuthorizeCodeClaimsSet(authResponse));

        JWTClaimsSet accessTokenClaims =
                SignedJWT.parse(authResponse.getAccessToken().getValue()).getJWTClaimsSet();
        Assert.assertEquals(accessTokenClaims.getAudience(), List.of(resource, issuer));
        Assert.assertNotNull(accessTokenClaims.getStringClaim("eduPersonScopedAffiliation"));
    }

    /**
     * Hybrid {@code code id_token token} request with a nonce.
     *
     * <p>Expects an ID token containing both {@code c_hash} and {@code at_hash}, an access token and
     * an authorization code, with no issuer parameter. The sealed access token must have the
     * issuer as its only audience, must not carry {@code eduPersonScopedAffiliation}, and must
     * share its sid with the authorization code.
     */
    @Test
    public void testWithHybridIdTokenTokenFlow() throws IOException, SessionException, ParseException, DataSealerException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code id_token token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNotNull(authResponse.getIDToken());
        // The ID token must bind the code and the access token issued alongside it.
        Assert.assertNotNull(authResponse.getIDToken().getJWTClaimsSet().getClaim("c_hash"));
        Assert.assertNotNull(authResponse.getIDToken().getJWTClaimsSet().getClaim("at_hash"));
        Assert.assertNotNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNull(authResponse.getIssuer());
        Assert.assertEquals(
                getSidFromOpaqueAccessTokenClaimsSet(authResponse),
                getSidFromAuthorizeCodeClaimsSet(authResponse));

        AccessTokenClaimsSet sealedTokenClaims =
                AccessTokenClaimsSet.parse(authResponse.getAccessToken().getValue(), getDataSealer());
        Assert.assertEquals(sealedTokenClaims.getAudience(), Collections.singletonList(issuer));
        Assert.assertNull(sealedTokenClaims.getClaimsSet().getStringClaim("eduPersonScopedAffiliation"));
    }

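    /**
     * Hybrid {@code code id_token token} request for {@code mockClientIdRequestObjectEnforced} that
     * carries no {@code request} parameter; the flow must end in the {@code ErrorView} outcome.
     *
     * <p>NOTE(review): the client is presumably configured to require a request object; that
     * configuration is not visible in this test.
     */
    @Test
    public void testWithHybridIdTokenTokenFlowRequestObjectEnforcedNoRO() throws IOException, SessionException {
        this.request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdRequestObjectEnforced"),
                new Pair("response_type", "code id_token token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", this.redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(this.storageService, "mockClientIdRequestObjectEnforced", this.clientSecret, this.scope, this.redirectUri);
        initializeThreadLocals();
        String outcomeId = this.flowExecutor
                .launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext)
                .getOutcome().getId();
        // Actual value first, matching the argument order of the other assertions in this class,
        // so a failure message does not swap the expected and the observed outcome.
        Assert.assertEquals(outcomeId, "ErrorView");
    }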

    /**
     * Hybrid {@code code id_token token} request whose {@code scope} parameter lacks
     * {@code openid}.
     *
     * <p>Expects an {@code unsupported_response_type} error whose description contains
     * "Unsupported response", returned without an issuer parameter.
     */
    @Test
    public void testWithHybridIdTokenTokenFlowNoOpenidScopeRequested() throws IOException, SessionException, ParseException, DataSealerException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code id_token token"),
                new Pair("scope", "profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        FlowExecutionResult flowResult =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertErrorCode(flowResult, "unsupported_response_type");
        assertErrorDescriptionContains(flowResult, "Unsupported response");
        assertErrorResponseWithNoIssuer(flowResult);
    }

    /**
     * Hybrid {@code code id_token token} request asking for {@code openid profile} while the stored
     * client metadata lists only the {@code profile} scope.
     *
     * <p>Expects an {@code invalid_scope} error returned without an issuer parameter.
     */
    @Test
    public void testWithHybridIdTokenTokenFlowNoOpenidScopeRegistered() throws IOException, SessionException, ParseException, DataSealerException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code id_token token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        // Registered scope deliberately omits "openid".
        storeMetadata(storageService, clientId, clientSecret, Scope.parse("profile"), redirectUri);
        initializeThreadLocals();

        FlowExecutionResult flowResult =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertErrorCode(flowResult, "invalid_scope");
        assertErrorResponseWithNoIssuer(flowResult);
    }

    /**
     * Hybrid {@code code id_token token} request for {@code mockClientIdCustomTokens}.
     *
     * <p>Expects an ID token, an access token and an authorization code that all share one sid.
     * The ID token must carry {@code custom_id_token_claim} = {@code value1}; the sealed access
     * token must carry {@code custom_access_token_claim} = {@code value2}, have the issuer as its
     * only audience and omit {@code eduPersonScopedAffiliation}.
     */
    @Test
    public void testWithHybridIdTokenTokenFlowWithCustomTokenClaim() throws IOException, SessionException, ParseException, DataSealerException, com.nimbusds.oauth2.sdk.ParseException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdCustomTokens"),
                new Pair("response_type", "code id_token token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientIdCustomTokens, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNotNull(authResponse.getIDToken());
        Assert.assertNotNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNull(authResponse.getIssuer());

        // All three artifacts must refer to the same session identifier.
        String accessTokenSid = getSidFromOpaqueAccessTokenClaimsSet(authResponse);
        String codeSid = getSidFromAuthorizeCodeClaimsSet(authResponse);
        String idTokenSid = getSidFromIDToken(authResponse);
        Assert.assertEquals(accessTokenSid, codeSid);
        Assert.assertEquals(codeSid, idTokenSid);

        IDTokenClaimsSet idTokenClaims = new IDTokenClaimsSet(authResponse.getIDToken().getJWTClaimsSet());
        Assert.assertNotNull(idTokenClaims);
        Assert.assertNotNull(idTokenClaims.getStringClaim("custom_id_token_claim"));
        Assert.assertEquals(idTokenClaims.getStringClaim("custom_id_token_claim"), "value1");

        AccessTokenClaimsSet sealedTokenClaims =
                AccessTokenClaimsSet.parse(authResponse.getAccessToken().getValue(), getDataSealer());
        Assert.assertEquals(sealedTokenClaims.getAudience(), Collections.singletonList(issuer));
        Assert.assertNull(sealedTokenClaims.getClaimsSet().getStringClaim("eduPersonScopedAffiliation"));
        String customAccessTokenClaim = sealedTokenClaims.getClaimsSet().getStringClaim("custom_access_token_claim");
        Assert.assertNotNull(customAccessTokenClaim);
        Assert.assertEquals(customAccessTokenClaim, "value2");
    }

    /**
     * Hybrid {@code code id_token token} request that also names a {@code resource}.
     *
     * <p>Expects an ID token, an access token and an authorization code sharing one sid, with no
     * issuer parameter. The access token is read as a JWT whose audience must be the resource
     * followed by the issuer and which must carry {@code eduPersonScopedAffiliation}.
     *
     * <p>NOTE(review): {@code SignedJWT.parse} only decodes the token; no signature verification is
     * performed in this test.
     */
    @Test
    public void testWithHybridIdTokenTokenFlowAndResource() throws IOException, SessionException, ParseException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code id_token token"),
                new Pair("scope", "openid profile"),
                new Pair("resource", resource),
                new Pair("redirect_uri", redirectUri),
                new Pair("nonce", "idhas3h23hi13h1o2i32")));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNotNull(authResponse.getIDToken());
        Assert.assertNotNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNull(authResponse.getIssuer());

        // All three artifacts must refer to the same session identifier.
        String accessTokenSid = getSidFromJWTAccessTokenClaimsSet(authResponse);
        String codeSid = getSidFromAuthorizeCodeClaimsSet(authResponse);
        String idTokenSid = getSidFromIDToken(authResponse);
        Assert.assertEquals(accessTokenSid, codeSid);
        Assert.assertEquals(codeSid, idTokenSid);

        JWTClaimsSet accessTokenClaims =
                SignedJWT.parse(authResponse.getAccessToken().getValue()).getJWTClaimsSet();
        Assert.assertEquals(accessTokenClaims.getAudience(), List.of(resource, issuer));
        Assert.assertNotNull(accessTokenClaims.getStringClaim("eduPersonScopedAffiliation"));
    }

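    /**
     * Hybrid {@code code id_token token} request sent without a {@code nonce} parameter; the flow
     * must end in the {@code ErrorView} outcome.
     */
    @Test
    public void testWithHybridIdTokenTokenFlowNoNonce() throws IOException, SessionException {
        this.request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code id_token token"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", this.redirectUri)));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, this.redirectUri);
        initializeThreadLocals();
        String outcomeId = this.flowExecutor
                .launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext)
                .getOutcome().getId();
        // Actual value first, matching the argument order of the other assertions in this class,
        // so a failure message does not swap the expected and the observed outcome.
        Assert.assertEquals(outcomeId, "ErrorView");
    }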

    /**
     * Authorization code request for {@code mockClientIdPKCEPlainUnforced} sent without any PKCE
     * parameters.
     *
     * <p>Expects success: an authorization code with a sid, and neither an ID token nor an access
     * token. The code issued here is therefore not bound to any code challenge.
     */
    @Test
    public void testWithAuthorizationCodeFlowUnforcedPKCE() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdPKCEPlainUnforced"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, "mockClientIdPKCEPlainUnforced", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNull(authResponse.getIDToken());
        Assert.assertNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(authResponse));
    }

    /**
     * Authorization code request for {@code mockClientIdPKCEPlain} sent without a
     * {@code code_challenge}.
     *
     * <p>Expects an {@code invalid_request} error whose description contains the text of
     * {@code OidcError.MISSING_PKCE_CODE_CHALLENGE}.
     */
    @Test
    public void testWithAuthorizationCodeFlowForcedPlainPKCEMissingChallenge() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdPKCEPlain"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, "mockClientIdPKCEPlain", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        FlowExecutionResult flowResult =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertErrorCode(flowResult, "invalid_request");
        assertErrorDescriptionContains(flowResult, OidcError.MISSING_PKCE_CODE_CHALLENGE.getDescription());
    }

    /**
     * Authorization code request for {@code mockClientIdPKCEPlain} with
     * {@code code_challenge_method=unsupported}.
     *
     * <p>Expects an {@code invalid_request} error whose description contains the text of
     * {@code OidcError.INVALID_PKCE_TRANSFORMATION_METHOD}.
     */
    @Test
    public void testWithAuthorizationCodeFlowForcedPlainPKCEUnknownChallenge() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdPKCEPlain"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("code_challenge", "osdfojsfod"),
                new Pair("code_challenge_method", "unsupported")));
        storeMetadata(storageService, "mockClientIdPKCEPlain", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        FlowExecutionResult flowResult =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertErrorCode(flowResult, "invalid_request");
        assertErrorDescriptionContains(flowResult, OidcError.INVALID_PKCE_TRANSFORMATION_METHOD.getDescription());
    }

    /**
     * Authorization code request for {@code mockClientIdPKCEPlain} with a {@code plain} code
     * challenge.
     *
     * <p>Expects success: an authorization code with a sid, and neither an ID token nor an access
     * token.
     *
     * <p>NOTE(review): the challenge used here is 10 characters long, below the 43-character
     * minimum of RFC 7636, and is accepted by the flow; confirm whether challenge length is meant
     * to be validated at this endpoint.
     */
    @Test
    public void testWithAuthorizationCodeFlowForcedPlainPKCEValidChallenge() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdPKCEPlain"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("code_challenge", "osdfojsfod"),
                new Pair("code_challenge_method", "plain")));
        storeMetadata(storageService, "mockClientIdPKCEPlain", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNull(authResponse.getIDToken());
        Assert.assertNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(authResponse));
    }

    /**
     * Authorization code request for {@code mockClientIdPKCES256} that tries the {@code plain}
     * challenge method.
     *
     * <p>Expects an {@code invalid_request} error whose description contains the text of
     * {@code OidcError.INVALID_PKCE_TRANSFORMATION_METHOD}, i.e. the weaker method is refused for
     * this client.
     */
    @Test
    public void testWithAuthorizationCodeFlowForcedS256PKCEPlainChallenge() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdPKCES256"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("code_challenge", "osdfojsfod"),
                new Pair("code_challenge_method", "plain")));
        storeMetadata(storageService, "mockClientIdPKCES256", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        FlowExecutionResult flowResult =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertErrorCode(flowResult, "invalid_request");
        assertErrorDescriptionContains(flowResult, OidcError.INVALID_PKCE_TRANSFORMATION_METHOD.getDescription());
    }

    /**
     * Authorization code request for {@code mockClientIdPKCES256} with
     * {@code code_challenge_method=unknown}.
     *
     * <p>Expects an {@code invalid_request} error whose description contains the text of
     * {@code OidcError.INVALID_PKCE_TRANSFORMATION_METHOD}.
     */
    @Test
    public void testWithAuthorizationCodeFlowForcedS256PKCEUnknownChallenge() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdPKCES256"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("code_challenge", "osdfojsfod"),
                new Pair("code_challenge_method", "unknown")));
        storeMetadata(storageService, "mockClientIdPKCES256", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        FlowExecutionResult flowResult =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertErrorCode(flowResult, "invalid_request");
        assertErrorDescriptionContains(flowResult, OidcError.INVALID_PKCE_TRANSFORMATION_METHOD.getDescription());
    }

    /**
     * Authorization code request for {@code mockClientIdPKCES256} with an {@code S256} code
     * challenge.
     *
     * <p>Expects success: an authorization code with a sid, and neither an ID token nor an access
     * token.
     *
     * <p>NOTE(review): the challenge used here is 10 characters long, so it cannot be a real
     * base64url-encoded SHA-256 digest (43 characters), yet the flow accepts it; confirm whether
     * the challenge format is meant to be validated at this endpoint.
     */
    @Test
    public void testWithAuthorizationCodeFlowForcedS256PKCEValidChallenge() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdPKCES256"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri),
                new Pair("code_challenge", "osdfojsfod"),
                new Pair("code_challenge_method", "S256")));
        storeMetadata(storageService, "mockClientIdPKCES256", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNull(authResponse.getIDToken());
        Assert.assertNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(authResponse));
    }

    /**
     * Authorization code request for a client whose metadata is stored with a {@code null} scope.
     *
     * <p>Expects an {@code invalid_scope} error returned without an issuer parameter.
     */
    @Test
    public void testWithAuthorizationCodeFlowNoScopesRegistered() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        // No scope is registered for the client.
        storeMetadata(storageService, clientId, clientSecret, null, redirectUri);
        initializeThreadLocals();

        FlowExecutionResult flowResult =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertErrorCode(flowResult, "invalid_scope");
        assertErrorResponseWithNoIssuer(flowResult);
    }

    /**
     * Authorization code request for {@code mockClientIdIssInResponse} whose metadata is stored
     * with a {@code null} scope.
     *
     * <p>Expects an {@code invalid_scope} error that, unlike the {@code mockClientId} variant,
     * includes the issuer in the error response.
     */
    @Test
    public void testWithAuthorizationCodeFlowNoScopesRegisteredIssInResponse() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdIssInResponse"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        // No scope is registered for the client.
        storeMetadata(storageService, clientIdIssInResponse, clientSecret, null, redirectUri);
        initializeThreadLocals();

        FlowExecutionResult flowResult =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertErrorCode(flowResult, "invalid_scope");
        assertErrorResponseWithIssuer(flowResult);
    }

    /**
     * Authorization code request with a {@code claims} parameter asking for an essential
     * {@code email} claim in the ID token.
     *
     * <p>Expects success with only an authorization code. The unsealed code must hold a claims
     * request with an ID token part (and no userinfo part) that lists {@code email} as
     * {@code ESSENTIAL}.
     */
    @Test
    public void testWithAuthorizationCodeFlowWithIDTokenClaims() throws IOException, SessionException, DataSealerException, ParseException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("claims", "{\"id_token\":{\"email\":{\"essential\":true}}}"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNull(authResponse.getIDToken());
        Assert.assertNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(authResponse));
        Assert.assertNull(authResponse.getIssuer());

        // The requested claims must survive inside the sealed authorization code.
        AuthorizeCodeClaimsSet codeClaims =
                AuthorizeCodeClaimsSet.parse(authResponse.getAuthorizationCode().getValue(), getDataSealer());
        Assert.assertNotNull(codeClaims.getClaimsRequest());
        Assert.assertNotNull(codeClaims.getClaimsRequest().getIDTokenClaimsRequest());
        Assert.assertNull(codeClaims.getClaimsRequest().getUserInfoClaimsRequest());
        Assert.assertTrue(codeClaims.getClaimsRequest().getIDTokenClaimsRequest().getClaimNames(false).contains("email"));
        ClaimsSetRequest.Entry emailEntry =
                codeClaims.getClaimsRequest().getIDTokenClaimsRequest().get("email", (LangTag) null);
        Assert.assertEquals(emailEntry.getClaimName(), "email");
        Assert.assertEquals(emailEntry.getClaimRequirement(), ClaimRequirement.ESSENTIAL);
    }

    /**
     * Authorization code request with a {@code claims} parameter asking for an essential
     * {@code email} claim from the userinfo endpoint.
     *
     * <p>Expects success with only an authorization code. The unsealed code must hold a claims
     * request with a userinfo part (and no ID token part) that lists {@code email} as
     * {@code ESSENTIAL}.
     */
    @Test
    public void testWithAuthorizationCodeFlowWithUIClaims() throws IOException, SessionException, DataSealerException, ParseException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("claims", "{\"userinfo\":{\"email\":{\"essential\":true}}}"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNull(authResponse.getIDToken());
        Assert.assertNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(authResponse));
        Assert.assertNull(authResponse.getIssuer());

        // The requested claims must survive inside the sealed authorization code.
        AuthorizeCodeClaimsSet codeClaims =
                AuthorizeCodeClaimsSet.parse(authResponse.getAuthorizationCode().getValue(), getDataSealer());
        Assert.assertNotNull(codeClaims.getClaimsRequest());
        Assert.assertNull(codeClaims.getClaimsRequest().getIDTokenClaimsRequest());
        Assert.assertNotNull(codeClaims.getClaimsRequest().getUserInfoClaimsRequest());
        Assert.assertTrue(codeClaims.getClaimsRequest().getUserInfoClaimsRequest().getClaimNames(false).contains("email"));
        ClaimsSetRequest.Entry emailEntry =
                codeClaims.getClaimsRequest().getUserInfoClaimsRequest().get("email", (LangTag) null);
        Assert.assertEquals(emailEntry.getClaimName(), "email");
        Assert.assertEquals(emailEntry.getClaimRequirement(), ClaimRequirement.ESSENTIAL);
    }

    /**
     * Authorization code request for {@code mockClientIdCustomTokens}.
     *
     * <p>Expects success with only an authorization code; the unsealed code must carry
     * {@code custom_code_claim} = {@code value1}.
     */
    @Test
    public void testWithAuthorizationCodeFlowWithCustomClaimInCode() throws IOException, SessionException, DataSealerException, ParseException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdCustomTokens"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("claims", "{\"userinfo\":{\"email\":{\"essential\":true}}}"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientIdCustomTokens, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNull(authResponse.getIDToken());
        Assert.assertNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(authResponse));
        Assert.assertNull(authResponse.getIssuer());

        Object customCodeClaim = AuthorizeCodeClaimsSet
                .parse(authResponse.getAuthorizationCode().getValue(), getDataSealer())
                .getClaimsSet()
                .getClaim("custom_code_claim");
        Assert.assertNotNull(customCodeClaim);
        Assert.assertEquals(customCodeClaim, "value1");
    }

    /**
     * Authorization code request for {@code mockSamlClientId}.
     *
     * <p>Metadata is stored only under the {@code clientId} field, not under the requested client
     * id, so the client is presumably resolved from SAML metadata configured elsewhere (not
     * visible here). Expects success with only an authorization code and no issuer parameter.
     */
    @Test
    public void testWithAuthorizationCodeFlowUsingSAMLMetadata() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockSamlClientId"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNull(authResponse.getIDToken());
        Assert.assertNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(authResponse));
        Assert.assertNull(authResponse.getIssuer());
    }

    /**
     * Authorization code request from {@code notTrusted}, a client id for which this test stores
     * no metadata.
     *
     * <p>Expects the flow to finish in the {@code ErrorView} outcome. The test asserts only the
     * outcome id; it does not check whether anything is sent to the supplied {@code redirect_uri}.
     */
    @Test
    public void testWithAuthorizationCodeFlowUsingUntrustedRP() throws IOException, SessionException {
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "notTrusted"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", redirectUri)));
        initializeThreadLocals();

        FlowExecutionResult flowResult =
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext);

        assertFlowExecutionResult(flowResult, FLOW_ID);
        Assert.assertEquals(flowResult.getOutcome().getId(), "ErrorView");
    }

    /**
     * Unsecured (plain) request object whose {@code exp} lies five minutes in the past; the
     * request must be rejected by {@code assertRequestObjectError}.
     */
    @Test
    public void testWithPlainReqObjectExpired() throws IOException, SessionException {
        Date expiredAt = Date.from(Instant.now().minus((TemporalAmount) Duration.ofMinutes(5L)));
        JWTClaimsSet requestClaims = new JWTClaimsSet.Builder().expirationTime(expiredAt).build();
        assertRequestObjectError(new PlainJWT(requestClaims));
    }

    /**
     * Unsecured (plain) request object whose {@code nbf} lies five minutes in the future; the
     * request must be rejected by {@code assertRequestObjectError}.
     */
    @Test
    public void testWithPlainReqObjectNbfInFuture() throws IOException, SessionException {
        Date notBefore = Date.from(Instant.now().plus((TemporalAmount) Duration.ofMinutes(5L)));
        JWTClaimsSet requestClaims = new JWTClaimsSet.Builder().notBeforeTime(notBefore).build();
        assertRequestObjectError(new PlainJWT(requestClaims));
    }

    /**
     * Request whose query string carries {@code redirect_uri=https://invalid.org/cb} while an
     * unsecured (plain) request object carries the registered redirect URI.
     *
     * <p>Expects success on the registered URI, i.e. the request object value replaces the query
     * parameter. Only an authorization code is returned and no issuer parameter.
     *
     * <p>NOTE(review): the overriding value equals the URI passed to {@code storeMetadata}, so this
     * test does not show how an unregistered URI inside an unsecured request object is handled.
     */
    @Test
    public void testWithPlainReqObjectOverwriteRedirectUri() throws IOException, SessionException {
        JWTClaimsSet requestClaims = new JWTClaimsSet.Builder().claim("redirect_uri", redirectUri).build();
        PlainJWT requestObject = new PlainJWT(requestClaims);
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientId"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", "https://invalid.org/cb"),
                new Pair("request", requestObject.serialize())));
        storeMetadata(storageService, clientId, clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNull(authResponse.getIDToken());
        Assert.assertNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(authResponse));
        Assert.assertNull(authResponse.getIssuer());
    }

    /**
     * Same redirect URI override as {@code testWithPlainReqObjectOverwriteRedirectUri}, but for
     * {@code mockClientIdRequestObjectEnforced}.
     *
     * <p>Expects success on the registered URI with only an authorization code and no issuer
     * parameter.
     *
     * <p>NOTE(review): the request object is an unsecured JWT and is accepted for this client, so
     * requiring a request object does not by itself require a signed one here; confirm that
     * clients needing integrity protection also register a signing algorithm.
     */
    @Test
    public void testWithPlainReqObjectOverwriteRedirectUriROEnforced() throws IOException, SessionException {
        JWTClaimsSet requestClaims = new JWTClaimsSet.Builder().claim("redirect_uri", redirectUri).build();
        PlainJWT requestObject = new PlainJWT(requestClaims);
        request.setMethod("GET");
        setRequestParameters(List.of(
                new Pair("client_id", "mockClientIdRequestObjectEnforced"),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", "https://invalid.org/cb"),
                new Pair("request", requestObject.serialize())));
        storeMetadata(storageService, "mockClientIdRequestObjectEnforced", clientSecret, scope, redirectUri);
        initializeThreadLocals();

        AuthenticationSuccessResponse authResponse = parseSuccessResponse(
                flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, externalContext),
                AuthenticationResponse.class).toSuccessResponse();

        Assert.assertEquals(authResponse.getRedirectionURI().toString(), redirectUri);
        Assert.assertNull(authResponse.getIDToken());
        Assert.assertNull(authResponse.getAccessToken());
        Assert.assertNotNull(authResponse.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(authResponse));
        Assert.assertNull(authResponse.getIssuer());
    }

    /**
     * Wraps the sample claims-request payload in an unsecured {@link PlainJWT} and expects
     * the flow to succeed, with the requested claims recoverable from the authorization code.
     */
    @Test
    public void testWithPlainReqObjectClaimsRequest() throws IOException, SessionException, DataSealerException, ParseException {
        final String payload = getRequestObjectWithClaimsRequestPayload(this.clientId, this.redirectUri);
        final PlainJWT unsecuredRequestObject = new PlainJWT(JWTClaimsSet.parse(payload));
        assertSuccessRequestObjectWithClaimsRequestResponse(unsecuredRequestObject);
    }

    /**
     * A request object signed with the client secret but lacking the {@code iss} claim must
     * end in the error outcome.
     */
    @Test
    public void testWithHS256SignedReqObjectNoIssuer() throws IOException, SessionException, JOSEException {
        // Only the audience is set; the issuer claim is left out on purpose.
        final JWTClaimsSet claimsWithoutIssuer = new JWTClaimsSet.Builder()
                .audience(this.issuer)
                .build();
        final SignedJWT requestObject = createSecretJWT(claimsWithoutIssuer, this.clientSecret);
        assertRequestObjectError(requestObject);
    }

    /**
     * A request object signed with the client secret but lacking the {@code aud} claim must
     * end in the error outcome.
     */
    @Test
    public void testWithHS256SignedReqObjectNoAudience() throws IOException, SessionException, JOSEException {
        // Only the issuer is set; the audience claim is left out on purpose.
        final JWTClaimsSet claimsWithoutAudience = new JWTClaimsSet.Builder()
                .issuer(this.clientId)
                .build();
        final SignedJWT requestObject = createSecretJWT(claimsWithoutAudience, this.clientSecret);
        assertRequestObjectError(requestObject);
    }

    /**
     * A request object whose {@code iss} claim is {@code "invalid"} instead of the client id
     * must end in the error outcome, even though the audience and secret are the expected ones.
     */
    @Test
    public void testWithHS256SignedReqObjectWrongIssuer() throws IOException, SessionException, JOSEException {
        final JWTClaimsSet claimsWithForeignIssuer = new JWTClaimsSet.Builder()
                .audience(this.issuer)
                .issuer("invalid")
                .build();
        final SignedJWT requestObject = createSecretJWT(claimsWithForeignIssuer, this.clientSecret);
        assertRequestObjectError(requestObject);
    }

    /**
     * A request object whose {@code aud} claim is {@code https://invalid.org} instead of the
     * issuer value used by the other tests must end in the error outcome.
     */
    @Test
    public void testWithHS256SignedReqObjectWrongAudience() throws IOException, SessionException, JOSEException {
        final JWTClaimsSet claimsWithForeignAudience = new JWTClaimsSet.Builder()
                .audience("https://invalid.org")
                .issuer(this.clientId)
                .build();
        final SignedJWT requestObject = createSecretJWT(claimsWithForeignAudience, this.clientSecret);
        assertRequestObjectError(requestObject);
    }

    /**
     * A request object with the expected issuer and audience, but signed with a secret that
     * differs from the one stored for the client, must end in the error outcome.
     */
    @Test
    public void testWithHS256SignedReqObjectWrongSecret() throws IOException, SessionException, JOSEException {
        final JWTClaimsSet validClaims = new JWTClaimsSet.Builder()
                .audience(this.issuer)
                .issuer(this.clientId)
                .build();
        // The claims are fine; only the signing secret deviates from the registered one.
        final SignedJWT requestObject = createSecretJWT(validClaims, this.clientSecret + "wrong");
        assertRequestObjectError(requestObject);
    }

    /**
     * An RS256 request object signed with {@code rsaPrivateKey} must end in the error outcome
     * when the public key stored for the client comes from a freshly generated, unrelated
     * key pair.
     */
    @Test
    public void testWithRS256SignedReqObjectWrongKey() throws IOException, SessionException, JOSEException, NoSuchAlgorithmException {
        final JWTClaimsSet validClaims = new JWTClaimsSet.Builder()
                .audience(this.issuer)
                .issuer(this.clientId)
                .build();
        assertRequestObjectError(
                createPrivateKeyJWT(validClaims, this.rsaPrivateKey, JWSAlgorithm.RS256),
                null,
                // Public half of a different key pair than the one used for signing.
                (RSAPublicKey) generateNewKeyPair().getPublic());
    }

    /**
     * An RS256 request object must end in the error outcome when no public key at all is
     * passed on to the client metadata.
     */
    @Test
    public void testWithRS256SignedReqObjectNoTrustedKey() throws IOException, SessionException, JOSEException, NoSuchAlgorithmException {
        final JWTClaimsSet validClaims = new JWTClaimsSet.Builder()
                .audience(this.issuer)
                .issuer(this.clientId)
                .build();
        // The single-argument helper stores metadata with neither an algorithm nor a key.
        assertRequestObjectError(
                createPrivateKeyJWT(validClaims, this.rsaPrivateKey, JWSAlgorithm.RS256));
    }

    /**
     * An ES256 request object signed with {@code ecKey} must end in the error outcome when
     * the public key stored for the client comes from a separately initialized P-256 key.
     */
    @Test
    public void testWithES256SignedReqObjectWrongKey() throws IOException, SessionException, JOSEException, NoSuchAlgorithmException {
        final JWTClaimsSet validClaims = new JWTClaimsSet.Builder()
                .audience(this.issuer)
                .issuer(this.clientId)
                .build();
        assertRequestObjectError(
                createPrivateKeyJWT(validClaims, this.ecKey.toECPrivateKey(), JWSAlgorithm.ES256),
                null,
                // Public half of another EC key, not the one used for signing.
                initializeECKey(Curve.P_256, "321").toECPublicKey());
    }

    /**
     * An ES256 request object must end in the error outcome when no public key at all is
     * passed on to the client metadata.
     */
    @Test
    public void testWithES256SignedReqObjectNoTrustedKey() throws IOException, SessionException, JOSEException, NoSuchAlgorithmException {
        final JWTClaimsSet validClaims = new JWTClaimsSet.Builder()
                .audience(this.issuer)
                .issuer(this.clientId)
                .build();
        // The single-argument helper stores metadata with neither an algorithm nor a key.
        assertRequestObjectError(
                createPrivateKeyJWT(validClaims, this.ecKey.toECPrivateKey(), JWSAlgorithm.ES256));
    }

    /**
     * Sends a request object signed with the client secret whose {@code redirect_uri} claim
     * is the registered URI, while the query parameter carries {@code https://invalid.org/cb}.
     *
     * <p>The flow is expected to succeed with an authorization code only, redirected to the
     * registered URI, so the signed value wins over the query parameter.</p>
     */
    @Test
    public void testWithHS256SignedReqObjectOverwriteRedirectUri() throws IOException, ParseException, SessionException, JOSEException {
        final JWTClaimsSet requestObjectClaims = new JWTClaimsSet.Builder()
                .audience(this.issuer)
                .issuer(this.clientId)
                .claim("redirect_uri", this.redirectUri)
                .build();
        final SignedJWT signedRequestObject = createSecretJWT(requestObjectClaims, this.clientSecret);

        this.request.setMethod("GET");
        final List<Pair<String, String>> queryParameters = List.of(
                new Pair<>("client_id", "mockClientId"),
                new Pair<>("response_type", "code"),
                new Pair<>("scope", "openid profile"),
                // Deliberately not the registered redirect URI.
                new Pair<>("redirect_uri", "https://invalid.org/cb"),
                new Pair<>("request", signedRequestObject.serialize()));
        setRequestParameters(queryParameters);
        // presumably this.clientId equals "mockClientId" used in the query above; verify against the fixture setup
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, this.redirectUri);
        initializeThreadLocals();

        final FlowExecutionResult flowResult =
                this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext);
        final AuthenticationSuccessResponse authzResponse =
                parseSuccessResponse(flowResult, AuthenticationResponse.class).toSuccessResponse();

        // The redirect must go to the registered URI, not to the one in the query string.
        Assert.assertEquals(authzResponse.getRedirectionURI().toString(), this.redirectUri);
        // Code flow: only an authorization code is issued, no tokens and no issuer parameter.
        Assert.assertNull(authzResponse.getIDToken());
        Assert.assertNull(authzResponse.getAccessToken());
        Assert.assertNotNull(authzResponse.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(authzResponse));
        Assert.assertNull(authzResponse.getIssuer());
    }

    /**
     * TestNG factory producing the issued-JWT security tests for ID tokens fetched from this
     * flow: one signed-JWT test and two encrypted-JWT tests.
     *
     * @return the three test instances, in the order signed, encrypted (true, false),
     *         encrypted (true, true)
     */
    @Factory
    public Object[] createIdTokenSecurityTests() {
        final AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE fetchingType =
                AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE.AUTHORIZE_ID_TOKEN;
        final Object[] securityTests = new Object[3];
        securityTests[0] = new IssuedSignedJWTTest(fetchingType, FLOW_ID);
        // The meaning of the two boolean flags is defined by IssuedEncryptedJWTTest, not visible here.
        securityTests[1] = new IssuedEncryptedJWTTest(fetchingType, FLOW_ID, true, false);
        securityTests[2] = new IssuedEncryptedJWTTest(fetchingType, FLOW_ID, true, true);
        return securityTests;
    }

    /**
     * TestNG factory producing the issued-JWT security tests for access tokens fetched from
     * this flow: one signed-JWT test and two encrypted-JWT tests.
     *
     * @return the three test instances, in the order signed, encrypted (true, false),
     *         encrypted (true, true)
     */
    @Factory
    public Object[] createAccessTokenSecurityTests() {
        final AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE fetchingType =
                AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE.AUTHORIZE_ACCESS_TOKEN;
        final Object[] securityTests = new Object[3];
        securityTests[0] = new IssuedSignedJWTTest(fetchingType, FLOW_ID);
        // The meaning of the two boolean flags is defined by IssuedEncryptedJWTTest, not visible here.
        securityTests[1] = new IssuedEncryptedJWTTest(fetchingType, FLOW_ID, true, false);
        securityTests[2] = new IssuedEncryptedJWTTest(fetchingType, FLOW_ID, true, true);
        return securityTests;
    }

    /**
     * TestNG factory producing the request-object security tests: the JWS test with both
     * values of its flag, and the JWE test with all four combinations of its two flags.
     *
     * @return the six test instances
     */
    @Factory
    public Object[] createRequestObjectSecurityTests() {
        // The meaning of the boolean flags is defined by the test classes, not visible here.
        final Object[] securityTests = new Object[6];
        securityTests[0] = new RequestObjectJWSTest(true);
        securityTests[1] = new RequestObjectJWSTest(false);
        securityTests[2] = new RequestObjectJWETest(false, false);
        securityTests[3] = new RequestObjectJWETest(false, true);
        securityTests[4] = new RequestObjectJWETest(true, false);
        securityTests[5] = new RequestObjectJWETest(true, true);
        return securityTests;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the JSON payload of a sample request object that asks for {@code given_name} in
     * the ID token and {@code family_name} from userinfo, both marked essential.
     *
     * <p>The nonce, state, code challenge and the {@code aud} value
     * ({@code https://op.example.org}) are fixed sample values. The two arguments are inserted
     * verbatim without JSON escaping, so a value containing a quote or backslash would produce
     * malformed JSON. Pass only plain identifiers and URIs.</p>
     *
     * @param str  value used for both the {@code iss} and the {@code client_id} member
     * @param str2 value used for the {@code redirect_uri} member
     * @return the JSON text, pretty-printed with two-space indentation and no trailing newline
     */
    public static String getRequestObjectWithClaimsRequestPayload(String str, String str2) {
        return String.join("\n",
                "{",
                "  \"iss\": \"" + str + "\",",
                "  \"response_type\": \"code\",",
                "  \"code_challenge_method\": \"S256\",",
                "  \"nonce\": \"k5r-Uwjw0KKr18XiKD2VbiLtD2adwt85_HiSvzBi8FI\",",
                "  \"client_id\": \"" + str + "\",",
                "  \"aud\": \"https://op.example.org\",",
                "  \"scope\": \"openid profile offline_access\",",
                "  \"claims\": {",
                "    \"id_token\": {",
                "      \"given_name\": {",
                "        \"essential\": true",
                "      }",
                "    },",
                "    \"userinfo\": {",
                "      \"family_name\": {",
                "        \"essential\": true",
                "      }",
                "    }",
                "  },",
                "  \"redirect_uri\": \"" + str2 + "\",",
                "  \"state\": \"81c33d57-59c7-4b41-9a15-80e2ed1482e21646857349537\",",
                "  \"code_challenge\": \"MiAR-UxCj6oVyPatcUnrb3MGEZbwLKBmIRSoOKLLTl0\"",
                "}");
    }

    /**
     * Convenience overload that passes no JWS algorithm on to the client metadata.
     *
     * @param jwt the request object to send
     */
    protected void assertSuccessRequestObjectWithClaimsRequestResponse(JWT jwt) throws ParseException, DataSealerException, IOException {
        final JWSAlgorithm noSigningAlgorithm = null;
        assertSuccessRequestObjectWithClaimsRequestResponse(jwt, noSigningAlgorithm);
    }

    /**
     * Convenience overload that passes no public key on to the client metadata.
     *
     * @param jwt          the request object to send
     * @param jWSAlgorithm the JWS algorithm handed to the metadata, may be {@code null}
     */
    protected void assertSuccessRequestObjectWithClaimsRequestResponse(JWT jwt, JWSAlgorithm jWSAlgorithm) throws ParseException, DataSealerException, IOException {
        final PublicKey noVerificationKey = null;
        assertSuccessRequestObjectWithClaimsRequestResponse(jwt, jWSAlgorithm, noVerificationKey);
    }

    /**
     * Convenience overload that passes no JWE algorithm and no encryption method on to the
     * client metadata.
     *
     * @param jwt          the request object to send
     * @param jWSAlgorithm the JWS algorithm handed to the metadata, may be {@code null}
     * @param publicKey    the public key handed to the metadata, may be {@code null}
     */
    protected void assertSuccessRequestObjectWithClaimsRequestResponse(JWT jwt, JWSAlgorithm jWSAlgorithm, PublicKey publicKey) throws ParseException, DataSealerException, IOException {
        final JWEAlgorithm noKeyManagementAlgorithm = null;
        final EncryptionMethod noEncryptionMethod = null;
        assertSuccessRequestObjectWithClaimsRequestResponse(
                jwt, jWSAlgorithm, publicKey, noKeyManagementAlgorithm, noEncryptionMethod);
    }

    /**
     * Serializes the given JWT and delegates to the overload taking the compact string form.
     *
     * @param jwt              the request object to send
     * @param jWSAlgorithm     the JWS algorithm handed to the metadata, may be {@code null}
     * @param publicKey        the public key handed to the metadata, may be {@code null}
     * @param jWEAlgorithm     the JWE algorithm handed to the metadata, may be {@code null}
     * @param encryptionMethod the encryption method handed to the metadata, may be {@code null}
     */
    protected void assertSuccessRequestObjectWithClaimsRequestResponse(JWT jwt, JWSAlgorithm jWSAlgorithm, PublicKey publicKey, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod) throws ParseException, DataSealerException, IOException {
        final String serializedRequestObject = jwt.serialize();
        assertSuccessRequestObjectWithClaimsRequestResponse(
                serializedRequestObject, jWSAlgorithm, publicKey, jWEAlgorithm, encryptionMethod);
    }

    /**
     * Runs the flow with the given serialized request object and asserts a successful code
     * response whose authorization code carries the claims request from the sample payload.
     *
     * <p>Checked: the redirect goes to the registered URI; only an authorization code is
     * returned (no ID token, no access token, no issuer); the code contains a session
     * identifier; and, after unwrapping the code with the data sealer, {@code family_name}
     * (userinfo) and {@code given_name} (ID token) are both present and marked essential.</p>
     *
     * @param str              the request object in serialized form
     * @param jWSAlgorithm     the JWS algorithm handed to the metadata, may be {@code null}
     * @param publicKey        the public key handed to the metadata, may be {@code null}
     * @param jWEAlgorithm     the JWE algorithm handed to the metadata, may be {@code null}
     * @param encryptionMethod the encryption method handed to the metadata, may be {@code null}
     */
    protected void assertSuccessRequestObjectWithClaimsRequestResponse(String str, JWSAlgorithm jWSAlgorithm, PublicKey publicKey, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod) throws ParseException, DataSealerException, IOException {
        this.request.setMethod("GET");
        final List<Pair<String, String>> queryParameters = List.of(
                new Pair<>("client_id", "mockClientId"),
                new Pair<>("response_type", "code"),
                new Pair<>("scope", "openid profile"),
                new Pair<>("redirect_uri", this.redirectUri),
                new Pair<>("request", str));
        setRequestParameters(queryParameters);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, jWSAlgorithm, publicKey, jWEAlgorithm, encryptionMethod, this.redirectUri);
        initializeThreadLocals();

        final FlowExecutionResult flowResult =
                this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext);
        final AuthenticationSuccessResponse authzResponse =
                parseSuccessResponse(flowResult, AuthenticationResponse.class).toSuccessResponse();

        // Shape of a plain code-flow success response.
        Assert.assertEquals(authzResponse.getRedirectionURI().toString(), this.redirectUri);
        Assert.assertNull(authzResponse.getIDToken());
        Assert.assertNull(authzResponse.getAccessToken());
        Assert.assertNotNull(authzResponse.getAuthorizationCode());
        Assert.assertNotNull(getSidFromAuthorizeCodeClaimsSet(authzResponse));
        Assert.assertNull(authzResponse.getIssuer());

        // Unwrap the authorization code to inspect the claims request stored inside it.
        final AuthorizeCodeClaimsSet codeClaims =
                AuthorizeCodeClaimsSet.parse(authzResponse.getAuthorizationCode().getValue(), getDataSealer());
        Assert.assertNotNull(codeClaims.getClaimsRequest());
        final ClaimsSetRequest idTokenRequest = codeClaims.getClaimsRequest().getIDTokenClaimsRequest();
        Assert.assertNotNull(idTokenRequest);
        final ClaimsSetRequest userInfoRequest = codeClaims.getClaimsRequest().getUserInfoClaimsRequest();
        Assert.assertNotNull(userInfoRequest);
        Assert.assertTrue(userInfoRequest.getClaimNames(false).contains("family_name"));
        Assert.assertTrue(idTokenRequest.getClaimNames(false).contains("given_name"));

        final ClaimsSetRequest.Entry familyName = userInfoRequest.get("family_name", (LangTag) null);
        Assert.assertEquals(familyName.getClaimName(), "family_name");
        Assert.assertEquals(familyName.getClaimRequirement(), ClaimRequirement.ESSENTIAL);

        final ClaimsSetRequest.Entry givenName = idTokenRequest.get("given_name", (LangTag) null);
        Assert.assertEquals(givenName.getClaimName(), "given_name");
        Assert.assertEquals(givenName.getClaimRequirement(), ClaimRequirement.ESSENTIAL);
    }

    /**
     * Convenience overload that passes no JWS algorithm on to the client metadata.
     *
     * @param jwt the request object expected to be rejected
     */
    protected void assertRequestObjectError(JWT jwt) throws IOException {
        final JWSAlgorithm noSigningAlgorithm = null;
        assertRequestObjectError(jwt, noSigningAlgorithm);
    }

    /**
     * Convenience overload that passes no public key on to the client metadata.
     *
     * @param jwt          the request object expected to be rejected
     * @param jWSAlgorithm the JWS algorithm handed to the metadata, may be {@code null}
     */
    protected void assertRequestObjectError(JWT jwt, JWSAlgorithm jWSAlgorithm) throws IOException {
        final PublicKey noVerificationKey = null;
        assertRequestObjectError(jwt, jWSAlgorithm, noVerificationKey);
    }

    /**
     * Serializes the given JWT and delegates to the string-based overload with no JWE
     * algorithm and no encryption method.
     *
     * @param jwt          the request object expected to be rejected
     * @param jWSAlgorithm the JWS algorithm handed to the metadata, may be {@code null}
     * @param publicKey    the public key handed to the metadata, may be {@code null}
     */
    protected void assertRequestObjectError(JWT jwt, JWSAlgorithm jWSAlgorithm, PublicKey publicKey) throws IOException {
        final String serializedRequestObject = jwt.serialize();
        assertRequestObjectError(
                serializedRequestObject, jWSAlgorithm, publicKey, (JWEAlgorithm) null, (EncryptionMethod) null);
    }

    /**
     * Runs the flow with the given serialized request object and asserts that it finishes
     * with the outcome id {@code ErrorView}.
     *
     * <p>NOTE(review): {@code jWEAlgorithm} and {@code encryptionMethod} are accepted but not
     * forwarded to {@code storeMetadata}, unlike in the success helper. Confirm this is
     * intended: an encrypted request object could otherwise be rejected because the
     * encryption settings are missing rather than for the reason the caller is testing.</p>
     *
     * @param str              the request object in serialized form
     * @param jWSAlgorithm     the JWS algorithm handed to the metadata, may be {@code null}
     * @param publicKey        the public key handed to the metadata, may be {@code null}
     * @param jWEAlgorithm     currently unused
     * @param encryptionMethod currently unused
     */
    protected void assertRequestObjectError(String str, JWSAlgorithm jWSAlgorithm, PublicKey publicKey, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod) throws IOException {
        this.request.setMethod("GET");
        final List<Pair<String, String>> queryParameters = List.of(
                new Pair<>("client_id", "mockClientId"),
                new Pair<>("response_type", "code"),
                new Pair<>("scope", "openid profile"),
                new Pair<>("redirect_uri", this.redirectUri),
                new Pair<>("request", str));
        setRequestParameters(queryParameters);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, jWSAlgorithm, publicKey, this.redirectUri);
        initializeThreadLocals();

        final FlowExecutionResult flowResult =
                this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext);
        assertFlowExecutionResult(flowResult, FLOW_ID);
        Assert.assertEquals(flowResult.getOutcome().getId(), "ErrorView");
    }

    /**
     * Asserts that the flow result parses to an error response that does not carry an issuer.
     *
     * @param flowExecutionResult the result of the flow execution to inspect
     */
    protected void assertErrorResponseWithNoIssuer(FlowExecutionResult flowExecutionResult) {
        final AuthenticationErrorResponse errorResponse = parseResponse(flowExecutionResult);
        Assert.assertFalse(errorResponse.indicatesSuccess());
        // Always true for the declared type; kept as in the original assertions.
        Assert.assertTrue(errorResponse instanceof AuthenticationErrorResponse);
        Assert.assertNull(errorResponse.getIssuer());
    }

    /**
     * Asserts that the flow result parses to an error response whose issuer is present and
     * equal to the {@code issuer} field of this test.
     *
     * @param flowExecutionResult the result of the flow execution to inspect
     */
    protected void assertErrorResponseWithIssuer(FlowExecutionResult flowExecutionResult) {
        final AuthenticationErrorResponse errorResponse = parseResponse(flowExecutionResult);
        Assert.assertFalse(errorResponse.indicatesSuccess());
        // Always true for the declared type; kept as in the original assertions.
        Assert.assertTrue(errorResponse instanceof AuthenticationErrorResponse);
        Assert.assertNotNull(errorResponse.getIssuer());
        Assert.assertEquals(errorResponse.getIssuer().getValue(), this.issuer);
    }

    /**
     * Extracts the session identifier from the authorization code of a success response.
     *
     * <p>The code value is unwrapped with the data sealer from {@code getDataSealer()}. A code
     * without a session identifier fails the assertion inside this method. A code that cannot
     * be parsed or unsealed yields {@code null} instead.</p>
     *
     * <p>NOTE(review): the parse and unseal exceptions are dropped. Callers that wrap this in
     * {@code assertNotNull} will fail without the underlying cause.</p>
     *
     * @param authenticationSuccessResponse the response carrying the authorization code
     * @return the session identifier, or {@code null} when the code cannot be parsed or unsealed
     */
    protected String getSidFromAuthorizeCodeClaimsSet(AuthenticationSuccessResponse authenticationSuccessResponse) {
        Assert.assertNotNull(authenticationSuccessResponse.getAuthorizationCode());
        final String sealedCode = authenticationSuccessResponse.getAuthorizationCode().getValue();
        final AuthorizeCodeClaimsSet codeClaims;
        try {
            codeClaims = AuthorizeCodeClaimsSet.parse(sealedCode, getDataSealer());
        } catch (ParseException | DataSealerException e) {
            return null;
        }
        final String sessionId = codeClaims.getSessionIdentifier();
        Assert.assertNotNull(sessionId);
        return sessionId;
    }

    /**
     * Extracts the session identifier from an opaque access token of a success response.
     *
     * <p>The token value is unwrapped with the data sealer from {@code getDataSealer()}. A
     * token without a session identifier fails the assertion inside this method. A token that
     * cannot be parsed or unsealed yields {@code null} instead.</p>
     *
     * <p>NOTE(review): the parse and unseal exceptions are dropped. Callers that wrap this in
     * {@code assertNotNull} will fail without the underlying cause.</p>
     *
     * @param authenticationSuccessResponse the response carrying the access token
     * @return the session identifier, or {@code null} when the token cannot be parsed or unsealed
     */
    protected String getSidFromOpaqueAccessTokenClaimsSet(AuthenticationSuccessResponse authenticationSuccessResponse) {
        Assert.assertNotNull(authenticationSuccessResponse.getAccessToken());
        final String sealedToken = authenticationSuccessResponse.getAccessToken().getValue();
        final AccessTokenClaimsSet tokenClaims;
        try {
            tokenClaims = AccessTokenClaimsSet.parse(sealedToken, getDataSealer());
        } catch (ParseException | DataSealerException e) {
            return null;
        }
        final String sessionId = tokenClaims.getSessionIdentifier();
        Assert.assertNotNull(sessionId);
        return sessionId;
    }

    /**
     * Reads the {@code sid} claim from a JWT-formatted access token of a success response.
     *
     * <p>The token is only parsed here and its signature is not verified, so this helper says
     * nothing about the token's authenticity. It is a claim lookup for test assertions. A
     * token without a {@code sid} claim fails the assertion inside this method. A value that
     * does not parse yields {@code null} instead.</p>
     *
     * @param authenticationSuccessResponse the response carrying the access token
     * @return the {@code sid} claim, or {@code null} when the token or the claim cannot be parsed
     */
    protected String getSidFromJWTAccessTokenClaimsSet(AuthenticationSuccessResponse authenticationSuccessResponse) {
        Assert.assertNotNull(authenticationSuccessResponse.getAccessToken());
        final String compactToken = authenticationSuccessResponse.getAccessToken().getValue();
        try {
            final JWTClaimsSet tokenClaims = SignedJWT.parse(compactToken).getJWTClaimsSet();
            final String sessionId = tokenClaims.getStringClaim("sid");
            Assert.assertNotNull(sessionId);
            // Read again as in the original; the second lookup sits inside the same try block.
            return tokenClaims.getStringClaim("sid");
        } catch (ParseException e) {
            return null;
        }
    }

    /**
     * Reads the {@code sid} claim from the ID token of a success response.
     *
     * <p>The response must contain an ID token, otherwise the assertion inside this method
     * fails. Unlike the other {@code getSidFrom...} helpers, the claim itself is not asserted,
     * so {@code null} is returned when the lookup yields no value or when the claims cannot be
     * parsed.</p>
     *
     * @param authenticationSuccessResponse the response carrying the ID token
     * @return the {@code sid} claim value, possibly {@code null}
     */
    protected String getSidFromIDToken(AuthenticationSuccessResponse authenticationSuccessResponse) {
        final JWT idToken = authenticationSuccessResponse.getIDToken();
        Assert.assertNotNull(idToken);
        String sessionId;
        try {
            sessionId = idToken.getJWTClaimsSet().getStringClaim("sid");
        } catch (ParseException e) {
            sessionId = null;
        }
        return sessionId;
    }

    /**
     * Applies the given name/value pairs to this test's mock HTTP request.
     *
     * @param list the parameters to set, in the order they should appear in the query string
     */
    protected void setRequestParameters(List<Pair<String, String>> list) {
        final MockHttpServletRequest targetRequest = this.request;
        setRequestParameters(targetRequest, list);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Adds each pair as a request parameter and rebuilds the query string from the same pairs.
     *
     * <p>Each pair contributes {@code name=value&} to the query string. Only the value is
     * URL-encoded (UTF-8); the name is appended as given, and the final {@code &} is not
     * trimmed. Names containing reserved characters would therefore produce a query string
     * that disagrees with the parameter map.</p>
     *
     * @param mockHttpServletRequest the mock request to populate
     * @param list                   the parameters to set, in query-string order
     */
    public static void setRequestParameters(MockHttpServletRequest mockHttpServletRequest, List<Pair<String, String>> list) {
        final StringBuilder query = new StringBuilder();
        for (final Pair<String, String> parameter : list) {
            final String name = parameter.getFirst();
            final String value = parameter.getSecond();
            mockHttpServletRequest.addParameter(name, value);
            try {
                // Encode before appending so a failure leaves no half-written pair behind.
                final String encodedValue = URLEncoder.encode(value, "UTF-8");
                query.append(name).append("=").append(encodedValue).append("&");
            } catch (UnsupportedEncodingException e) {
                Assert.fail(e.getMessage());
            }
        }
        mockHttpServletRequest.setQueryString(query.toString());
    }

    /**
     * Removes the client metadata entries that tests in this class may have stored, so that
     * no registration leaks from one test method into the next.
     *
     * @throws IOException if removal from the storage service fails
     */
    @AfterMethod
    public void removeMetadata() throws IOException {
        removeMetadata(this.storageService, this.clientId);
        // Fixed client ids used by individual tests, removed in the original order.
        final String[] fixedClientIds = {
            "mockClientIdPKCEPlainUnforced",
            "mockClientIdPKCEPlain",
            "mockClientIdPKCES256",
            "mockClientIdCustomTokens",
            "mockClientIdRequestObjectEnforced",
        };
        for (final String fixedClientId : fixedClientIds) {
            removeMetadata(this.storageService, fixedClientId);
        }
        removeMetadata(this.storageService, this.clientIdIssInResponse);
    }
}
