package org.keycloak.protocol.oidc;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.keycloak.OAuthErrorException;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.Time;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.ProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.protocol.oidc.utils.WebOriginsUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.7.0.Final.jar:org/keycloak/protocol/oidc/TokenManager.class */
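/**
 * Issues, transforms and re-validates the OIDC tokens (access, refresh/offline, ID) of a realm.
 *
 * <p>This listing was recovered from {@code keycloak-services-1.7.0.Final.jar}; published member
 * names are kept as they were (including the misspelled {@link #dettachClientSession}).
 *
 * <p>Every token handed out here is signed with the realm RSA private key ({@link #encodeToken}),
 * and every token accepted on refresh is first checked against the realm public key with
 * {@link RSAProvider#verify} before any of its claims are read.
 */
public class TokenManager {
    protected static final Logger logger = Logger.getLogger(TokenManager.class);

    /**
     * Assembles one {@link AccessTokenResponse} for a client session: an access token, an optional
     * refresh (or offline) token and an optional ID token. Each {@code generate*} step records the
     * token it produced, and {@link #build()} signs whatever was generated.
     *
     * <p>Not thread-safe: one instance per request.
     */
    public class AccessTokenResponseBuilder {
        RealmModel realm;
        ClientModel client;
        EventBuilder event;
        KeycloakSession session;
        UserSessionModel userSession;
        ClientSessionModel clientSession;
        AccessToken accessToken;
        RefreshToken refreshToken;
        IDToken idToken;

        public AccessTokenResponseBuilder(RealmModel realmModel, ClientModel clientModel, EventBuilder eventBuilder, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
            this.realm = realmModel;
            this.client = clientModel;
            this.event = eventBuilder;
            this.session = keycloakSession;
            this.userSession = userSessionModel;
            this.clientSession = clientSessionModel;
        }

        /** Uses an already-built access token (e.g. the re-evaluated one from a refresh). */
        public AccessTokenResponseBuilder accessToken(AccessToken accessToken) {
            this.accessToken = accessToken;
            return this;
        }

        /** Uses an already-built refresh token instead of generating one. */
        public AccessTokenResponseBuilder refreshToken(RefreshToken refreshToken) {
            this.refreshToken = refreshToken;
            return this;
        }

        /**
         * Creates the access token for the session user, with the roles allowed by the client
         * scope and the {@code scope} note of the client session.
         */
        public AccessTokenResponseBuilder generateAccessToken() {
            UserModel user = userSession.getUser();
            Set<RoleModel> roles = getAccess(clientSession.getNote("scope"), true, client, user);
            accessToken = createClientAccessToken(session, roles, realm, client, user, userSession, clientSession);
            return this;
        }

        /**
         * Derives a refresh token from the access token. When the {@code scope} note asks for an
         * offline token, the request is rejected unless {@link UserSessionManager#isOfflineTokenAllowed}
         * permits it, and the offline session is persisted; otherwise the refresh token expires with
         * the realm SSO idle timeout.
         *
         * @throws IllegalStateException if no access token was generated or supplied
         * @throws ErrorResponseException (400) if an offline token is requested but not allowed
         */
        public AccessTokenResponseBuilder generateRefreshToken() {
            if (accessToken == null) {
                throw new IllegalStateException("accessToken not set");
            }
            boolean offlineRequested = TokenUtil.isOfflineTokenRequested(clientSession.getNote("scope"));
            if (offlineRequested) {
                UserSessionManager sessionManager = new UserSessionManager(session);
                if (!sessionManager.isOfflineTokenAllowed(clientSession)) {
                    event.error(Errors.NOT_ALLOWED);
                    throw new ErrorResponseException(Errors.NOT_ALLOWED, "Offline tokens not allowed for the user or client", Response.Status.BAD_REQUEST);
                }
                refreshToken = new RefreshToken(accessToken);
                refreshToken.type(TokenUtil.TOKEN_TYPE_OFFLINE);
                // No idle-timeout expiration is set for offline tokens; their lifetime is bounded by
                // the offline session instead (see validateToken).
                sessionManager.createOrUpdateOfflineSession(clientSession, userSession);
            } else {
                refreshToken = new RefreshToken(accessToken);
                refreshToken.expiration(Time.currentTime() + realm.getSsoSessionIdleTimeout());
            }
            refreshToken.id(KeycloakModelUtils.generateId());
            refreshToken.issuedNow();
            return this;
        }

        /**
         * Creates the ID token, copying subject, issuer, issued-for, nonce, session state and
         * expiration from the access token, then runs the client's ID-token protocol mappers.
         *
         * @throws IllegalStateException if no access token was generated or supplied
         */
        public AccessTokenResponseBuilder generateIDToken() {
            if (accessToken == null) {
                throw new IllegalStateException("accessToken not set");
            }
            idToken = new IDToken();
            idToken.id(KeycloakModelUtils.generateId());
            idToken.type(TokenUtil.TOKEN_TYPE_ID);
            idToken.subject(accessToken.getSubject());
            idToken.audience(client.getClientId());
            idToken.issuedNow();
            idToken.issuedFor(accessToken.getIssuedFor());
            idToken.issuer(accessToken.getIssuer());
            idToken.setNonce(accessToken.getNonce());
            idToken.setSessionState(accessToken.getSessionState());
            idToken.expiration(accessToken.getExpiration());
            transformIDToken(session, idToken, realm, client, userSession.getUser(), userSession, clientSession);
            return this;
        }

        /**
         * Signs the generated tokens with the realm private key, records their ids on the event and
         * fills in the remaining response fields (expiry seconds, session state, not-before policy).
         *
         * @return the response; tokens that were not generated are simply left unset
         */
        public AccessTokenResponse build() {
            if (accessToken != null) {
                event.detail(Details.TOKEN_ID, accessToken.getId());
            }
            if (refreshToken != null) {
                // On a refresh the event already carries the incoming refresh token id, so the
                // newly issued one is logged under a separate key.
                boolean refreshAlreadyLogged = event.getEvent().getDetails().containsKey(Details.REFRESH_TOKEN_ID);
                event.detail(refreshAlreadyLogged ? Details.UPDATED_REFRESH_TOKEN_ID : Details.REFRESH_TOKEN_ID, refreshToken.getId());
                event.detail(Details.REFRESH_TOKEN_TYPE, refreshToken.getType());
            }
            AccessTokenResponse response = new AccessTokenResponse();
            int now = Time.currentTime();
            if (idToken != null) {
                response.setIdToken(encodeToken(realm, idToken));
            }
            if (accessToken != null) {
                response.setToken(encodeToken(realm, accessToken));
                response.setTokenType("bearer");
                response.setSessionState(accessToken.getSessionState());
                // expiration == 0 means "no expiration" (see initToken); expires_in is then omitted.
                if (accessToken.getExpiration() != 0) {
                    response.setExpiresIn(accessToken.getExpiration() - now);
                }
            }
            if (refreshToken != null) {
                response.setRefreshToken(encodeToken(realm, refreshToken));
                if (refreshToken.getExpiration() != 0) {
                    response.setRefreshExpiresIn(refreshToken.getExpiration() - now);
                }
            }
            // The client learns the stricter of the realm and client not-before policies so it can
            // discard tokens issued before either revocation point.
            response.setNotBeforePolicy(Math.max(realm.getNotBefore(), client.getNotBefore()));
            return response;
        }
    }

    /** Result of {@link #refreshAccessToken}: the new response plus whether it came from an offline token. */
    public static class RefreshResult {
        private final AccessTokenResponse response;
        private final boolean offlineToken;

        private RefreshResult(AccessTokenResponse accessTokenResponse, boolean offlineToken) {
            this.response = accessTokenResponse;
            this.offlineToken = offlineToken;
        }

        public AccessTokenResponse getResponse() {
            return this.response;
        }

        /** {@code true} when the refresh token presented was of type {@link TokenUtil#TOKEN_TYPE_OFFLINE}. */
        public boolean isOfflineToken() {
            return this.offlineToken;
        }
    }

    /**
     * Result of {@link #validateToken}: the resolved user and sessions, plus {@code newToken}, a
     * freshly built access token reflecting the user's <em>current</em> roles.
     */
    public static class TokenValidation {
        public final UserModel user;
        public final UserSessionModel userSession;
        public final ClientSessionModel clientSession;
        public final AccessToken newToken;

        public TokenValidation(UserModel userModel, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel, AccessToken accessToken) {
            this.user = userModel;
            this.userSession = userSessionModel;
            this.clientSession = clientSessionModel;
            this.newToken = accessToken;
        }
    }

    /**
     * Adds {@code scopedRole} to {@code granted} if {@code userRole} implies it, otherwise
     * descends into its composites and tries each of them. {@code visited} prevents revisiting a
     * role (and thus cycles) across the recursion.
     *
     * @param userRole   a role the user holds
     * @param scopedRole a role the client is allowed to see
     * @param visited    roles already examined in this walk; mutated
     * @param granted    output set of roles to put in the token; mutated
     */
    public static void applyScope(RoleModel userRole, RoleModel scopedRole, Set<RoleModel> visited, Set<RoleModel> granted) {
        // add() is false when the role was already visited — same test as contains()+add().
        if (!visited.add(scopedRole)) {
            return;
        }
        if (userRole.hasRole(scopedRole)) {
            granted.add(scopedRole);
            return;
        }
        if (scopedRole.isComposite()) {
            for (RoleModel child : scopedRole.getComposites()) {
                applyScope(userRole, child, visited, granted);
            }
        }
    }

    /**
     * Re-validates a previously issued token (used for refresh tokens) against current server state:
     * user still exists and is enabled, the user/offline session is still valid, the client session
     * referenced by the token still exists and belongs to the client the token was issued for, and
     * the token post-dates the client and realm not-before marks. Finally a new access token is built
     * from the user's current roles and {@link #verifyAccess} rejects the old token if it carries
     * any role the user no longer has — a refresh can therefore never re-grant revoked roles.
     *
     * <p>An invalid (non-offline) user session is terminated with a backchannel logout before the
     * error is raised.
     *
     * @return the resolved user, sessions and the freshly built access token
     * @throws OAuthErrorException {@code invalid_grant} for every failed check
     */
    public TokenValidation validateToken(KeycloakSession keycloakSession, UriInfo uriInfo, ClientConnection clientConnection, RealmModel realmModel, AccessToken accessToken, HttpHeaders httpHeaders) throws OAuthErrorException {
        UserModel user = keycloakSession.users().getUserById(accessToken.getSubject(), realmModel);
        if (user == null) {
            throw new OAuthErrorException("invalid_grant", "Invalid refresh token", "Unknown user");
        }
        if (!user.isEnabled()) {
            throw new OAuthErrorException("invalid_grant", "User disabled", "User disabled");
        }

        UserSessionModel userSession = null;
        ClientSessionModel clientSession = null;
        if (TokenUtil.TOKEN_TYPE_OFFLINE.equals(accessToken.getType())) {
            UserSessionManager sessionManager = new UserSessionManager(keycloakSession);
            clientSession = sessionManager.findOfflineClientSession(realmModel, accessToken.getClientSession(), accessToken.getSessionState());
            if (clientSession != null) {
                userSession = clientSession.getUserSession();
                // Offline sessions are not bound by the SSO timeouts; enforce the offline idle timeout here.
                if (userSession.getLastSessionRefresh() < Time.currentTime() - realmModel.getOfflineSessionIdleTimeout()) {
                    sessionManager.revokeOfflineUserSession(userSession);
                    userSession = null;
                    clientSession = null;
                }
            }
        } else {
            userSession = keycloakSession.sessions().getUserSession(realmModel, accessToken.getSessionState());
            // NOTE(review): userSession may be null here; isSessionValid/backchannelLogout are
            // assumed to tolerate that — confirm in AuthenticationManager.
            if (!AuthenticationManager.isSessionValid(realmModel, userSession)) {
                AuthenticationManager.backchannelLogout(keycloakSession, realmModel, userSession, uriInfo, clientConnection, httpHeaders, true);
                throw new OAuthErrorException("invalid_grant", "Session not active", "Session not active");
            }
            for (ClientSessionModel candidate : userSession.getClientSessions()) {
                if (candidate.getId().equals(accessToken.getClientSession())) {
                    clientSession = candidate;
                    break;
                }
            }
        }
        if (clientSession == null) {
            throw new OAuthErrorException("invalid_grant", "Client session not active", "Client session not active");
        }

        ClientModel client = clientSession.getClient();
        if (!client.getClientId().equals(accessToken.getIssuedFor())) {
            throw new OAuthErrorException("invalid_grant", "Unmatching clients", "Unmatching clients");
        }
        if (accessToken.getIssuedAt() < client.getNotBefore()) {
            throw new OAuthErrorException("invalid_grant", "Stale token");
        }
        if (accessToken.getIssuedAt() < realmModel.getNotBefore()) {
            throw new OAuthErrorException("invalid_grant", "Stale token");
        }

        Set<RoleModel> currentRoles = getAccess(clientSession.getNote("scope"), true, client, user);
        AccessToken newToken = createClientAccessToken(keycloakSession, currentRoles, realmModel, client, user, userSession, clientSession);
        verifyAccess(accessToken, newToken);
        return new TokenValidation(user, userSession, clientSession, newToken);
    }

    /**
     * Exchanges an encoded refresh token for a new token response.
     *
     * <p>Steps: verify signature/expiry/not-before ({@link #verifyRefreshToken}), re-validate the
     * session and roles ({@link #validateToken}), require that the authenticated client is the one
     * the client session belongs to, apply the realm's "revoke refresh token" rule, then touch both
     * sessions and issue a new access, ID and refresh token.
     *
     * @param str           the encoded (JWS) refresh token presented by the client
     * @param eventBuilder  receives user, session and token ids for the audit event
     * @throws OAuthErrorException {@code invalid_grant} when any check fails
     */
    public RefreshResult refreshAccessToken(KeycloakSession keycloakSession, UriInfo uriInfo, ClientConnection clientConnection, RealmModel realmModel, ClientModel clientModel, String str, EventBuilder eventBuilder, HttpHeaders httpHeaders) throws OAuthErrorException {
        RefreshToken refreshToken = verifyRefreshToken(realmModel, str);
        eventBuilder.user(refreshToken.getSubject())
                .session(refreshToken.getSessionState())
                .detail(Details.REFRESH_TOKEN_ID, refreshToken.getId())
                .detail(Details.REFRESH_TOKEN_TYPE, refreshToken.getType());

        TokenValidation validation = validateToken(keycloakSession, uriInfo, clientConnection, realmModel, refreshToken, httpHeaders);
        // The client that authenticated for this request must own the client session in the token;
        // otherwise one client could refresh another client's tokens.
        if (!validation.clientSession.getClient().getId().equals(clientModel.getId())) {
            throw new OAuthErrorException("invalid_grant", "Invalid refresh token. Token client and authorized client don't match");
        }

        int now = Time.currentTime();
        if (realmModel.isRevokeRefreshToken()) {
            // A refresh token issued before the client session was last refreshed has already been
            // used once and is rejected. Sessions whose timestamp equals the server startup time are
            // exempt — presumably sessions restored at startup; verify against UserSessionProvider.
            int serverStartupTimestamp = (int) (keycloakSession.getKeycloakSessionFactory().getServerStartupTimestamp() / 1000);
            int lastRefresh = validation.clientSession.getTimestamp();
            if (refreshToken.getIssuedAt() < lastRefresh && serverStartupTimestamp != lastRefresh) {
                throw new OAuthErrorException("invalid_grant", "Stale token");
            }
        }
        validation.clientSession.setTimestamp(now);
        validation.userSession.setLastSessionRefresh(now);

        AccessTokenResponse response = responseBuilder(realmModel, clientModel, eventBuilder, keycloakSession, validation.userSession, validation.clientSession)
                .accessToken(validation.newToken)
                .generateIDToken()
                .generateRefreshToken()
                .build();
        boolean offline = TokenUtil.TOKEN_TYPE_OFFLINE.equals(refreshToken.getType());
        return new RefreshResult(response, offline);
    }

    /**
     * Decodes a refresh token after verifying its RSA signature with the realm public key, and
     * rejects it if expired (an expiration of 0 means "never") or issued before the realm not-before.
     *
     * @param str the encoded (JWS) token
     * @throws OAuthErrorException {@code invalid_grant} on bad signature, malformed input, expiry or staleness
     */
    public RefreshToken verifyRefreshToken(RealmModel realmModel, String str) throws OAuthErrorException {
        try {
            JWSInput input = new JWSInput(str);
            // Signature first: no claim is trusted until the signature checks out.
            if (!RSAProvider.verify(input, realmModel.getPublicKey())) {
                throw new OAuthErrorException("invalid_grant", "Invalid refresh token");
            }
            RefreshToken token = input.readJsonContent(RefreshToken.class);
            if (token.getExpiration() != 0 && token.isExpired()) {
                throw new OAuthErrorException("invalid_grant", "Refresh token expired");
            }
            if (token.getIssuedAt() < realmModel.getNotBefore()) {
                throw new OAuthErrorException("invalid_grant", "Stale refresh token");
            }
            return token;
        } catch (JWSInputException e) {
            throw new OAuthErrorException("invalid_grant", "Invalid refresh token", e);
        }
    }

    /**
     * Decodes an ID token after verifying its RSA signature with the realm public key, and rejects
     * it if expired or issued before the realm not-before.
     *
     * @param str the encoded (JWS) token
     * @throws OAuthErrorException {@code invalid_grant} on bad signature, malformed input, expiry or staleness
     */
    public IDToken verifyIDToken(RealmModel realmModel, String str) throws OAuthErrorException {
        try {
            JWSInput input = new JWSInput(str);
            if (!RSAProvider.verify(input, realmModel.getPublicKey())) {
                throw new OAuthErrorException("invalid_grant", "Invalid IDToken");
            }
            IDToken token = input.readJsonContent(IDToken.class);
            // Unlike verifyRefreshToken there is no expiration==0 exemption here; how isExpired()
            // treats a zero expiration is defined in IDToken/JsonWebToken, not visible here.
            if (token.isExpired()) {
                throw new OAuthErrorException("invalid_grant", "IDToken expired");
            }
            if (token.getIssuedAt() < realmModel.getNotBefore()) {
                throw new OAuthErrorException("invalid_grant", "Stale IDToken");
            }
            return token;
        } catch (JWSInputException e) {
            throw new OAuthErrorException("invalid_grant", "Invalid IDToken", e);
        }
    }

    /**
     * Builds an (unsigned) access token for the client: base claims from {@link #initToken}, the
     * given roles and their composites as realm/resource access, then the client's access-token
     * protocol mappers.
     *
     * @param set the roles to grant (normally the result of {@link #getAccess})
     */
    public AccessToken createClientAccessToken(KeycloakSession keycloakSession, Set<RoleModel> set, RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        AccessToken token = initToken(realmModel, clientModel, userModel, userSessionModel, clientSessionModel, keycloakSession.getContext().getUri());
        for (RoleModel role : set) {
            addComposites(token, role);
        }
        return transformAccessToken(keycloakSession, token, realmModel, clientModel, userModel, userSessionModel, clientSessionModel);
    }

    /**
     * Links a client session to a user session and snapshots the role ids and protocol-mapper ids
     * that apply to it; user-session notes staged on the client session are copied over. A client
     * session that already has a user session is left untouched.
     */
    public static void attachClientSession(UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        if (clientSessionModel.getUserSession() != null) {
            return;
        }
        UserModel user = userSessionModel.getUser();
        clientSessionModel.setUserSession(userSessionModel);

        Set<String> roleIds = new HashSet<>();
        for (RoleModel role : getAccess(clientSessionModel.getNote("scope"), true, clientSessionModel.getClient(), user)) {
            roleIds.add(role.getId());
        }
        clientSessionModel.setRoles(roleIds);

        // Only mappers of the protocol the session authenticated with are recorded.
        Set<String> mapperIds = new HashSet<>();
        for (ProtocolMapperModel mapper : clientSessionModel.getClient().getProtocolMappers()) {
            if (mapper.getProtocol().equals(clientSessionModel.getAuthMethod())) {
                mapperIds.add(mapper.getId());
            }
        }
        clientSessionModel.setProtocolMappers(mapperIds);

        for (Map.Entry<String, String> note : clientSessionModel.getUserSessionNotes().entrySet()) {
            userSessionModel.setNote(note.getKey(), note.getValue());
        }
    }

    /**
     * Unlinks a client session from its user session, clearing the snapshot taken by
     * {@link #attachClientSession}; the user session is removed when no client sessions remain.
     * (Name kept as published.)
     */
    public static void dettachClientSession(UserSessionProvider userSessionProvider, RealmModel realmModel, ClientSessionModel clientSessionModel) {
        UserSessionModel userSession = clientSessionModel.getUserSession();
        if (userSession == null) {
            return;
        }
        clientSessionModel.setUserSession(null);
        clientSessionModel.setRoles(null);
        clientSessionModel.setProtocolMappers(null);
        if (userSession.getClientSessions().isEmpty()) {
            userSessionProvider.removeUserSession(realmModel, userSession);
        }
    }

    /**
     * Adds the role mappings of {@code groupModel} and of every ancestor group to {@code set}.
     *
     * @param set output set; mutated
     */
    public static void addGroupRoles(GroupModel groupModel, Set<RoleModel> set) {
        set.addAll(groupModel.getRoleMappings());
        if (groupModel.getParentId() == null) {
            return;
        }
        addGroupRoles(groupModel.getParent(), set);
    }

    /**
     * Computes the roles a token for {@code userModel} at {@code clientModel} may carry.
     *
     * <ol>
     *   <li>Collect the user's direct role mappings plus those of all its groups (and ancestors).</li>
     *   <li>If the client is not full-scope, keep only roles reachable through the client's scope
     *       mappings and own roles ({@link #applyScope}).</li>
     *   <li>If {@code z} is set, apply the OAuth {@code scope} parameter ({@code str}, space
     *       separated): roles flagged scope-param-required are dropped unless named; and any role
     *       named in the parameter that one of the kept roles implies is added.</li>
     * </ol>
     *
     * @param str         the raw {@code scope} request parameter, may be {@code null}
     * @param z           whether to apply the {@code scope} parameter filtering at all
     * @return a new mutable set of roles
     */
    public static Set<RoleModel> getAccess(String str, boolean z, ClientModel clientModel, UserModel userModel) {
        Set<RoleModel> userRoles = new HashSet<>(userModel.getRoleMappings());
        for (GroupModel group : userModel.getGroups()) {
            addGroupRoles(group, userRoles);
        }

        Set<RoleModel> granted;
        if (clientModel.isFullScopeAllowed()) {
            granted = userRoles;
        } else {
            granted = new HashSet<>();
            // Copy before extending: never mutate the collection the model handed us.
            Set<RoleModel> clientScope = new HashSet<>(clientModel.getScopeMappings());
            clientScope.addAll(clientModel.getRoles());
            for (RoleModel userRole : userRoles) {
                for (RoleModel scopedRole : clientScope) {
                    applyScope(userRole, scopedRole, new HashSet<RoleModel>(), granted);
                }
            }
        }
        if (!z) {
            return granted;
        }

        List<String> requestedScopes = str != null ? Arrays.asList(str.split(" ")) : Collections.<String>emptyList();
        Set<RoleModel> result = new HashSet<>();
        for (RoleModel role : granted) {
            String scopeName = getRoleNameForScopeParam(role);
            if (!role.isScopeParamRequired() || requestedScopes.contains(scopeName)) {
                result.add(role);
            } else if (logger.isTraceEnabled()) {
                logger.tracef("Role '%s' excluded by scope param. Client is '%s', User is '%s', Scope param is '%s' ", role.getName(), clientModel.getClientId(), userModel.getUsername(), str);
            }
        }
        // A requested role that is implied (via composites) by a role the user keeps is granted too.
        // Collected separately because result is being iterated.
        Set<RoleModel> impliedRequested = new HashSet<>();
        for (String requested : requestedScopes) {
            RoleModel requestedRole = getRoleFromScopeParam(clientModel.getRealm(), requested);
            if (requestedRole == null) {
                continue;
            }
            for (RoleModel kept : result) {
                if (kept.hasRole(requestedRole)) {
                    impliedRequested.add(requestedRole);
                    break;
                }
            }
        }
        result.addAll(impliedRequested);
        return result;
    }

    /** Name of a role as it appears in the {@code scope} parameter: {@code role} or {@code clientId/role}. */
    private static String getRoleNameForScopeParam(RoleModel roleModel) {
        if (roleModel.getContainer() instanceof RealmModel) {
            return roleModel.getName();
        }
        return ((ClientModel) roleModel.getContainer()).getClientId() + "/" + roleModel.getName();
    }

    /**
     * Inverse of {@link #getRoleNameForScopeParam}: resolves {@code role} to a realm role and
     * {@code clientId/role} to a client role (any further {@code /}-separated parts are ignored).
     *
     * @return the role, or {@code null} if the client does not exist
     */
    private static RoleModel getRoleFromScopeParam(RealmModel realmModel, String str) {
        String[] parts = str.split("/");
        if (parts.length == 1) {
            return realmModel.getRole(parts[0]);
        }
        ClientModel client = realmModel.getClientByClientId(parts[0]);
        return client != null ? client.getRole(parts[1]) : null;
    }

    /**
     * Ensures every realm and client role present in {@code accessToken} is also present in
     * {@code accessToken2} (the freshly computed token); used on refresh so that revoked roles or
     * removed scope mappings cannot be carried forward.
     *
     * @throws OAuthErrorException {@code invalid_grant} naming the first missing role
     */
    public void verifyAccess(AccessToken accessToken, AccessToken accessToken2) throws OAuthErrorException {
        if (accessToken.getRealmAccess() != null) {
            if (accessToken2.getRealmAccess() == null) {
                throw new OAuthErrorException("invalid_grant", "User no long has permission for realm roles");
            }
            for (String role : accessToken.getRealmAccess().getRoles()) {
                if (!accessToken2.getRealmAccess().getRoles().contains(role)) {
                    throw new OAuthErrorException("invalid_grant", "User no long has permission for realm role: " + role);
                }
            }
        }
        if (accessToken.getResourceAccess() != null) {
            for (Map.Entry<String, AccessToken.Access> entry : accessToken.getResourceAccess().entrySet()) {
                AccessToken.Access current = accessToken2.getResourceAccess(entry.getKey());
                if (current == null) {
                    if (!entry.getValue().getRoles().isEmpty()) {
                        throw new OAuthErrorException("invalid_grant", "User or client no longer has role permissions for client key: " + entry.getKey());
                    }
                    continue; // old token held no roles for this client, so nothing can be lost
                }
                for (String role : entry.getValue().getRoles()) {
                    if (!current.getRoles().contains(role)) {
                        throw new OAuthErrorException("invalid_grant", "User no long has permission for client role " + role);
                    }
                }
            }
        }
    }

    /**
     * Runs every requested protocol mapper of the client session that implements
     * {@link OIDCAccessTokenMapper} over the token, chaining their results.
     *
     * @return the token returned by the last mapper (the input token if there are none)
     */
    public AccessToken transformAccessToken(KeycloakSession keycloakSession, AccessToken accessToken, RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        Set<ProtocolMapperModel> mappers = new ClientSessionCode(realmModel, clientSessionModel).getRequestedProtocolMappers();
        KeycloakSessionFactory factory = keycloakSession.getKeycloakSessionFactory();
        AccessToken token = accessToken;
        for (ProtocolMapperModel mapperModel : mappers) {
            ProtocolMapper mapper = (ProtocolMapper) factory.getProviderFactory(ProtocolMapper.class, mapperModel.getProtocolMapper());
            if (mapper instanceof OIDCAccessTokenMapper) {
                token = ((OIDCAccessTokenMapper) mapper).transformAccessToken(token, mapperModel, keycloakSession, userSessionModel, clientSessionModel);
            }
        }
        return token;
    }

    /**
     * Runs every requested protocol mapper of the client session that implements
     * {@link OIDCIDTokenMapper} over the ID token. The method returns nothing, so callers only see
     * changes a mapper makes to the passed-in instance; a mapper that returned a different object
     * would only be seen by the mappers after it.
     */
    public void transformIDToken(KeycloakSession keycloakSession, IDToken iDToken, RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        Set<ProtocolMapperModel> mappers = new ClientSessionCode(realmModel, clientSessionModel).getRequestedProtocolMappers();
        KeycloakSessionFactory factory = keycloakSession.getKeycloakSessionFactory();
        IDToken token = iDToken;
        for (ProtocolMapperModel mapperModel : mappers) {
            ProtocolMapper mapper = (ProtocolMapper) factory.getProviderFactory(ProtocolMapper.class, mapperModel.getProtocolMapper());
            if (mapper instanceof OIDCIDTokenMapper) {
                token = ((OIDCIDTokenMapper) mapper).transformIDToken(token, mapperModel, keycloakSession, userSessionModel, clientSessionModel);
            }
        }
    }

    /**
     * Creates the bare access token: id, bearer type, subject, audience/issued-for (the client id),
     * issuer and nonce from the client-session notes, session state, expiration and allowed web
     * origins. The issuer is read from the {@link OIDCLoginProtocol#ISSUER} note, so a client
     * session is required (the original had a partial null guard; it is now rejected up front).
     *
     * @param uriInfo used to resolve the client's allowed web origins
     * @throws NullPointerException if {@code clientSessionModel} is {@code null}
     */
    protected AccessToken initToken(RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel, UriInfo uriInfo) {
        Objects.requireNonNull(clientSessionModel, "clientSessionModel");
        AccessToken token = new AccessToken();
        token.clientSession(clientSessionModel.getId());
        token.id(KeycloakModelUtils.generateId());
        token.type(TokenUtil.TOKEN_TYPE_BEARER);
        token.subject(userModel.getId());
        token.audience(clientModel.getClientId());
        token.issuedNow();
        token.issuedFor(clientModel.getClientId());
        token.issuer(clientSessionModel.getNote(OIDCLoginProtocol.ISSUER));
        token.setNonce(clientSessionModel.getNote("nonce"));
        if (userSessionModel != null) {
            token.setSessionState(userSessionModel.getId());
        }
        // A non-positive lifespan leaves expiration at 0, which build() treats as "no expiration".
        int lifespan = getTokenLifespan(realmModel, clientSessionModel);
        if (lifespan > 0) {
            token.expiration(Time.currentTime() + lifespan);
        }
        if (clientModel.getWebOrigins() != null) {
            token.setAllowedOrigins(WebOriginsUtils.resolveValidWebOrigins(uriInfo, clientModel));
        }
        return token;
    }

    /**
     * Access-token lifespan in seconds: the realm's implicit-flow lifespan when the client
     * session's {@code response_type} note parses as an implicit flow, otherwise the regular one.
     */
    private int getTokenLifespan(RealmModel realmModel, ClientSessionModel clientSessionModel) {
        String responseType = clientSessionModel.getNote("response_type");
        boolean implicitFlow = responseType != null && OIDCResponseType.parse(responseType).isImplicitFlow();
        return implicitFlow ? realmModel.getAccessTokenLifespanForImplicitFlow() : realmModel.getAccessTokenLifespan();
    }

    /**
     * Adds {@code roleModel} to the token's realm access (realm role) or to the resource access of
     * its client (client role), creating the access entry if needed, then recurses into composites.
     * A role already present stops the recursion for that branch.
     */
    protected void addComposites(AccessToken accessToken, RoleModel roleModel) {
        String roleName = roleModel.getName();
        AccessToken.Access access;
        if (roleModel.getContainer() instanceof RealmModel) {
            access = accessToken.getRealmAccess();
            if (access == null) {
                access = new AccessToken.Access();
                accessToken.setRealmAccess(access);
            } else if (access.getRoles() != null && access.isUserInRole(roleName)) {
                return;
            }
        } else {
            ClientModel roleClient = (ClientModel) roleModel.getContainer();
            access = accessToken.getResourceAccess(roleClient.getClientId());
            if (access == null) {
                access = accessToken.addAccess(roleClient.getClientId());
                // Clients with surrogate auth require the caller to be verified for their roles.
                if (roleClient.isSurrogateAuthRequired()) {
                    access.verifyCaller(true);
                }
            } else if (access.isUserInRole(roleName)) {
                return;
            }
        }
        access.addRole(roleName);
        if (roleModel.isComposite()) {
            for (RoleModel child : roleModel.getComposites()) {
                addComposites(accessToken, child);
            }
        }
    }

    /** Serializes {@code obj} as JSON and signs it (RS256) with the realm private key. */
    public String encodeToken(RealmModel realmModel, Object obj) {
        return new JWSBuilder().jsonContent(obj).rsa256(realmModel.getPrivateKey());
    }

    /** Starts a response for the given client session; see {@link AccessTokenResponseBuilder}. */
    public AccessTokenResponseBuilder responseBuilder(RealmModel realmModel, ClientModel clientModel, EventBuilder eventBuilder, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        return new AccessTokenResponseBuilder(realmModel, clientModel, eventBuilder, keycloakSession, userSessionModel, clientSessionModel);
    }
}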
