package org.keycloak.protocol.oidc.endpoints;

import java.util.HashMap;
import javax.ws.rs.GET;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.OAuthErrorException;
import org.keycloak.RSATokenVerifier;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;

/* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/ValidateTokenEndpoint.class */
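/**
 * JAX-RS resource that validates an OIDC access token for a realm.
 *
 * <p>The token is first verified against the realm's public key and the realm issuer URL
 * ({@link RSATokenVerifier#verifyToken}), then handed to
 * {@link TokenManager#validateToken} for the remaining checks. On success the decoded
 * {@link AccessToken} is returned as JSON; every failure yields HTTP 400 with an
 * {@code error} / {@code error_description} body.
 *
 * <p>Security note: the token is accepted as the {@code access_token} URL query parameter,
 * so it can end up in web-server and proxy access logs and in browser history. Treat request
 * logs for this path as sensitive. {@code @NoCache} only addresses response caching.
 */
public class ValidateTokenEndpoint {
    private static final Logger logger = Logger.getLogger(ValidateTokenEndpoint.class);

    // Request-scoped collaborators injected by the JAX-RS runtime (cannot be final).
    @Context
    private KeycloakSession session;

    @Context
    private ClientConnection clientConnection;

    @Context
    private UriInfo uriInfo;

    @Context
    private HttpHeaders headers;

    // Supplied once by the constructor and never reassigned.
    private final TokenManager tokenManager;
    private final RealmModel realm;
    private final EventBuilder event;

    /**
     * @param tokenManager performs the validation that follows signature verification
     * @param realmModel   realm whose public key, name and SSL policy are used
     * @param eventBuilder audit event builder for the current request
     */
    public ValidateTokenEndpoint(TokenManager tokenManager, RealmModel realmModel, EventBuilder eventBuilder) {
        this.tokenManager = tokenManager;
        this.realm = realmModel;
        this.event = eventBuilder;
    }

    /**
     * Verifies and validates the supplied access token.
     *
     * @param str the serialized access token taken from the {@code access_token} query parameter
     * @return 200 with the decoded token as JSON, or 400 with an OAuth-style error body
     * @throws ErrorResponseException (403) when HTTPS is required but the request is not HTTPS
     */
    @GET
    @Produces({"application/json"})
    @NoCache
    public Response validateAccessToken(@QueryParam("access_token") String str) {
        checkSsl();
        this.event.event(EventType.VALIDATE_ACCESS_TOKEN);
        try {
            // Signature and issuer check; the issuer is derived from the request's base URI.
            AccessToken token = RSATokenVerifier.verifyToken(
                    str,
                    this.realm.getPublicKey(),
                    Urls.realmIssuer(this.uriInfo.getBaseUri(), this.realm.getName()));
            this.event.user(token.getSubject())
                    .session(token.getSessionState())
                    .detail("validate_access_token", token.getId());
            try {
                this.tokenManager.validateToken(
                        this.session, this.uriInfo, this.clientConnection, this.realm, token, this.headers);
                this.event.success();
                return Response.ok(token, MediaType.APPLICATION_JSON_TYPE).build();
            } catch (OAuthErrorException e) {
                // The token verified but was rejected by the token manager: relay its error code.
                this.event.error("invalid_token");
                return badRequest(e.getError(), e.getDescription());
            }
        } catch (Exception e2) {
            // Boundary catch: any other failure is reported to the caller as one generic error
            // so that the response does not reveal why verification failed.
            logger.error("Invalid token. Token verification failed.");
            // Keep the cause available to operators without changing the error-level log line.
            logger.debug("Token verification failure cause", e2);
            this.event.error("invalid_token");
            return badRequest("invalid_grant", "Token invalid");
        }
    }

    /**
     * Builds the HTTP 400 JSON error response shared by both failure paths.
     *
     * @param error       value for the {@code error} member (stored as given, may be null)
     * @param description value for {@code error_description}; the member is omitted when null
     */
    private static Response badRequest(String error, String description) {
        // HashMap (not Map.of) because the error code coming from the exception may be null.
        HashMap<String, String> body = new HashMap<>();
        body.put("error", error);
        if (description != null) {
            body.put("error_description", description);
        }
        return Response.status(Response.Status.BAD_REQUEST)
                .entity(body)
                .type(MediaType.APPLICATION_JSON_TYPE)
                .build();
    }

    /**
     * Rejects the request with 403 when the realm's SSL policy requires HTTPS for this client
     * connection and the request's base URI is not {@code https}.
     *
     * <p>NOTE(review): the scheme comes from the JAX-RS base URI; behind a TLS-terminating proxy
     * this presumably depends on how forwarded headers are mapped. Confirm for the deployment.
     */
    private void checkSsl() {
        // Constant-first equals: a missing scheme is treated as "not HTTPS" (fail closed)
        // instead of raising a NullPointerException.
        boolean overHttps = "https".equals(this.uriInfo.getBaseUri().getScheme());
        if (!overHttps && this.realm.getSslRequired().isRequired(this.clientConnection)) {
            throw new ErrorResponseException("invalid_request", "HTTPS required", Response.Status.FORBIDDEN);
        }
    }
}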
