package org.keycloak.broker.oidc;

import com.fasterxml.jackson.databind.JsonNode;
import java.io.IOException;
import java.security.PublicKey;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.keycloak.WebAuthnConstants;
import org.keycloak.authorization.authorization.AuthorizationTokenService;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.ExchangeExternalToken;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.keys.loader.PublicKeyStorageManager;
import org.keycloak.models.ClientModel;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.resources.IdentityBrokerService;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.util.JsonSerialization;
import org.keycloak.vault.VaultStringSecret;

/* loaded from: input_file:org/keycloak/broker/oidc/OIDCIdentityProvider.class */
public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig> implements ExchangeExternalToken {
    // Scope the constructor forces into the configured default scope (substring match, see constructor).
    public static final String SCOPE_OPENID = "openid";
    // User-session note holding the ID token received from the external IdP; it is what
    // getIDTokenForLogout() reads and what the logout paths send as id_token_hint.
    public static final String FEDERATED_ID_TOKEN = "FEDERATED_ID_TOKEN";
    public static final String USER_INFO = "UserInfo";
    public static final String FEDERATED_ACCESS_TOKEN_RESPONSE = "FEDERATED_ACCESS_TOKEN_RESPONSE";
    public static final String VALIDATED_ID_TOKEN = "VALIDATED_ID_TOKEN";
    // Key in AccessTokenResponse.getOtherClaims() under which exchangeStoredToken() keeps the absolute
    // expiry of a stored external access token (compared against Time.currentTime()).
    public static final String ACCESS_TOKEN_EXPIRATION = "accessTokenExpiration";
    public static final String EXCHANGE_PROVIDER = "EXCHANGE_PROVIDER";
    // NOTE(review): not referenced in this part of the file.
    private static final String BROKER_NONCE_PARAM = "BROKER_NONCE";
    protected static final Logger logger = Logger.getLogger(OIDCIdentityProvider.class);
    // NOTE(review): not referenced in this part of the file.
    private static final MediaType APPLICATION_JWT_TYPE = MediaType.valueOf(org.keycloak.utils.MediaType.APPLICATION_JWT);

    /* loaded from: input_file:org/keycloak/broker/oidc/OIDCIdentityProvider$OIDCEndpoint.class */
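    protected class OIDCEndpoint extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>.Endpoint {
        public OIDCEndpoint(IdentityProvider.AuthenticationCallback authenticationCallback, RealmModel realmModel, EventBuilder eventBuilder) {
            super(authenticationCallback, realmModel, eventBuilder);
        }

        /**
         * Completes a Keycloak-initiated front-channel logout once the external IdP redirects the
         * browser back here.
         *
         * <p>{@code state} is the Keycloak user-session id that {@code keycloakInitiatedBrowserLogout}
         * placed in the outgoing logout request. The session must still exist and must be in the
         * {@code LOGGING_OUT} state; any other case is answered with a 400 error page and a failed
         * LOGOUT event rather than finishing a logout that was never started.
         *
         * @param str the {@code state} query parameter (the user session id); may be absent
         * @return the result of finishing the browser logout, or an error page
         */
        @GET
        @Path("logout_response")
        public Response logoutResponse(@QueryParam("state") String str) {
            if (str == null) {
                return logoutFailure("no state parameter returned", Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
            }
            UserSessionModel userSession = this.session.sessions().getUserSession(this.realm, str);
            if (userSession == null) {
                return logoutFailure("no valid user session", Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
            }
            if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
                return logoutFailure("usersession in different state", Messages.SESSION_NOT_ACTIVE);
            }
            return AuthenticationManager.finishBrowserLogout(this.session, this.realm, userSession, this.session.getContext().getUri(), this.clientConnection, this.headers);
        }

        /**
         * Logs the problem, records a failed LOGOUT event and renders a 400 error page.
         * All three failure branches of {@link #logoutResponse} share this so they stay consistent.
         *
         * @param logMessage server-side log text (never contains the state value)
         * @param messageKey message bundle key shown on the error page
         */
        private Response logoutFailure(String logMessage, String messageKey) {
            OIDCIdentityProvider.logger.error(logMessage);
            EventBuilder failure = new EventBuilder(this.realm, this.session, this.clientConnection);
            failure.event(EventType.LOGOUT);
            failure.error("user_session_not_found");
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, messageKey);
        }
    }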

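    /**
     * Creates the provider and makes sure the configured default scope contains {@code openid}.
     *
     * <p>Per OIDC Core the {@code openid} scope is what turns an OAuth2 authorization request into an
     * OpenID request (and gets an ID token back), so it is prepended when missing. The check is a
     * substring match, so a scope merely containing the text {@code openid} also satisfies it.
     * A {@code null} configured scope is treated as empty instead of failing.
     *
     * @param keycloakSession current session
     * @param oIDCIdentityProviderConfig provider configuration; its default scope may be rewritten
     */
    public OIDCIdentityProvider(KeycloakSession keycloakSession, OIDCIdentityProviderConfig oIDCIdentityProviderConfig) {
        super(keycloakSession, oIDCIdentityProviderConfig);
        String configuredScope = oIDCIdentityProviderConfig.getDefaultScope();
        if (configuredScope == null) {
            configuredScope = "";
        }
        if (!configuredScope.contains(SCOPE_OPENID)) {
            oIDCIdentityProviderConfig.setDefaultScope((SCOPE_OPENID + " " + configuredScope).trim());
        }
    }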

    /**
     * Creates the JAX-RS resource that receives the external IdP's redirects for this provider
     * (the OAuth2 callback from the superclass plus {@code logout_response}).
     *
     * @return a new {@link OIDCEndpoint} bound to the given realm, callback and event builder
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    public Object callback(RealmModel realmModel, IdentityProvider.AuthenticationCallback authenticationCallback, EventBuilder eventBuilder) {
        OIDCEndpoint endpoint = new OIDCEndpoint(authenticationCallback, realmModel, eventBuilder);
        return endpoint;
    }

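    /**
     * Calls the external IdP's token endpoint with the refresh token stored on the user session and
     * returns the raw response body. Used by {@code getIDTokenForLogout} to obtain a current ID token
     * when the stored one has expired.
     *
     * <p>The client secret is resolved through the vault first and falls back to the configured value.
     * The vault handle is closed when the request has been read, whatever the outcome.
     *
     * @param keycloakSession current session (HTTP client, vault)
     * @param userSessionModel session whose {@code FEDERATED_REFRESH_TOKEN} note is used
     * @return the token endpoint's response body as a string
     * @throws RuntimeException wrapping the {@link IOException} if the HTTP call fails
     */
    public String refreshTokenForLogout(KeycloakSession keycloakSession, UserSessionModel userSessionModel) {
        // NOTE(review): may be null if the session never stored a refresh token; the request is still sent.
        String refreshToken = userSessionModel.getNote(AbstractOAuth2IdentityProvider.FEDERATED_REFRESH_TOKEN);
        try (VaultStringSecret vaultSecret = keycloakSession.vault().getStringSecret(m135getConfig().getClientSecret())) {
            String clientSecret = vaultSecret.get().orElse(m135getConfig().getClientSecret());
            return getRefreshTokenRequest(keycloakSession, refreshToken, m135getConfig().getClientId(), clientSecret).asString();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }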

    /**
     * Logs the user out at the external IdP over the back channel, if this provider is set up for it.
     * Nothing happens when no logout URL is configured, when backchannel logout is disabled, or when
     * no ID token can be obtained for the session.
     *
     * @param keycloakSession current session
     * @param userSessionModel the Keycloak session being terminated
     * @param uriInfo unused here
     * @param realmModel unused here
     */
    public void backchannelLogout(KeycloakSession keycloakSession, UserSessionModel userSessionModel, UriInfo uriInfo, RealmModel realmModel) {
        String logoutUrl = m135getConfig().getLogoutUrl();
        if (logoutUrl == null || logoutUrl.trim().isEmpty()) {
            return;
        }
        if (!m135getConfig().isBackchannelSupported()) {
            return;
        }
        String idToken = getIDTokenForLogout(keycloakSession, userSessionModel);
        if (idToken == null) {
            return;
        }
        backchannelLogout(userSessionModel, idToken);
    }

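    /**
     * Sends the backchannel logout request: a GET to the configured logout URL carrying the Keycloak
     * user-session id as {@code state} and the external ID token as {@code id_token_hint}.
     *
     * <p>Logout is best-effort: a non-2xx/3xx status or any exception is logged at WARN and otherwise
     * ignored. The log line names only the configured endpoint, never the fully built URI, because
     * that URI carries the ID token and the session id.
     *
     * @param userSessionModel the Keycloak session being terminated
     * @param str the ID token obtained from the external IdP for this session
     */
    protected void backchannelLogout(UserSessionModel userSessionModel, String str) {
        String logoutUrl = m135getConfig().getLogoutUrl();
        UriBuilder logoutUri = UriBuilder.fromUri(logoutUrl).queryParam("state", userSessionModel.getId());
        logoutUri.queryParam("id_token_hint", str);
        String uri = logoutUri.build().toString();
        try {
            int status = SimpleHttp.doGet(uri, this.session).asStatus();
            if (status < 200 || status >= 400) {
                logger.warn("Failed backchannel broker logout to: " + logoutUrl + " (HTTP status " + status + ")");
            }
        } catch (Exception e) {
            // Broad catch on purpose: a failing IdP must not break the local logout.
            logger.warn("Failed backchannel broker logout to: " + logoutUrl, e);
        }
    }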

    /**
     * Starts logout at the external IdP when Keycloak initiates a browser logout.
     *
     * <p>With backchannel support and an available ID token the logout is done server-to-server and
     * no redirect is needed. Otherwise the browser is sent to the IdP's logout URL with the session id
     * as {@code state}, the ID token as {@code id_token_hint} when available, and a
     * {@code post_logout_redirect_uri} pointing back at {@link OIDCEndpoint#logoutResponse}.
     *
     * @return a 302 redirect to the IdP, or {@code null} when no logout URL is configured or the
     *         logout was already completed over the back channel
     */
    public Response keycloakInitiatedBrowserLogout(KeycloakSession keycloakSession, UserSessionModel userSessionModel, UriInfo uriInfo, RealmModel realmModel) {
        String logoutUrl = m135getConfig().getLogoutUrl();
        if (logoutUrl == null || logoutUrl.trim().isEmpty()) {
            return null;
        }
        String idToken = getIDTokenForLogout(keycloakSession, userSessionModel);
        boolean useBackchannel = idToken != null && m135getConfig().isBackchannelSupported();
        if (useBackchannel) {
            backchannelLogout(userSessionModel, idToken);
            return null;
        }
        String returnUrl = RealmsResource.brokerUrl(uriInfo)
                .path(IdentityBrokerService.class, "getEndpoint")
                .path(OIDCEndpoint.class, "logoutResponse")
                .build(realmModel.getName(), m135getConfig().getAlias())
                .toString();
        UriBuilder redirect = UriBuilder.fromUri(logoutUrl).queryParam("state", userSessionModel.getId());
        if (idToken != null) {
            redirect.queryParam("id_token_hint", idToken);
        }
        redirect.queryParam("post_logout_redirect_uri", returnUrl);
        return Response.status(Response.Status.FOUND).location(redirect.build()).build();
    }

    /* JADX WARN: Failed to calculate best type for var: r14v0 ??
    java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.InsnArg.getType()" because "changeArg" is null
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.moveListener(TypeUpdate.java:439)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.runListeners(TypeUpdate.java:232)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.requestUpdate(TypeUpdate.java:212)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeForSsaVar(TypeUpdate.java:183)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeChecked(TypeUpdate.java:112)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:83)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:56)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.calculateFromBounds(FixTypesVisitor.java:156)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.setBestType(FixTypesVisitor.java:133)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.deduceType(FixTypesVisitor.java:238)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.tryDeduceTypes(FixTypesVisitor.java:221)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.visit(FixTypesVisitor.java:91)
     */
    /* JADX WARN: Failed to calculate best type for var: r14v0 ??
    java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.InsnArg.getType()" because "changeArg" is null
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.moveListener(TypeUpdate.java:439)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.runListeners(TypeUpdate.java:232)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.requestUpdate(TypeUpdate.java:212)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeForSsaVar(TypeUpdate.java:183)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeChecked(TypeUpdate.java:112)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:83)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:56)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.calculateFromBounds(TypeInferenceVisitor.java:145)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.setBestType(TypeInferenceVisitor.java:123)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.lambda$runTypePropagation$2(TypeInferenceVisitor.java:101)
    	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.runTypePropagation(TypeInferenceVisitor.java:101)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.visit(TypeInferenceVisitor.java:75)
     */
    /* JADX WARN: Failed to calculate best type for var: r15v0 ??
    java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.InsnArg.getType()" because "changeArg" is null
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.moveListener(TypeUpdate.java:439)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.runListeners(TypeUpdate.java:232)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.requestUpdate(TypeUpdate.java:212)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeForSsaVar(TypeUpdate.java:183)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeChecked(TypeUpdate.java:112)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:83)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:56)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.calculateFromBounds(FixTypesVisitor.java:156)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.setBestType(FixTypesVisitor.java:133)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.deduceType(FixTypesVisitor.java:238)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.tryDeduceTypes(FixTypesVisitor.java:221)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.visit(FixTypesVisitor.java:91)
     */
    /* JADX WARN: Failed to calculate best type for var: r15v0 ??
    java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.InsnArg.getType()" because "changeArg" is null
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.moveListener(TypeUpdate.java:439)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.runListeners(TypeUpdate.java:232)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.requestUpdate(TypeUpdate.java:212)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeForSsaVar(TypeUpdate.java:183)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeChecked(TypeUpdate.java:112)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:83)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:56)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.calculateFromBounds(TypeInferenceVisitor.java:145)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.setBestType(TypeInferenceVisitor.java:123)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.lambda$runTypePropagation$2(TypeInferenceVisitor.java:101)
    	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.runTypePropagation(TypeInferenceVisitor.java:101)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.visit(TypeInferenceVisitor.java:75)
     */
    /* JADX WARN: Multi-variable type inference failed. Error: java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.RegisterArg.getSVar()" because the return value of "jadx.core.dex.nodes.InsnNode.getResult()" is null
    	at jadx.core.dex.visitors.typeinference.AbstractTypeConstraint.collectRelatedVars(AbstractTypeConstraint.java:31)
    	at jadx.core.dex.visitors.typeinference.AbstractTypeConstraint.<init>(AbstractTypeConstraint.java:19)
    	at jadx.core.dex.visitors.typeinference.TypeSearch$1.<init>(TypeSearch.java:376)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.makeMoveConstraint(TypeSearch.java:376)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.makeConstraint(TypeSearch.java:361)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.collectConstraints(TypeSearch.java:341)
    	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.run(TypeSearch.java:60)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.runMultiVariableSearch(FixTypesVisitor.java:116)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.visit(FixTypesVisitor.java:91)
     */
    /* JADX WARN: Not initialized variable reg: 14, insn: 0x02fc: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r14 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) A[TRY_LEAVE], block:B:81:0x02fc */
    /* JADX WARN: Not initialized variable reg: 15, insn: 0x0301: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r15 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]), block:B:83:0x0301 */
    /* JADX WARN: Type inference failed for: r14v0, types: [org.keycloak.vault.VaultStringSecret] */
    /* JADX WARN: Type inference failed for: r15v0, types: [java.lang.Throwable] */
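    /**
     * Token exchange against a stored (persisted) external token: returns the external IdP's access
     * token linked to {@code userModel}, refreshing it first when the stored copy has expired.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>no federated identity or no stored token: {@code exchangeNotLinked};</li>
     *   <li>stored token expired and no refresh token, or the IdP rejects the refresh:
     *       {@code exchangeTokenExpired} (in the latter case the stale stored token is cleared);</li>
     *   <li>otherwise HTTP 200 with a JSON body holding only the access token; ID token, refresh token
     *       and all other claims are stripped so the requesting client gets nothing beyond it.</li>
     * </ul>
     *
     * @param uriInfo request URI info, used for the account-link URL
     * @param eventBuilder event to record success/failure on
     * @param clientModel the client performing the exchange
     * @param userSessionModel the session of the requesting user
     * @param userModel the user whose federated identity is looked up
     * @throws RuntimeException wrapping an {@link IOException} from JSON (de)serialization or the refresh call
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected Response exchangeStoredToken(UriInfo uriInfo, EventBuilder eventBuilder, ClientModel clientModel, UserSessionModel userSessionModel, UserModel userModel) {
        FederatedIdentityModel federatedIdentity = this.session.users().getFederatedIdentity(userModel, m135getConfig().getAlias(), clientModel.getRealm());
        if (federatedIdentity == null || federatedIdentity.getToken() == null) {
            eventBuilder.detail("reason", "requested_issuer is not linked");
            eventBuilder.error("invalid_token");
            return exchangeNotLinked(uriInfo, clientModel, userSessionModel, userModel);
        }
        try (VaultStringSecret vaultSecret = this.session.vault().getStringSecret(m135getConfig().getClientSecret())) {
            AccessTokenResponse tokenResponse = JsonSerialization.readValue(federatedIdentity.getToken(), AccessTokenResponse.class);
            Integer expiration = (Integer) tokenResponse.getOtherClaims().get(ACCESS_TOKEN_EXPIRATION);
            if (expiration != null && expiration < Time.currentTime()) {
                if (tokenResponse.getRefreshToken() == null) {
                    return exchangeTokenExpired(uriInfo, clientModel, userSessionModel, userModel);
                }
                String clientSecret = vaultSecret.get().orElse(m135getConfig().getClientSecret());
                String refreshBody = getRefreshTokenRequest(this.session, tokenResponse.getRefreshToken(), m135getConfig().getClientId(), clientSecret).asString();
                // Coarse failure check: any body containing that constant's value (the decompiler resolved
                // it to WebAuthnConstants.ERROR, presumably the literal "error") counts as a rejected refresh.
                // A successful response that happens to contain the substring would also land here and have
                // its stored token cleared; kept as-is to preserve behaviour. The body is logged at DEBUG
                // only, since on such a false positive it would contain live tokens.
                if (refreshBody.contains(WebAuthnConstants.ERROR)) {
                    logger.debugv("Error refreshing token, refresh token expiration?: {0}", refreshBody);
                    federatedIdentity.setToken(null);
                    this.session.users().updateFederatedIdentity(clientModel.getRealm(), userModel, federatedIdentity);
                    eventBuilder.detail("reason", "requested_issuer token expired");
                    eventBuilder.error("invalid_token");
                    return exchangeTokenExpired(uriInfo, clientModel, userSessionModel, userModel);
                }
                tokenResponse = storeRefreshedToken(clientModel, userModel, federatedIdentity, userSessionModel, tokenResponse, refreshBody);
            } else if (expiration != null) {
                // Report the remaining lifetime rather than the original expires_in.
                tokenResponse.setExpiresIn(expiration - Time.currentTime());
            }
            // Hand out the access token only: everything else stays server-side.
            tokenResponse.setIdToken(null);
            tokenResponse.setRefreshToken(null);
            tokenResponse.setRefreshExpiresIn(0L);
            tokenResponse.getOtherClaims().clear();
            tokenResponse.getOtherClaims().put("issued_token_type", "urn:ietf:params:oauth:token-type:access_token");
            tokenResponse.getOtherClaims().put("account-link-url", getLinkingUrl(uriInfo, clientModel, userSessionModel));
            eventBuilder.success();
            return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Parses a successful refresh response, persists it as the new stored token and, when the user
     * session was holding the token that got replaced, updates the session notes to match.
     *
     * <p>The refreshed token is written back through {@code updateFederatedIdentity}, the same way
     * the error path clears it; setting it on the model alone would not persist it.
     *
     * @param previous the stored response being replaced
     * @param refreshBody raw JSON body returned by the token endpoint
     * @return the parsed refreshed response (with absolute expiry recorded under {@code ACCESS_TOKEN_EXPIRATION})
     * @throws IOException when the body cannot be parsed or the new response cannot be serialized
     */
    private AccessTokenResponse storeRefreshedToken(ClientModel clientModel, UserModel userModel, FederatedIdentityModel federatedIdentity,
                                                     UserSessionModel userSessionModel, AccessTokenResponse previous, String refreshBody) throws IOException {
        AccessTokenResponse refreshed = JsonSerialization.readValue(refreshBody, AccessTokenResponse.class);
        if (refreshed.getExpiresIn() > 0) {
            // Absolute expiry lets the next exchange decide whether the stored token is still usable.
            refreshed.getOtherClaims().put(ACCESS_TOKEN_EXPIRATION, Time.currentTime() + (int) refreshed.getExpiresIn());
        }
        // An IdP may omit the refresh token in a refresh response; keep the previous one in that case.
        if (refreshed.getRefreshToken() == null && previous.getRefreshToken() != null) {
            refreshed.setRefreshToken(previous.getRefreshToken());
            refreshed.setRefreshExpiresIn(previous.getRefreshExpiresIn());
        }
        String sessionAccessToken = userSessionModel.getNote("FEDERATED_ACCESS_TOKEN");
        if (sessionAccessToken != null && sessionAccessToken.equals(previous.getToken())) {
            long sessionExpiration = refreshed.getExpiresIn() > 0 ? Time.currentTime() + (int) refreshed.getExpiresIn() : 0;
            userSessionModel.setNote(AbstractOAuth2IdentityProvider.FEDERATED_TOKEN_EXPIRATION, Long.toString(sessionExpiration));
            userSessionModel.setNote(AbstractOAuth2IdentityProvider.FEDERATED_REFRESH_TOKEN, refreshed.getRefreshToken());
            userSessionModel.setNote("FEDERATED_ACCESS_TOKEN", refreshed.getToken());
            userSessionModel.setNote(FEDERATED_ID_TOKEN, refreshed.getIdToken());
        }
        federatedIdentity.setToken(JsonSerialization.writeValueAsString(refreshed));
        this.session.users().updateFederatedIdentity(clientModel.getRealm(), userModel, federatedIdentity);
        return refreshed;
    }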

    /**
     * Returns the ID token to present as {@code id_token_hint} when logging the user out at the
     * external IdP.
     *
     * <p>The token kept on the user session is used as long as the stored expiration has not
     * passed (an expiration of 0 is treated as "still valid"). Once it has passed, the session's
     * refresh token is used to obtain a fresh response and its ID token is returned instead.
     *
     * @return the ID token, or {@code null} when the session holds none or the refreshed response carries none
     * @throws RuntimeException wrapping an {@link IOException} when the refreshed response cannot be parsed
     */
    private String getIDTokenForLogout(KeycloakSession keycloakSession, UserSessionModel userSessionModel) {
        String expirationNote = userSessionModel.getNote(AbstractOAuth2IdentityProvider.FEDERATED_TOKEN_EXPIRATION);
        long expiration = 0L;
        if (expirationNote != null) {
            expiration = Long.parseLong(expirationNote);
        }
        boolean expired = expiration > 0 && Time.currentTime() > expiration;
        if (!expired) {
            return userSessionModel.getNote(FEDERATED_ID_TOKEN);
        }
        try {
            String refreshedJson = refreshTokenForLogout(keycloakSession, userSessionModel);
            AccessTokenResponse refreshed = JsonSerialization.readValue(refreshedJson, AccessTokenResponse.class);
            return refreshed.getIdToken();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Hook invoked with the raw token response from the external IdP. This provider does nothing
     * with it; subclasses may override to inspect the response or enrich the brokered context.
     *
     * @param brokeredIdentityContext the identity being brokered
     * @param accessTokenResponse the token response as returned by the IdP
     */
    public void processAccessTokenResponse(BrokeredIdentityContext brokeredIdentityContext, AccessTokenResponse accessTokenResponse) {
        // Intentionally empty: no post-processing of the token response at this level.
    }

    /**
     * Builds (but does not send) a refresh-token grant request against the configured token endpoint.
     * Client authentication is added by {@code authenticateTokenRequest}, which is why {@code str2}
     * and {@code str3} are not used by this implementation.
     *
     * @param keycloakSession current session, used for the HTTP client
     * @param str the refresh token to present
     * @param str2 client id (not used here)
     * @param str3 client secret (not used here)
     * @return the prepared, authenticated request
     */
    protected SimpleHttp getRefreshTokenRequest(KeycloakSession keycloakSession, String str, String str2, String str3) {
        String tokenUrl = m135getConfig().getTokenUrl();
        SimpleHttp request = SimpleHttp.doPost(tokenUrl, keycloakSession);
        // The same constant is used for the parameter name and for the grant_type value.
        request = request.param(AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN, str);
        request = request.param("grant_type", AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN);
        return authenticateTokenRequest(request);
    }

    /* JADX WARN: Failed to calculate best type for var: r16v1 ??
    java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.InsnArg.getType()" because "changeArg" is null
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.moveListener(TypeUpdate.java:439)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.runListeners(TypeUpdate.java:232)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.requestUpdate(TypeUpdate.java:212)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeForSsaVar(TypeUpdate.java:183)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeChecked(TypeUpdate.java:112)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:83)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:56)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.calculateFromBounds(FixTypesVisitor.java:156)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.setBestType(FixTypesVisitor.java:133)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.deduceType(FixTypesVisitor.java:238)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.tryDeduceTypes(FixTypesVisitor.java:221)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.visit(FixTypesVisitor.java:91)
     */
    /* JADX WARN: Failed to calculate best type for var: r16v1 ??
    java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.InsnArg.getType()" because "changeArg" is null
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.moveListener(TypeUpdate.java:439)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.runListeners(TypeUpdate.java:232)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.requestUpdate(TypeUpdate.java:212)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeForSsaVar(TypeUpdate.java:183)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeChecked(TypeUpdate.java:112)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:83)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:56)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.calculateFromBounds(TypeInferenceVisitor.java:145)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.setBestType(TypeInferenceVisitor.java:123)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.lambda$runTypePropagation$2(TypeInferenceVisitor.java:101)
    	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.runTypePropagation(TypeInferenceVisitor.java:101)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.visit(TypeInferenceVisitor.java:75)
     */
    /* JADX WARN: Failed to calculate best type for var: r17v0 ??
    java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.InsnArg.getType()" because "changeArg" is null
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.moveListener(TypeUpdate.java:439)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.runListeners(TypeUpdate.java:232)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.requestUpdate(TypeUpdate.java:212)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeForSsaVar(TypeUpdate.java:183)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeChecked(TypeUpdate.java:112)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:83)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:56)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.calculateFromBounds(FixTypesVisitor.java:156)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.setBestType(FixTypesVisitor.java:133)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.deduceType(FixTypesVisitor.java:238)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.tryDeduceTypes(FixTypesVisitor.java:221)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.visit(FixTypesVisitor.java:91)
     */
    /* JADX WARN: Failed to calculate best type for var: r17v0 ??
    java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.InsnArg.getType()" because "changeArg" is null
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.moveListener(TypeUpdate.java:439)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.runListeners(TypeUpdate.java:232)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.requestUpdate(TypeUpdate.java:212)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeForSsaVar(TypeUpdate.java:183)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeChecked(TypeUpdate.java:112)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:83)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:56)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.calculateFromBounds(TypeInferenceVisitor.java:145)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.setBestType(TypeInferenceVisitor.java:123)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.lambda$runTypePropagation$2(TypeInferenceVisitor.java:101)
    	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.runTypePropagation(TypeInferenceVisitor.java:101)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.visit(TypeInferenceVisitor.java:75)
     */
    /* JADX WARN: Multi-variable type inference failed. Error: java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.RegisterArg.getSVar()" because the return value of "jadx.core.dex.nodes.InsnNode.getResult()" is null
    	at jadx.core.dex.visitors.typeinference.AbstractTypeConstraint.collectRelatedVars(AbstractTypeConstraint.java:31)
    	at jadx.core.dex.visitors.typeinference.AbstractTypeConstraint.<init>(AbstractTypeConstraint.java:19)
    	at jadx.core.dex.visitors.typeinference.TypeSearch$1.<init>(TypeSearch.java:376)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.makeMoveConstraint(TypeSearch.java:376)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.makeConstraint(TypeSearch.java:361)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.collectConstraints(TypeSearch.java:341)
    	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.run(TypeSearch.java:60)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.runMultiVariableSearch(FixTypesVisitor.java:116)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.visit(FixTypesVisitor.java:91)
     */
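    /**
     * Serves an internal-to-external token exchange for a user who logged in through this provider.
     * The federated access token kept in the user session is returned as-is while its stored
     * expiration is in the future (or unknown, {@code 0}); otherwise it is refreshed with the stored
     * refresh token and the user-session notes are updated with the new token set.
     * Only the access token is handed to the exchanging client: the id_token and refresh token stay
     * inside the user session.
     *
     * @param uriInfo          request URI information, used to build the {@code account-link-url} claim
     * @param eventBuilder     event sink for success / error details
     * @param clientModel      the Keycloak client performing the exchange
     * @param userSessionModel user session carrying the FEDERATED_* notes written by
     *                         {@link #authenticationFinished}
     * @param userModel        the authenticated user
     * @return a JSON response wrapping an {@link AccessTokenResponse}, or the result of
     *         {@code exchangeTokenExpired} when no usable federated token exists
     * @throws RuntimeException wrapping the {@link IOException} raised by the refresh request
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected Response exchangeSessionToken(UriInfo uriInfo, EventBuilder eventBuilder, ClientModel clientModel, UserSessionModel userSessionModel, UserModel userModel) {
        String refreshToken = userSessionModel.getNote(AbstractOAuth2IdentityProvider.FEDERATED_REFRESH_TOKEN);
        String accessToken = userSessionModel.getNote("FEDERATED_ACCESS_TOKEN");
        if (accessToken == null) {
            // No federated access token was stored for this session: the requested issuer is not linked.
            eventBuilder.detail("reason", "requested_issuer is not linked");
            eventBuilder.error("invalid_token");
            return exchangeTokenExpired(uriInfo, clientModel, userSessionModel, userModel);
        }
        // The client secret may be a vault reference; the secret handle is released when the request is done.
        try (VaultStringSecret clientSecret = this.session.vault().getStringSecret(m135getConfig().getClientSecret())) {
            // Absolute expiration in epoch seconds as written by authenticationFinished; 0 means "no expiry known".
            // NOTE(review): Long.parseLong throws NumberFormatException when the note is absent (unchanged behaviour).
            long expiration = Long.parseLong(userSessionModel.getNote(AbstractOAuth2IdentityProvider.FEDERATED_TOKEN_EXPIRATION));
            if (expiration == 0 || expiration > Time.currentTime()) {
                AccessTokenResponse cached = new AccessTokenResponse();
                // NOTE(review): this is the stored absolute timestamp, not a remaining-seconds duration as the
                // OAuth expires_in field would suggest — confirm with clients before changing it.
                cached.setExpiresIn(expiration);
                cached.setToken(accessToken);
                return buildExchangeResponse(uriInfo, eventBuilder, clientModel, userSessionModel, cached);
            }
            String secret = clientSecret.get().orElse(m135getConfig().getClientSecret());
            String body = getRefreshTokenRequest(this.session, refreshToken, m135getConfig().getClientId(), secret).asString();
            // NOTE(review): an error reply is detected by a substring match on the raw body (presumably the
            // literal "error" — confirm the constant); a success body containing that text would be misread.
            if (body.contains(WebAuthnConstants.ERROR)) {
                logger.debugv("Error refreshing token, refresh token expiration?: {0}", body);
                eventBuilder.detail("reason", "requested_issuer token expired");
                eventBuilder.error("invalid_token");
                return exchangeTokenExpired(uriInfo, clientModel, userSessionModel, userModel);
            }
            AccessTokenResponse refreshed = JsonSerialization.readValue(body, AccessTokenResponse.class);
            // Persist the fresh token set so later exchanges reuse it instead of refreshing again.
            long newExpiration = refreshed.getExpiresIn() > 0 ? Time.currentTime() + refreshed.getExpiresIn() : 0L;
            userSessionModel.setNote(AbstractOAuth2IdentityProvider.FEDERATED_TOKEN_EXPIRATION, Long.toString(newExpiration));
            userSessionModel.setNote(AbstractOAuth2IdentityProvider.FEDERATED_REFRESH_TOKEN, refreshed.getRefreshToken());
            userSessionModel.setNote("FEDERATED_ACCESS_TOKEN", refreshed.getToken());
            userSessionModel.setNote(FEDERATED_ID_TOKEN, refreshed.getIdToken());
            return buildExchangeResponse(uriInfo, eventBuilder, clientModel, userSessionModel, refreshed);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Strips a token response down to what the exchanging client may see (access token plus the
     * {@code issued_token_type} and {@code account-link-url} claims), records success and builds the
     * JSON response.
     *
     * @param tokenResponse the response to strip; mutated in place
     * @return the HTTP 200 JSON response
     */
    private Response buildExchangeResponse(UriInfo uriInfo, EventBuilder eventBuilder, ClientModel clientModel, UserSessionModel userSessionModel, AccessTokenResponse tokenResponse) {
        // Never forward the provider's id_token or refresh token to the exchanging client.
        tokenResponse.setIdToken((String) null);
        tokenResponse.setRefreshToken((String) null);
        tokenResponse.setRefreshExpiresIn(0L);
        tokenResponse.getOtherClaims().clear();
        tokenResponse.getOtherClaims().put("issued_token_type", "urn:ietf:params:oauth:token-type:access_token");
        tokenResponse.getOtherClaims().put("account-link-url", getLinkingUrl(uriInfo, clientModel, userSessionModel));
        eventBuilder.success();
        return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
    }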

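    /**
     * Builds the brokered identity from the provider's token endpoint response: checks that an access
     * token is present, validates the id_token (signature, activity window, audience, azp, issuer),
     * extracts profile claims (from the token or the userinfo endpoint) and cross-checks the resulting
     * subject against the signed id_token subject.
     *
     * @param str the raw JSON body returned by the token endpoint
     * @return the identity context; when token storage is enabled it also carries the (expiry-annotated)
     *         token response as its token
     * @throws IdentityBrokerException when the response cannot be decoded, a token fails validation,
     *         the subjects disagree, or the userinfo lookup fails
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    public BrokeredIdentityContext getFederatedIdentity(String str) {
        AccessTokenResponse tokenResponse;
        try {
            tokenResponse = JsonSerialization.readValue(str, AccessTokenResponse.class);
        } catch (IOException e) {
            throw new IdentityBrokerException("Could not decode access token response.", e);
        }
        String accessToken = verifyAccessToken(tokenResponse);
        JsonWebToken idToken = validateToken(tokenResponse.getIdToken());
        try {
            BrokeredIdentityContext identity = extractIdentity(tokenResponse, accessToken, idToken);
            // extractIdentity may have replaced the subject with the userinfo "sub"; it must agree with the
            // signed id_token, otherwise an unexpected userinfo reply could bind the login to another user.
            String subject = idToken.getSubject();
            if (identity.getId() == null || !identity.getId().equals(subject)) {
                throw new IdentityBrokerException("Mismatch between the subject in the id_token and the subject from the user_info endpoint");
            }
            // The nonce is compared with the one stored on the auth session in preprocessFederatedIdentity.
            identity.getContextData().put(BROKER_NONCE_PARAM, idToken.getOtherClaims().get("nonce"));
            if (m135getConfig().isStoreToken()) {
                String storedToken = str;
                if (tokenResponse.getExpiresIn() > 0) {
                    // Record an absolute expiration so consumers of the stored token can tell when it lapses.
                    tokenResponse.getOtherClaims().put(ACCESS_TOKEN_EXPIRATION, Time.currentTime() + tokenResponse.getExpiresIn());
                    storedToken = JsonSerialization.writeValueAsString(tokenResponse);
                }
                identity.setToken(storedToken);
            }
            return identity;
        } catch (IdentityBrokerException e) {
            // Already carries a precise reason (e.g. subject mismatch); do not relabel it as a userinfo failure.
            throw e;
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not fetch attributes from userinfo endpoint.", e);
        }
    }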

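    /**
     * Populates a {@link BrokeredIdentityContext} from a validated token, consulting the userinfo
     * endpoint when the token does not already carry sub, name, username and email (and a bearer
     * token is available).
     *
     * @param accessTokenResponse the token endpoint response, or {@code null} when validating an external token
     * @param str                 bearer access token for the userinfo call, or {@code null} to skip that call
     * @param jsonWebToken        the already-validated token whose claims seed the identity
     * @return the identity; its id is the userinfo {@code sub} when userinfo was consulted, else the token subject
     * @throws IOException      when the userinfo request or its body cannot be read
     * @throws RuntimeException on an unsupported userinfo content type, or a JWT userinfo response that
     *                          cannot be parsed or fails signature verification
     */
    protected BrokeredIdentityContext extractIdentity(AccessTokenResponse accessTokenResponse, String str, JsonWebToken jsonWebToken) throws IOException {
        String subject = jsonWebToken.getSubject();
        BrokeredIdentityContext identity = new BrokeredIdentityContext(subject);
        String name = (String) jsonWebToken.getOtherClaims().get("name");
        String username = (String) jsonWebToken.getOtherClaims().get(getusernameClaimNameForIdToken());
        String email = (String) jsonWebToken.getOtherClaims().get("email");

        String userInfoUrl = m135getConfig().isDisableUserInfoService() ? null : getUserInfoUrl();
        boolean claimsMissing = subject == null || name == null || username == null || email == null;
        if (userInfoUrl != null && !userInfoUrl.isEmpty() && claimsMissing && str != null) {
            JsonNode userInfo = fetchUserInfo(userInfoUrl, str);
            // Userinfo values override what the token carried, including the subject. Callers that must bind
            // the identity to the signed token (see getFederatedIdentity) compare this id with the token subject.
            subject = getJsonProperty(userInfo, "sub");
            name = getJsonProperty(userInfo, "name");
            username = getUsernameFromUserInfo(userInfo);
            email = getJsonProperty(userInfo, "email");
            AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, userInfo, m135getConfig().getAlias());
        }

        identity.getContextData().put(VALIDATED_ID_TOKEN, jsonWebToken);
        identity.setId(subject);
        identity.setName(name);
        identity.setEmail(email);
        identity.setBrokerUserId(m135getConfig().getAlias() + "." + subject);
        // Username fallback chain: configured username claim, then email, then subject.
        if (username == null) {
            username = email != null ? email : subject;
        }
        identity.setUsername(username);
        if (accessTokenResponse != null) {
            if (accessTokenResponse.getSessionState() != null) {
                identity.setBrokerSessionId(m135getConfig().getAlias() + "." + accessTokenResponse.getSessionState());
            }
            identity.getContextData().put(FEDERATED_ACCESS_TOKEN_RESPONSE, accessTokenResponse);
            processAccessTokenResponse(identity, accessTokenResponse);
        }
        return identity;
    }

    /**
     * Calls the userinfo endpoint with the given bearer token and returns its claims as JSON.
     * A JSON response is used directly; a JWT response is signature-checked through
     * {@link #verify(JWSInput)} (which accepts anything when signature validation is disabled in
     * the provider configuration) before its payload is decoded. Any other content type is rejected.
     *
     * @param userInfoUrl the endpoint to call
     * @param accessToken the bearer token sent in the Authorization header
     * @return the userinfo claims
     * @throws IOException      when the request or body read fails
     * @throws RuntimeException on an unsupported content type, an unparsable JWT or a bad signature
     */
    private JsonNode fetchUserInfo(String userInfoUrl, String accessToken) throws IOException {
        SimpleHttp.Response response = executeRequest(userInfoUrl, SimpleHttp.doGet(userInfoUrl, this.session).header(Cors.AUTHORIZATION_HEADER, "Bearer " + accessToken));
        String contentType = response.getFirstHeader("Content-Type");
        MediaType mediaType;
        try {
            mediaType = MediaType.valueOf(contentType);
        } catch (IllegalArgumentException e) {
            // Unparsable header (presumably a missing one too — confirm): treated as unsupported below.
            mediaType = null;
        }
        if (mediaType == null || mediaType.isWildcardSubtype() || mediaType.isWildcardType()) {
            throw new RuntimeException("Unsupported content-type [" + contentType + "] in response from [" + userInfoUrl + "].");
        }
        if (MediaType.APPLICATION_JSON_TYPE.isCompatible(mediaType)) {
            return response.asJson();
        }
        if (!APPLICATION_JWT_TYPE.isCompatible(mediaType)) {
            throw new RuntimeException("Unsupported content-type [" + contentType + "] in response from [" + userInfoUrl + "].");
        }
        try {
            JWSInput jws = new JWSInput(response.asString());
            if (!verify(jws)) {
                throw new RuntimeException("Failed to verify signature of userinfo response from [" + userInfoUrl + "].");
            }
            return JsonSerialization.readValue(jws.getContent(), JsonNode.class);
        } catch (JWSInputException e) {
            throw new RuntimeException("Failed to parse JWT userinfo response", e);
        }
    }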

    /**
     * Name of the id_token claim that supplies the username; subclasses may override it.
     *
     * @return {@code "preferred_username"}
     */
    protected String getusernameClaimNameForIdToken() {
        final String usernameClaim = "preferred_username";
        return usernameClaim;
    }

    /**
     * Userinfo endpoint URL from the provider configuration; may be {@code null} or empty when unset.
     * (Decompiler note: declared {@code protected} in the original source.)
     *
     * @return the configured userinfo URL
     */
    public String getUserInfoUrl() {
        String configuredUrl = m135getConfig().getUserInfoUrl();
        return configuredUrl;
    }

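    /**
     * Executes the prepared request and returns the response when the status is 200.
     *
     * @param str        the URL being called; used only in the error message
     * @param simpleHttp the request to execute
     * @return the successful response
     * @throws IOException             when the request cannot be sent
     * @throws IdentityBrokerException for any non-200 status; the message carries the response body
     *                                 when it could be read (note that the remote error body is copied
     *                                 verbatim into the exception message and may end up in logs)
     */
    private SimpleHttp.Response executeRequest(String str, SimpleHttp simpleHttp) throws IOException {
        SimpleHttp.Response response = simpleHttp.asResponse();
        if (response.getStatus() == 200) {
            return response;
        }
        String detail = "failed to invoke url [" + str + "]";
        try {
            String body = response.asString();
            if (body != null) {
                detail = body;
            }
        } catch (IOException ignored) {
            // Best effort: the body only enriches the error message, so keep the generic detail.
        }
        throw new IdentityBrokerException("Failed to invoke url [" + str + "]: " + detail);
    }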

    /**
     * Returns the access token from the token response, rejecting responses without one.
     *
     * @param accessTokenResponse the decoded token endpoint response
     * @return the non-null access token
     * @throws IdentityBrokerException when the response carries no access token
     */
    private String verifyAccessToken(AccessTokenResponse accessTokenResponse) {
        String accessToken = accessTokenResponse.getToken();
        if (accessToken != null) {
            return accessToken;
        }
        throw new IdentityBrokerException("No access_token from server.");
    }

    /**
     * Checks the JWS signature against this provider's public key (resolved through
     * {@link PublicKeyStorageManager} for the current realm and configuration).
     * Returns {@code true} without any check when signature validation is disabled in the
     * configuration. A missing key, a failed verification or any exception during key lookup yields
     * {@code false}; exceptions are logged at debug level only.
     * NOTE(review): verification goes through {@link RSAProvider} only — confirm whether other key types are expected.
     * (Decompiler note: declared {@code protected} in the original source.)
     *
     * @param jWSInput the parsed JWS to verify
     * @return whether the signature is acceptable
     */
    public boolean verify(JWSInput jWSInput) {
        if (!m135getConfig().isValidateSignature()) {
            return true;
        }
        try {
            PublicKey providerKey = PublicKeyStorageManager.getIdentityProviderPublicKey(this.session, this.session.getContext().getRealm(), m135getConfig(), jWSInput);
            return providerKey != null && RSAProvider.verify(jWSInput, providerKey);
        } catch (Exception e) {
            logger.debug("Failed to verify token", e);
            return false;
        }
    }

    /**
     * Validates a token with the audience and azp checks enforced.
     *
     * @param str the compact-serialized JWT
     * @return the parsed, validated token
     * @throws IdentityBrokerException on any validation failure
     */
    protected JsonWebToken validateToken(String str) {
        final boolean ignoreAudience = false;
        return validateToken(str, ignoreAudience);
    }

    /**
     * Parses and validates a JWT issued by this provider. Checks, in order: signature (via
     * {@link #verify(JWSInput)}), the activity window (with the configured clock skew), then — unless
     * {@code z} is set — that the audience contains this client id and that an {@code azp} claim, if
     * present, equals the client id; finally that the issuer is one of the comma-separated configured
     * issuers. When no issuer is configured the issuer claim is not checked at all.
     * (Decompiler note: declared {@code protected} in the original source.)
     *
     * @param str the compact-serialized JWT; {@code null} is rejected
     * @param z   when {@code true}, skip the audience and azp checks (external token exchange)
     * @return the parsed token
     * @throws IdentityBrokerException on unparsable input or any failed check
     */
    public JsonWebToken validateToken(String str, boolean z) {
        if (str == null) {
            throw new IdentityBrokerException("No token from server.");
        }
        JsonWebToken token;
        try {
            JWSInput jws = new JWSInput(str);
            if (!verify(jws)) {
                throw new IdentityBrokerException("token signature validation failed");
            }
            token = jws.readJsonContent(JsonWebToken.class);
        } catch (JWSInputException e) {
            throw new IdentityBrokerException("Invalid token", e);
        }
        if (!token.isActive(m135getConfig().getAllowedClockSkew())) {
            throw new IdentityBrokerException("Token is no longer valid");
        }
        if (!z) {
            if (!token.hasAudience(m135getConfig().getClientId())) {
                throw new IdentityBrokerException("Wrong audience from token.");
            }
            String authorizedParty = token.getIssuedFor();
            if (authorizedParty != null && !m135getConfig().getClientId().equals(authorizedParty)) {
                throw new IdentityBrokerException("Token issued for does not match client id");
            }
        }
        String configuredIssuers = m135getConfig().getIssuer();
        if (configuredIssuers == null || configuredIssuers.isEmpty()) {
            // No issuer configured: the iss claim is accepted as-is.
            return token;
        }
        String issuer = token.getIssuer();
        for (String candidate : configuredIssuers.split(",")) {
            if (issuer != null && issuer.equals(candidate.trim())) {
                return token;
            }
        }
        throw new IdentityBrokerException("Wrong issuer from token. Got: " + issuer + " expected: " + m135getConfig().getIssuer());
    }

    /**
     * Copies the provider's token set into user-session notes so that {@code exchangeSessionToken}
     * can later hand the access token out and refresh it. Expects the token response stored under
     * {@code FEDERATED_ACCESS_TOKEN_RESPONSE} by {@code extractIdentity}; a missing entry results in a
     * {@link NullPointerException}.
     *
     * @param authenticationSessionModel the auth session receiving the notes
     * @param brokeredIdentityContext    the identity produced by this provider
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    public void authenticationFinished(AuthenticationSessionModel authenticationSessionModel, BrokeredIdentityContext brokeredIdentityContext) {
        AccessTokenResponse tokens = (AccessTokenResponse) brokeredIdentityContext.getContextData().get(FEDERATED_ACCESS_TOKEN_RESPONSE);
        long expiresIn = tokens.getExpiresIn();
        // Stored as an absolute epoch-seconds timestamp; 0 means the provider gave no expiry.
        long expiration = expiresIn > 0 ? expiresIn + Time.currentTime() : 0L;
        authenticationSessionModel.setUserSessionNote(AbstractOAuth2IdentityProvider.FEDERATED_TOKEN_EXPIRATION, String.valueOf(expiration));
        authenticationSessionModel.setUserSessionNote(AbstractOAuth2IdentityProvider.FEDERATED_REFRESH_TOKEN, tokens.getRefreshToken());
        authenticationSessionModel.setUserSessionNote("FEDERATED_ACCESS_TOKEN", tokens.getToken());
        authenticationSessionModel.setUserSessionNote(FEDERATED_ID_TOKEN, tokens.getIdToken());
    }

    /**
     * Scopes requested when the configuration does not specify any.
     *
     * @return {@code SCOPE_OPENID}
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected String getDefaultScopes() {
        String defaultScopes = SCOPE_OPENID;
        return defaultScopes;
    }

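    /**
     * Tells whether an external token exchange request targets this provider: the issuer named by the
     * {@code subject_issuer} parameter (or {@code str} when that parameter is absent) must equal this
     * provider's alias or one of its comma-separated configured issuers.
     *
     * @param str            fallback issuer used when {@code subject_issuer} is not supplied
     * @param multivaluedMap the exchange request parameters
     * @return {@code true} when the issuer matches and external exchange is supported; {@code false}
     *         otherwise, including when no issuer can be determined or none is configured
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    public boolean isIssuer(String str, MultivaluedMap<String, String> multivaluedMap) {
        if (!supportsExternalExchange()) {
            return false;
        }
        String issuer = multivaluedMap.getFirst("subject_issuer");
        if (issuer == null) {
            issuer = str;
        }
        if (issuer == null) {
            // Nothing to match against: not this provider.
            return false;
        }
        if (issuer.equals(m135getConfig().getAlias())) {
            return true;
        }
        String configuredIssuers = m135getConfig().getIssuer();
        if (configuredIssuers == null) {
            // No issuer configured: only the alias match above can succeed.
            return false;
        }
        for (String candidate : configuredIssuers.split(",")) {
            if (issuer.equals(candidate.trim())) {
                return true;
            }
        }
        return false;
    }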

    /**
     * OIDC providers accept external token exchange (validation by signature or via userinfo).
     *
     * @return always {@code true}
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected boolean supportsExternalExchange() {
        final boolean supported = true;
        return supported;
    }

    /**
     * Endpoint used to validate an external access token by fetching the user profile with it.
     *
     * @param eventBuilder event sink; receives the reason when the userinfo service is unavailable
     * @return the userinfo URL
     * @throws ErrorResponseException ({@code invalid_token}, 400) when the userinfo service is disabled
     *                                or its URL is unset/empty
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected String getProfileEndpointForValidation(EventBuilder eventBuilder) {
        String userInfoUrl = getUserInfoUrl();
        boolean userInfoUsable = !m135getConfig().isDisableUserInfoService() && userInfoUrl != null && !userInfoUrl.isEmpty();
        if (userInfoUsable) {
            return userInfoUrl;
        }
        eventBuilder.detail("reason", "user info service disabled");
        eventBuilder.error("invalid_token");
        throw new ErrorResponseException("invalid_token", "invalid token", Response.Status.BAD_REQUEST);
    }

    /**
     * Builds an identity from a userinfo JSON document (the path used when an external access token
     * is validated through the userinfo endpoint rather than by signature). The {@code sub} claim is
     * mandatory; the username falls back to the email and then to the subject.
     *
     * @param eventBuilder event sink; receives the reason when {@code sub} is missing
     * @param jsonNode     the userinfo response
     * @return the populated identity
     * @throws ErrorResponseException ({@code invalid_token}, 400) when {@code sub} is absent
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder eventBuilder, JsonNode jsonNode) {
        String subject = getJsonProperty(jsonNode, "sub");
        if (subject == null) {
            eventBuilder.detail("reason", "sub claim is null from user info json");
            eventBuilder.error("invalid_token");
            throw new ErrorResponseException("invalid_token", "invalid token", Response.Status.BAD_REQUEST);
        }
        BrokeredIdentityContext identity = new BrokeredIdentityContext(subject);
        String name = getJsonProperty(jsonNode, "name");
        String username = getUsernameFromUserInfo(jsonNode);
        String email = getJsonProperty(jsonNode, "email");
        AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, jsonNode, m135getConfig().getAlias());
        identity.setId(subject);
        identity.setName(name);
        identity.setEmail(email);
        identity.setBrokerUserId(m135getConfig().getAlias() + "." + subject);
        String effectiveUsername = username != null ? username : (email != null ? email : subject);
        identity.setUsername(effectiveUsername);
        return identity;
    }

    /**
     * Username taken from a userinfo document; subclasses may override the claim used.
     *
     * @param jsonNode the userinfo response
     * @return the {@code preferred_username} property, or {@code null} when absent
     */
    protected String getUsernameFromUserInfo(JsonNode jsonNode) {
        final String usernameClaim = "preferred_username";
        return getJsonProperty(jsonNode, usernameClaim);
    }

    /**
     * Validates an externally presented JWT (access token or id_token) for token exchange.
     * When signature validation is disabled the JWT is treated as an opaque bearer token and
     * validated through the userinfo endpoint instead. Otherwise the configured key material
     * (JWKS URL or public key) must be present, the token is validated with the audience checks
     * skipped, and the identity is extracted from it — for an id_token without a userinfo call,
     * since an id_token is not a bearer credential.
     * (Decompiler note: declared {@code protected} in the original source.)
     *
     * @param eventBuilder event sink for validation details
     * @param str          the JWT to validate
     * @param str2         the {@code subject_token_type} URN
     * @return the identity, tagged with this provider and the validated token
     * @throws ErrorResponseException ({@code invalid_config}) when key material is unset, or
     *                                ({@code invalid_token}) when validation or extraction fails
     */
    public final BrokeredIdentityContext validateJwt(EventBuilder eventBuilder, String str, String str2) {
        if (!m135getConfig().isValidateSignature()) {
            return validateExternalTokenThroughUserInfo(eventBuilder, str, str2);
        }
        eventBuilder.detail("validation_method", WebAuthnConstants.SIGNATURE);
        boolean useJwks = m135getConfig().isUseJwksUrl();
        boolean keyMaterialMissing = useJwks
                ? m135getConfig().getJwksUrl() == null
                : m135getConfig().getPublicKeySignatureVerifier() == null;
        if (keyMaterialMissing) {
            eventBuilder.detail("reason", useJwks ? "jwks url unset" : "public key unset");
            eventBuilder.error("invalid_config");
            throw new ErrorResponseException("invalid_config", "Invalid server config", Response.Status.BAD_REQUEST);
        }
        try {
            // ignoreAudience = true: an external token was not issued to this client.
            JsonWebToken token = validateToken(str, true);
            boolean isIdToken = "urn:ietf:params:oauth:token-type:id_token".equals(str2);
            BrokeredIdentityContext identity;
            try {
                identity = extractIdentity(null, isIdToken ? null : str, token);
            } catch (IOException e) {
                logger.debug("Unable to extract identity from identity token", e);
                throw new ErrorResponseException("invalid_token", "invalid token", Response.Status.BAD_REQUEST);
            }
            if (identity == null) {
                eventBuilder.detail("reason", "Failed to extract identity from token");
                eventBuilder.error("invalid_token");
                throw new ErrorResponseException("invalid_token", "invalid token", Response.Status.BAD_REQUEST);
            }
            // NOTE(review): for an id_token the raw string replaces the parsed token that extractIdentity
            // stored under the same context key — confirm consumers expect a String there.
            if (isIdToken) {
                identity.getContextData().put(VALIDATED_ID_TOKEN, str);
            } else {
                identity.getContextData().put(KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN, token);
            }
            identity.getContextData().put(EXCHANGE_PROVIDER, m135getConfig().getAlias());
            identity.setIdp(this);
            identity.setIdpConfig(m135getConfig());
            return identity;
        } catch (IdentityBrokerException e) {
            logger.debug("Unable to validate token for exchange", e);
            eventBuilder.detail("reason", "token validation failure");
            eventBuilder.error("invalid_token");
            throw new ErrorResponseException("invalid_token", "invalid token", Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Dispatches an external token exchange on {@code subject_token_type}: JWT and id_token types are
     * validated by signature ({@link #validateJwt}), access tokens (the default when the type is
     * omitted) through the userinfo endpoint.
     *
     * @param eventBuilder   event sink for error details
     * @param multivaluedMap the exchange request parameters
     * @return the validated identity, or {@code null} when external exchange is unsupported
     * @throws ErrorResponseException when {@code subject_token} is missing or the token type is unknown
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder eventBuilder, MultivaluedMap<String, String> multivaluedMap) {
        if (!supportsExternalExchange()) {
            return null;
        }
        String subjectToken = multivaluedMap.getFirst("subject_token");
        if (subjectToken == null) {
            eventBuilder.detail("reason", "subject_token param unset");
            eventBuilder.error("invalid_token");
            throw new ErrorResponseException("invalid_token", "token not set", Response.Status.BAD_REQUEST);
        }
        String tokenType = multivaluedMap.getFirst("subject_token_type");
        if (tokenType == null) {
            tokenType = "urn:ietf:params:oauth:token-type:access_token";
        }
        boolean signedTokenType = AuthorizationTokenService.CLAIM_TOKEN_FORMAT_JWT.equals(tokenType)
                || "urn:ietf:params:oauth:token-type:id_token".equals(tokenType);
        if (signedTokenType) {
            return validateJwt(eventBuilder, subjectToken, tokenType);
        }
        if ("urn:ietf:params:oauth:token-type:access_token".equals(tokenType)) {
            return validateExternalTokenThroughUserInfo(eventBuilder, subjectToken, tokenType);
        }
        eventBuilder.detail("reason", "subject_token_type invalid");
        eventBuilder.error("invalid_token_type");
        throw new ErrorResponseException("invalid_token", "invalid token type", Response.Status.BAD_REQUEST);
    }

    /**
     * Builds the authorization request URL and adds a fresh random {@code nonce} (16 random bytes,
     * base64url-encoded). The nonce is stored as a client note on the authentication session so that
     * {@link #preprocessFederatedIdentity} can match it against the one echoed in the id_token.
     * (Decompiler note: declared {@code protected} in the original source.)
     *
     * @param authenticationRequest the pending authentication request
     * @return the authorization URL including the nonce parameter
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    public UriBuilder createAuthorizationUrl(AuthenticationRequest authenticationRequest) {
        UriBuilder authorizationUrl = super.createAuthorizationUrl(authenticationRequest);
        String nonce = Base64Url.encode(KeycloakModelUtils.generateSecret(16));
        authenticationRequest.getAuthenticationSession().setClientNote(BROKER_NONCE_PARAM, nonce);
        return authorizationUrl.queryParam("nonce", nonce);
    }

    /**
     * Enforces the OIDC nonce: the nonce carried in the identity context (taken from the id_token in
     * {@code getFederatedIdentity}) must equal the one stored on the authentication session by
     * {@link #createAuthorizationUrl}. Skipped when no authentication session is in progress.
     *
     * @param keycloakSession         current session, used to reach the authentication session
     * @param realmModel              current realm (unused here)
     * @param brokeredIdentityContext the identity carrying the provider's nonce
     * @throws IdentityBrokerException when the provider returned no nonce
     * @throws ErrorResponseException  ({@code invalid_token}, 400) when the nonce does not match
     */
    public void preprocessFederatedIdentity(KeycloakSession keycloakSession, RealmModel realmModel, BrokeredIdentityContext brokeredIdentityContext) {
        AuthenticationSessionModel authSession = keycloakSession.getContext().getAuthenticationSession();
        if (authSession == null) {
            // NOTE(review): no authentication session (presumably a flow without a pending login) — the
            // nonce check is skipped in that case; confirm this is intended for every caller.
            return;
        }
        String returnedNonce = (String) brokeredIdentityContext.getContextData().get(BROKER_NONCE_PARAM);
        if (returnedNonce == null) {
            throw new IdentityBrokerException("OpenID Provider [" + m135getConfig().getProviderId() + "] did not return a nonce");
        }
        String expectedNonce = authSession.getClientNote(BROKER_NONCE_PARAM);
        boolean nonceMatches = returnedNonce.equals(expectedNonce);
        if (!nonceMatches) {
            throw new ErrorResponseException("invalid_token", "invalid nonce", Response.Status.BAD_REQUEST);
        }
    }
}
