package org.keycloak.authentication.actiontoken.resetcred;

import javax.ws.rs.core.Response;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.actiontoken.AbstractActionTokenHander;
import org.keycloak.authentication.actiontoken.ActionTokenContext;
import org.keycloak.authentication.actiontoken.TokenUtils;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.events.EventType;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.services.resources.LoginActionsServiceChecks;
import org.keycloak.sessions.CommonClientSessionModel;

/* loaded from: input_file:org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.class */
public class ResetCredentialsActionTokenHandler extends AbstractActionTokenHander<ResetCredentialsActionToken> {

    /* loaded from: input_file:org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler$ResetCredsAuthenticationProcessor.class */
    public static class ResetCredsAuthenticationProcessor extends AuthenticationProcessor {
        /* JADX INFO: Access modifiers changed from: protected */
        @Override // org.keycloak.authentication.AuthenticationProcessor
        public Response authenticationComplete() {
            if (!(this.authenticationSession.getAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null)) {
                return super.authenticationComplete();
            }
            UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(this.session, this.realm, this.authenticationSession);
            SerializedBrokeredIdentityContext readFromAuthenticationSession = SerializedBrokeredIdentityContext.readFromAuthenticationSession(this.authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
            this.authenticationSession.setAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS, readFromAuthenticationSession.getIdentityProviderId());
            logger.debugf("Forget-password flow finished when authenticated user '%s' after first broker login with identity provider '%s'.", existingUser.getUsername(), readFromAuthenticationSession.getIdentityProviderId());
            return LoginActionsService.redirectToAfterBrokerLoginEndpoint(this.session, this.realm, this.uriInfo, this.authenticationSession, true);
        }
    }

    public ResetCredentialsActionTokenHandler() {
        super("reset-credentials", ResetCredentialsActionToken.class, Messages.RESET_CREDENTIAL_NOT_ALLOWED, EventType.RESET_PASSWORD, "not_allowed");
    }

    @Override // org.keycloak.authentication.actiontoken.ActionTokenHandler
    public TokenVerifier.Predicate<? super ResetCredentialsActionToken>[] getVerifiers(ActionTokenContext<ResetCredentialsActionToken> actionTokenContext) {
        RealmModel realm = actionTokenContext.getRealm();
        realm.getClass();
        return new TokenVerifier.Predicate[]{TokenUtils.checkThat(realm::isResetPasswordAllowed, "not_allowed", Messages.RESET_CREDENTIAL_NOT_ALLOWED), new LoginActionsServiceChecks.IsActionRequired(actionTokenContext, CommonClientSessionModel.Action.AUTHENTICATE)};
    }

    @Override // org.keycloak.authentication.actiontoken.ActionTokenHandler
    public Response handleToken(ResetCredentialsActionToken resetCredentialsActionToken, ActionTokenContext actionTokenContext) {
        return actionTokenContext.processFlow(false, "reset-credentials", actionTokenContext.getRealm().getResetCredentialsFlow(), null, new ResetCredsAuthenticationProcessor());
    }

    @Override // org.keycloak.authentication.actiontoken.AbstractActionTokenHander, org.keycloak.authentication.actiontoken.ActionTokenHandler
    public boolean canUseTokenRepeatedly(ResetCredentialsActionToken resetCredentialsActionToken, ActionTokenContext actionTokenContext) {
        return false;
    }
}
