package org.keycloak.protocol.oidc.grants.ciba.endpoints.request;

import com.fasterxml.jackson.databind.JsonNode;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects;
import java.util.Set;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.jose.JOSEParser;
import org.keycloak.jose.jwe.JWE;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.CibaConfig;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/ciba/endpoints/request/BackchannelAuthenticationEndpointSignedRequestParser.class */
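/**
 * Request parser for a CIBA backchannel authentication request that arrives as a signed
 * request object (a JWS in compact form).
 *
 * <p>The constructor applies a series of header checks and then hands the token to
 * {@code keycloakSession.tokens().decodeClientJWT(...)}. Parameters are served only from the
 * JSON claims returned by that call. Judging by the error raised on a {@code null} result,
 * that call is where the signature is verified against the client; confirm in the token
 * manager implementation.
 */
class BackchannelAuthenticationEndpointSignedRequestParser extends BackchannelAuthenticationEndpointRequestParser {
    /** Claims of the request object as returned by {@code decodeClientJWT}; never null after construction. */
    private final JsonNode requestParams;

    /**
     * Validates the request object's header and decodes its claims.
     *
     * <p>The checks run in this order and each failure aborts with a {@link RuntimeException}:
     * encrypted (JWE) objects are refused, an {@code alg} header must be present, {@code none}
     * is refused, a {@link SignatureProvider} must exist for the algorithm, the algorithm must
     * be asymmetric, and it must equal the algorithm configured for the client.
     *
     * @param keycloakSession session used to look up the signature provider and to decode the token
     * @param str             the request object in compact serialization
     * @param clientModel     the client that sent the request
     * @param cibaConfig      CIBA configuration providing the client's expected signing algorithm
     * @throws RuntimeException if any header check fails or the token cannot be decoded
     * @throws Exception        propagated from parsing or decoding
     */
    public BackchannelAuthenticationEndpointSignedRequestParser(KeycloakSession keycloakSession, String str, ClientModel clientModel, CibaConfig cibaConfig) throws Exception {
        // Hold the parse result as Object: the decompiled declaration (JWSInput) made the
        // JWE test below meaningless, so test first and narrow afterwards.
        Object parsed = JOSEParser.parse(str);
        if (parsed instanceof JWE) {
            throw new RuntimeException("Encrypted request object is not allowed");
        }
        JWSInput jws = (JWSInput) parsed;

        // Everything read from the header here is still unverified, sender-supplied input;
        // it is used only to decide whether the request must be rejected.
        JWSHeader header = jws.getHeader();
        Algorithm algorithm = header.getAlgorithm();
        Algorithm backchannelAuthRequestSigningAlg = cibaConfig.getBackchannelAuthRequestSigningAlg(clientModel);
        if (algorithm == null) {
            throw new RuntimeException("Signed algorithm not specified");
        }
        if (algorithm == Algorithm.none) {
            throw new RuntimeException("None signed algorithm is not allowed");
        }

        SignatureProvider provider = keycloakSession.getProvider(SignatureProvider.class, algorithm.name());
        if (provider == null) {
            throw new RuntimeException("Not found provider for the algorithm " + algorithm.name());
        }
        // Only asymmetric signature algorithms are accepted for request objects.
        if (!provider.isAsymmetricAlgorithm()) {
            throw new RuntimeException("Signed algorithm is not allowed");
        }
        // The header's algorithm must be exactly the one configured for this client, so the
        // sender cannot pick a different algorithm than the one registered in advance.
        if (backchannelAuthRequestSigningAlg == null || backchannelAuthRequestSigningAlg != algorithm) {
            throw new RuntimeException("Client requested algorithm not registered in advance or request signed with different algorithm other than client requested algorithm");
        }

        // Claims are taken from decodeClientJWT only, never from the unverified parse above.
        JsonNode verifiedClaims = (JsonNode) keycloakSession.tokens().decodeClientJWT(str, clientModel, JsonNode.class);
        if (verifiedClaims == null) {
            throw new RuntimeException("Failed to verify signature");
        }
        this.requestParams = verifiedClaims;
        keycloakSession.setAttribute(BackchannelAuthenticationEndpointRequestParser.CIBA_SIGNED_AUTHENTICATION_REQUEST, this.requestParams);
    }

    /**
     * Returns the named claim as a string.
     *
     * @param str claim name
     * @return the text of a scalar claim, the JSON serialization of an object or array claim,
     *         or {@code null} when the claim is absent
     */
    @Override
    protected String getParameter(String str) {
        JsonNode jsonNode = this.requestParams.get(str);
        if (jsonNode == null) {
            return null;
        }
        return jsonNode.isValueNode() ? jsonNode.asText() : jsonNode.toString();
    }

    /**
     * Returns the named claim parsed as an integer.
     *
     * @param str claim name
     * @return the parsed value, or {@code null} when the claim is absent
     * @throws NumberFormatException if the claim is present but its string form is not a
     *         decimal integer; callers handling request input should expect this
     */
    @Override
    protected Integer getIntParameter(String str) {
        if (this.requestParams.get(str) == null) {
            return null;
        }
        return Integer.valueOf(Integer.parseInt(getParameter(str)));
    }

    /**
     * Returns the names of all top-level claims in the request object.
     *
     * @return a new mutable set of claim names
     */
    @Override
    protected Set<String> keySet() {
        // The decompiled lambda referenced an undefined receiver (r1); add to the set directly.
        Set<String> names = new HashSet<>();
        this.requestParams.fieldNames().forEachRemaining(names::add);
        return names;
    }
}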
