package org.keycloak.broker.oidc;

import java.io.IOException;
import java.security.PublicKey;
import java.util.Iterator;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.events.EventBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.adapters.action.AdminAction;
import org.keycloak.representations.adapters.action.LogoutAction;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.class */
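/**
 * OIDC identity provider specialised for brokering to another Keycloak server.
 *
 * <p>On top of the generic OIDC flow it exposes a {@code k_logout} back-channel logout
 * endpoint that accepts a JWS-wrapped {@link LogoutAction} from the remote Keycloak and
 * terminates the local user sessions it names, and it stores the validated access token
 * in the brokered identity context under {@link #VALIDATED_ACCESS_TOKEN}.
 */
public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
    /** Context-data key under which the validated access token is stored. */
    public static final String VALIDATED_ACCESS_TOKEN = "VALIDATED_ACCESS_TOKEN";

    /* loaded from: input_file:org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider$KeycloakEndpoint.class */
    /**
     * Callback endpoint that adds the Keycloak-specific {@code k_logout} route to the
     * generic OIDC endpoint.
     */
    protected class KeycloakEndpoint extends OIDCIdentityProvider.OIDCEndpoint {
        public KeycloakEndpoint(IdentityProvider.AuthenticationCallback authenticationCallback, RealmModel realmModel, EventBuilder eventBuilder) {
            super(authenticationCallback, realmModel, eventBuilder);
        }

        /**
         * Handles a back-channel logout request from the remote Keycloak.
         *
         * <p>The body is a compact JWS whose payload is a {@link LogoutAction}. When an
         * external IdP key is available the signature is verified against it; the action is
         * then validated (well-formed, unexpired, addressed to this client) and every local
         * user session brokered from one of the listed remote session ids is logged out.
         *
         * @param str the raw request body, an untrusted compact JWS
         * @return 200 when the request was processed; 400 when the body cannot be parsed as a
         *         JWS or as a {@link LogoutAction}, fails signature verification, or fails
         *         action validation
         */
        @POST
        @Path("k_logout")
        public Response backchannelLogout(String str) {
            JWSInput jwsInput;
            try {
                jwsInput = new JWSInput(str);
            } catch (JWSInputException e) {
                OIDCIdentityProvider.logger.warn("Failed to verify logout request");
                return Response.status(400).build();
            }

            PublicKey externalIdpKey = KeycloakOIDCIdentityProvider.this.getExternalIdpKey();
            if (externalIdpKey == null) {
                // NOTE(review): without an external IdP key the JWS signature is not checked at all
                // and the action is accepted on the strength of validateAction() alone. Logged so
                // that this fail-open path is visible rather than silent.
                OIDCIdentityProvider.logger.warn("No external IdP key available; logout request accepted without signature verification");
            } else if (!KeycloakOIDCIdentityProvider.this.verify(jwsInput, externalIdpKey)) {
                OIDCIdentityProvider.logger.warn("Failed to verify logout request");
                return Response.status(400).build();
            }

            LogoutAction logoutAction;
            try {
                logoutAction = (LogoutAction) JsonSerialization.readValue(jwsInput.getContent(), LogoutAction.class);
            } catch (IOException e) {
                // A body that is a valid JWS but not a LogoutAction is a malformed client request,
                // not a server fault: answer 400 instead of surfacing it as an unhandled 500.
                OIDCIdentityProvider.logger.warn("Failed to parse logout request");
                return Response.status(400).build();
            }

            if (!validateAction(logoutAction)) {
                return Response.status(400).build();
            }
            logoutBrokeredSessions(logoutAction);
            return Response.ok().build();
        }

        /**
         * Logs out every local user session brokered from one of the remote Keycloak session
         * ids carried by {@code logoutAction}. Sessions that are already logging out or logged
         * out are skipped; a missing id list is treated as empty.
         *
         * @param logoutAction the validated logout action
         */
        private void logoutBrokeredSessions(LogoutAction logoutAction) {
            if (logoutAction.getKeycloakSessionIds() == null) {
                return;
            }
            // Broker session ids are looked up as "<idp alias>.<remote session id>".
            String brokerIdPrefix = KeycloakOIDCIdentityProvider.this.m76getConfig().getAlias() + ".";
            for (String remoteSessionId : logoutAction.getKeycloakSessionIds()) {
                UserSessionModel userSession = this.session.sessions().getUserSessionByBrokerSessionId(this.realm, brokerIdPrefix + remoteSessionId);
                if (userSession == null) {
                    continue;
                }
                UserSessionModel.State state = userSession.getState();
                if (state == UserSessionModel.State.LOGGING_OUT || state == UserSessionModel.State.LOGGED_OUT) {
                    continue;
                }
                AuthenticationManager.backchannelLogout(this.session, this.realm, userSession, this.uriInfo, this.clientConnection, this.headers, false);
            }
        }

        /**
         * Checks that an admin action decoded from the request body may be acted upon: it
         * must pass its own structural validation, be unexpired, and name this provider's
         * client id as its resource.
         *
         * @param adminAction the decoded action
         * @return {@code true} when every check passes; otherwise {@code false}, with the
         *         failing check logged at warn level
         */
        protected boolean validateAction(AdminAction adminAction) {
            if (!adminAction.validate()) {
                OIDCIdentityProvider.logger.warn("admin request failed, not validated" + adminAction.getAction());
                return false;
            }
            if (adminAction.isExpired()) {
                OIDCIdentityProvider.logger.warn("admin request failed, expired token");
                return false;
            }
            String expectedResource = KeycloakOIDCIdentityProvider.this.m76getConfig().getClientId();
            if (!expectedResource.equals(adminAction.getResource())) {
                OIDCIdentityProvider.logger.warn("Resource name does not match");
                return false;
            }
            return true;
        }

        /**
         * Builds the token request as the generic endpoint does, adding a
         * {@code client_session_state} parameter with the fixed value {@code n/a}.
         *
         * @param str the authorization code received from the remote Keycloak
         * @return the prepared token request
         */
        @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.Endpoint
        public SimpleHttp generateTokenRequest(String str) {
            return super.generateTokenRequest(str).param("client_session_state", "n/a");
        }
    }

    /**
     * Creates the provider for the given OIDC configuration.
     *
     * @param oIDCIdentityProviderConfig the provider configuration
     */
    public KeycloakOIDCIdentityProvider(OIDCIdentityProviderConfig oIDCIdentityProviderConfig) {
        super(oIDCIdentityProviderConfig);
    }

    /**
     * Returns the callback endpoint for this provider, which is the Keycloak-specific
     * {@link KeycloakEndpoint} rather than the generic OIDC endpoint.
     */
    @Override // org.keycloak.broker.oidc.OIDCIdentityProvider, org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    public Object callback(RealmModel realmModel, IdentityProvider.AuthenticationCallback authenticationCallback, EventBuilder eventBuilder) {
        return new KeycloakEndpoint(authenticationCallback, realmModel, eventBuilder);
    }

    /**
     * Validates the access token of the token response against {@code publicKey} and stores
     * the result in the brokered identity context under {@link #VALIDATED_ACCESS_TOKEN}.
     *
     * @param brokeredIdentityContext the context whose context data receives the token
     * @param publicKey the key used to validate the access token
     * @param accessTokenResponse the token response from the remote Keycloak
     */
    @Override // org.keycloak.broker.oidc.OIDCIdentityProvider
    protected void processAccessTokenResponse(BrokeredIdentityContext brokeredIdentityContext, PublicKey publicKey, AccessTokenResponse accessTokenResponse) {
        Object validatedToken = validateToken(publicKey, accessTokenResponse.getToken());
        brokeredIdentityContext.getContextData().put(VALIDATED_ACCESS_TOKEN, validatedToken);
    }
}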
