package org.keycloak.protocol.oidc;

import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.RestartLoginCookie;
import org.keycloak.protocol.oidc.utils.OIDCRedirectUriBuilder;
import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.ResourceAdminManager;

/* loaded from: input_file:org/keycloak/protocol/oidc/OIDCLoginProtocol.class */
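public class OIDCLoginProtocol implements LoginProtocol {
    public static final String LOGIN_PROTOCOL = "openid-connect";
    public static final String STATE_PARAM = "state";
    public static final String LOGOUT_STATE_PARAM = "OIDC_LOGOUT_STATE_PARAM";
    public static final String SCOPE_PARAM = "scope";
    public static final String CODE_PARAM = "code";
    public static final String RESPONSE_TYPE_PARAM = "response_type";
    public static final String GRANT_TYPE_PARAM = "grant_type";
    public static final String REDIRECT_URI_PARAM = "redirect_uri";
    public static final String CLIENT_ID_PARAM = "client_id";
    public static final String NONCE_PARAM = "nonce";
    public static final String PROMPT_PARAM = "prompt";
    public static final String LOGIN_HINT_PARAM = "login_hint";
    public static final String LOGOUT_REDIRECT_URI = "OIDC_LOGOUT_REDIRECT_URI";
    public static final String ISSUER = "iss";
    public static final String RESPONSE_MODE_PARAM = "response_mode";
    private static final Logger log = Logger.getLogger(OIDCLoginProtocol.class);
    protected KeycloakSession session;
    protected RealmModel realm;
    protected UriInfo uriInfo;
    protected HttpHeaders headers;
    protected EventBuilder event;
    // Both are derived from the client session's notes on each call of
    // authenticated()/sendError(); they are per-request state, not configuration.
    protected OIDCResponseType responseType;
    protected OIDCResponseMode responseMode;

    /**
     * Creates a fully wired protocol instance.
     *
     * @param keycloakSession the current Keycloak session
     * @param realmModel      the realm the login belongs to
     * @param uriInfo         request URI information (used for cookie expiry and back-channel logout)
     * @param httpHeaders     request headers (stored; not read by any method in this class)
     * @param eventBuilder    event builder used to record protocol details and the logout event
     */
    public OIDCLoginProtocol(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders, EventBuilder eventBuilder) {
        this.session = keycloakSession;
        this.realm = realmModel;
        this.uriInfo = uriInfo;
        this.headers = httpHeaders;
        this.event = eventBuilder;
    }

    /** No-arg constructor for factory use; all collaborators must be supplied through the setters. */
    public OIDCLoginProtocol() {
    }

    /**
     * Reads the {@code response_type} and {@code response_mode} notes recorded on the
     * client session at authorization time, parses them into {@link #responseType} /
     * {@link #responseMode}, and records both as event details.
     * <p>
     * The response mode is parsed together with the response type, so the default
     * (and any rejection of an unsafe combination such as {@code query} with an
     * implicit/hybrid response type) is decided inside {@code OIDCResponseMode.parse};
     * nothing in this class re-validates it.
     */
    private void setupResponseTypeAndMode(ClientSessionModel clientSessionModel) {
        String responseTypeNote = clientSessionModel.getNote(RESPONSE_TYPE_PARAM);
        String responseModeNote = clientSessionModel.getNote(RESPONSE_MODE_PARAM);
        this.responseType = OIDCResponseType.parse(responseTypeNote);
        this.responseMode = OIDCResponseMode.parse(responseModeNote, this.responseType);
        this.event.detail(RESPONSE_TYPE_PARAM, responseTypeNote);
        this.event.detail(RESPONSE_MODE_PARAM, this.responseMode.toString().toLowerCase());
    }

    @Override // org.keycloak.protocol.LoginProtocol
    public OIDCLoginProtocol setSession(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        return this;
    }

    @Override // org.keycloak.protocol.LoginProtocol
    public OIDCLoginProtocol setRealm(RealmModel realmModel) {
        this.realm = realmModel;
        return this;
    }

    @Override // org.keycloak.protocol.LoginProtocol
    public OIDCLoginProtocol setUriInfo(UriInfo uriInfo) {
        this.uriInfo = uriInfo;
        return this;
    }

    @Override // org.keycloak.protocol.LoginProtocol
    public OIDCLoginProtocol setHttpHeaders(HttpHeaders httpHeaders) {
        this.headers = httpHeaders;
        return this;
    }

    @Override // org.keycloak.protocol.LoginProtocol
    public OIDCLoginProtocol setEventBuilder(EventBuilder eventBuilder) {
        this.event = eventBuilder;
        return this;
    }

    /**
     * Builds the authorization response for a user who has just authenticated.
     * <p>
     * The response goes to the redirect URI stored on the client session, delivered in the
     * response mode recorded at authorization time. The stored {@code state} is echoed back
     * when present. For a {@code code} response type the client session is moved to the
     * {@code CODE_TO_TOKEN} action and the one-time code is added. For implicit/hybrid
     * response types an access token and ID token are minted here and the requested ones
     * are added directly to the redirect, together with {@code session-state},
     * {@code expires_in} and {@code not-before-policy}.
     * <p>
     * NOTE(review): in the implicit/hybrid branch the tokens travel in the redirect itself.
     * That is only acceptable with a fragment or form_post response mode — never query,
     * where tokens would end up in server logs and Referer headers. This class relies on
     * the mode chosen by {@code OIDCResponseMode.parse} for that; confirm it never yields
     * query for an implicit/hybrid response type.
     *
     * @param userSessionModel  the authenticated user's session
     * @param clientSessionCode the client session (and its one-time code) for this login
     * @return the redirect/form-post response to hand back to the user agent
     */
    @Override // org.keycloak.protocol.LoginProtocol
    public Response authenticated(UserSessionModel userSessionModel, ClientSessionCode clientSessionCode) {
        ClientSessionModel clientSession = clientSessionCode.getClientSession();
        setupResponseTypeAndMode(clientSession);
        OIDCRedirectUriBuilder redirect = OIDCRedirectUriBuilder.fromUri(clientSession.getRedirectUri(), this.responseMode);

        String state = clientSession.getNote(STATE_PARAM);
        log.debugv("redirectAccessCode: state: {0}", state);
        if (state != null) {
            redirect.addParam(STATE_PARAM, state);
        }

        if (this.responseType.hasResponseType("code")) {
            // The action is set before the code is read so the code reflects the CODE_TO_TOKEN state.
            clientSessionCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name());
            redirect.addParam("code", clientSessionCode.getCode());
        }

        if (this.responseType.isImplicitOrHybridFlow()) {
            AccessTokenResponse tokens = new TokenManager()
                    .responseBuilder(this.realm, clientSession.getClient(), this.event, this.session, userSessionModel, clientSession)
                    .generateAccessToken()
                    .generateIDToken()
                    .build();
            if (this.responseType.hasResponseType(OIDCResponseType.ID_TOKEN)) {
                redirect.addParam(OIDCResponseType.ID_TOKEN, tokens.getIdToken());
            }
            if (this.responseType.hasResponseType(OIDCResponseType.TOKEN)) {
                redirect.addParam("access_token", tokens.getToken());
                redirect.addParam("token_type", tokens.getTokenType());
                redirect.addParam("session-state", tokens.getSessionState());
                redirect.addParam("expires_in", String.valueOf(tokens.getExpiresIn()));
            }
            redirect.addParam("not-before-policy", String.valueOf(tokens.getNotBeforePolicy()));
        }
        return redirect.build();
    }

    /**
     * Sends an OAuth error response to the client's redirect URI, echoing {@code state} when
     * present, then discards the client session and expires the restart-login cookie so the
     * failed attempt cannot be resumed.
     *
     * @param clientSessionModel the client session of the failed login
     * @param error              the protocol-neutral error, translated by {@link #translateError}
     * @return the redirect/form-post response carrying the {@code error} parameter
     */
    @Override // org.keycloak.protocol.LoginProtocol
    public Response sendError(ClientSessionModel clientSessionModel, LoginProtocol.Error error) {
        setupResponseTypeAndMode(clientSessionModel);
        String redirectUri = clientSessionModel.getRedirectUri();
        String state = clientSessionModel.getNote(STATE_PARAM);
        OIDCRedirectUriBuilder redirect = OIDCRedirectUriBuilder.fromUri(redirectUri, this.responseMode)
                .addParam("error", translateError(error));
        if (state != null) {
            redirect.addParam(STATE_PARAM, state);
        }
        // Clean up before responding: the session is gone regardless of how the client reacts.
        this.session.sessions().removeClientSession(this.realm, clientSessionModel);
        RestartLoginCookie.expireRestartCookie(this.realm, this.session.getContext().getConnection(), this.uriInfo);
        return redirect.build();
    }

    /**
     * Maps a protocol-neutral {@link LoginProtocol.Error} to the OAuth/OIDC {@code error} code.
     * Unknown values are logged and reported as {@code access_denied}.
     */
    private String translateError(LoginProtocol.Error error) {
        switch (error) {
            case CANCELLED_BY_USER:
            case CONSENT_DENIED:
                return "access_denied";
            case PASSIVE_INTERACTION_REQUIRED:
                return "interaction_required";
            case PASSIVE_LOGIN_REQUIRED:
                return "login_required";
            default:
                // Fixed: the previous message referred to a "default SAML error" in an OIDC class.
                log.warn("Untranslated protocol Error: " + error.name() + " so we return default OIDC error");
                return "access_denied";
        }
    }

    /**
     * Notifies the client's admin URL that the given client session has been logged out
     * (server-to-server, no user-agent involvement).
     */
    @Override // org.keycloak.protocol.LoginProtocol
    public void backchannelLogout(UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        new ResourceAdminManager(this.session).logoutClientSession(this.uriInfo.getRequestUri(), this.realm, clientSessionModel.getClient(), clientSessionModel);
    }

    /**
     * Front-channel logout is not supported by this protocol implementation.
     *
     * @throws UnsupportedOperationException always (a {@link RuntimeException} subtype, so
     *                                       existing callers catching RuntimeException still do)
     */
    @Override // org.keycloak.protocol.LoginProtocol
    public Response frontchannelLogout(UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        throw new UnsupportedOperationException("NOT IMPLEMENTED");
    }

    /**
     * Records the LOGOUT event and completes the logout from the user agent's point of view.
     * <p>
     * If a post-logout redirect URI was stored on the user session (note
     * {@code OIDC_LOGOUT_REDIRECT_URI}) the user agent is redirected there with the stored
     * logout {@code state} appended; otherwise a plain 200 is returned.
     * <p>
     * NOTE(review): the redirect target is taken from the session note as-is. This is safe
     * only if the logout endpoint validated it against the client's registered redirect URIs
     * before storing it — otherwise this is an open redirect. Confirm at the point where the
     * note is written.
     *
     * @param userSessionModel the user session being ended
     * @return a 302 to the post-logout URI, or 200 when none was stored
     */
    @Override // org.keycloak.protocol.LoginProtocol
    public Response finishLogout(UserSessionModel userSessionModel) {
        String logoutRedirect = userSessionModel.getNote(LOGOUT_REDIRECT_URI);
        String logoutState = userSessionModel.getNote(LOGOUT_STATE_PARAM);

        this.event.event(EventType.LOGOUT);
        if (logoutRedirect != null) {
            this.event.detail(REDIRECT_URI_PARAM, logoutRedirect);
        }
        this.event.user(userSessionModel.getUser()).session(userSessionModel).success();

        if (logoutRedirect == null) {
            return Response.ok().build();
        }
        UriBuilder target = UriBuilder.fromUri(logoutRedirect);
        if (logoutState != null) {
            // UriBuilder percent-encodes the value, so the state cannot break out of the query string.
            target.queryParam(STATE_PARAM, new Object[]{logoutState});
        }
        return Response.status(302).location(target.build(new Object[0])).build();
    }

    /** Nothing to release: all collaborators are owned by the caller. */
    public void close() {
    }
}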
