package org.keycloak.broker.oidc;

import com.fasterxml.jackson.databind.JsonNode;
import java.io.IOException;
import java.security.PublicKey;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
import org.keycloak.broker.oidc.util.JsonSimpleHttp;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.keys.loader.PublicKeyStorageManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.resources.IdentityBrokerService;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.social.stackoverflow.StackoverflowIdentityProvider;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/broker/oidc/OIDCIdentityProvider.class */
/**
 * OpenID Connect identity-provider broker.
 *
 * <p>Extends the generic OAuth2 broker with the pieces OIDC adds on top of OAuth2:
 * the {@code openid} scope and {@code prompt} parameter on the authorization URL,
 * signature/audience/expiry/issuer validation of the returned ID token, an optional
 * userinfo lookup to fill in missing profile claims, and browser/back-channel logout
 * against the external provider.
 *
 * <p>Note: this listing is decompiler output; {@code m93getConfig()} is the decompiler's
 * name for the inherited {@code getConfig()} accessor.
 */
public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig> {
    protected static final Logger logger = Logger.getLogger(OIDCIdentityProvider.class);
    // Query parameter appended to the authorization URL when the config sets a prompt value.
    public static final String OAUTH2_PARAMETER_PROMPT = "prompt";
    // Scope that the constructor guarantees is present in the default scope.
    public static final String SCOPE_OPENID = "openid";
    // User-session note holding the ID token received from the external provider.
    public static final String FEDERATED_ID_TOKEN = "FEDERATED_ID_TOKEN";
    public static final String USER_INFO = "UserInfo";
    // Context-data key under which the parsed AccessTokenResponse is stored for mappers.
    public static final String FEDERATED_ACCESS_TOKEN_RESPONSE = "FEDERATED_ACCESS_TOKEN_RESPONSE";
    // Context-data key under which the validated ID token (JsonWebToken) is stored for mappers.
    public static final String VALIDATED_ID_TOKEN = "VALIDATED_ID_TOKEN";

    /* loaded from: input_file:org/keycloak/broker/oidc/OIDCIdentityProvider$OIDCEndpoint.class */
    /**
     * JAX-RS callback endpoint; adds the {@code logout_response} sub-resource that the
     * external provider redirects back to after a browser logout.
     */
    protected class OIDCEndpoint extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>.Endpoint {
        public OIDCEndpoint(IdentityProvider.AuthenticationCallback authenticationCallback, RealmModel realmModel, EventBuilder eventBuilder) {
            super(authenticationCallback, realmModel, eventBuilder);
        }

        /**
         * Completes a browser logout that was started by {@link #keycloakInitiatedBrowserLogout}.
         *
         * <p>The {@code state} query parameter carries the Keycloak user-session id that was put
         * into the logout URL; the only binding between the incoming request and that session is
         * that the looked-up session must currently be in state {@code LOGGING_OUT}. Any other
         * state (or an unknown id) renders an error page and records a LOGOUT error event.
         *
         * @param uriInfo request URI context, passed on to the logout finisher
         * @param str     the {@code state} query parameter, used as the user-session id
         * @return the response produced by {@code AuthenticationManager.finishBrowserLogout},
         *         or an error page
         */
        @GET
        @Path("logout_response")
        public Response logoutResponse(@Context UriInfo uriInfo, @QueryParam("state") String str) {
            UserSessionModel userSession = this.session.sessions().getUserSession(this.realm, str);
            if (userSession == null) {
                OIDCIdentityProvider.logger.error("no valid user session");
                EventBuilder eventBuilder = new EventBuilder(this.realm, this.session, this.clientConnection);
                eventBuilder.event(EventType.LOGOUT);
                eventBuilder.error("user_session_not_found");
                return ErrorPage.error(this.session, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, new Object[0]);
            }
            if (userSession.getState() == UserSessionModel.State.LOGGING_OUT) {
                return AuthenticationManager.finishBrowserLogout(this.session, this.realm, userSession, uriInfo, this.clientConnection, this.headers);
            }
            // NOTE(review): the session exists but is not LOGGING_OUT; the event error code below
            // still says "user_session_not_found", which makes the two failure modes
            // indistinguishable in the event log.
            OIDCIdentityProvider.logger.error("usersession in different state");
            EventBuilder eventBuilder2 = new EventBuilder(this.realm, this.session, this.clientConnection);
            eventBuilder2.event(EventType.LOGOUT);
            eventBuilder2.error("user_session_not_found");
            return ErrorPage.error(this.session, Messages.SESSION_NOT_ACTIVE, new Object[0]);
        }
    }

    /**
     * Creates the provider and makes sure the configured default scope includes {@code openid}.
     *
     * <p>The presence test is a substring check ({@code contains}), so any scope string that
     * merely contains the text "openid" satisfies it; otherwise "openid " is prepended.
     *
     * @param keycloakSession              current session
     * @param oIDCIdentityProviderConfig   provider configuration (mutated when the scope is added)
     */
    public OIDCIdentityProvider(KeycloakSession keycloakSession, OIDCIdentityProviderConfig oIDCIdentityProviderConfig) {
        super(keycloakSession, oIDCIdentityProviderConfig);
        String defaultScope = oIDCIdentityProviderConfig.getDefaultScope();
        if (defaultScope.contains(SCOPE_OPENID)) {
            return;
        }
        oIDCIdentityProviderConfig.setDefaultScope("openid " + defaultScope);
    }

    /**
     * Returns the JAX-RS sub-resource that handles the provider's callbacks.
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    public Object callback(RealmModel realmModel, IdentityProvider.AuthenticationCallback authenticationCallback, EventBuilder eventBuilder) {
        return new OIDCEndpoint(authenticationCallback, realmModel, eventBuilder);
    }

    /**
     * Back-channel (server-to-server) logout entry point.
     *
     * <p>Does nothing unless a non-blank logout URL is configured, back-channel logout is
     * enabled, and an ID token for the session is available; otherwise delegates to
     * {@link #backchannelLogout(UserSessionModel, String)}.
     * The blank check compares against {@code StackoverflowIdentityProvider.DEFAULT_SCOPE},
     * which is presumably the decompiler's substitution for an empty-string literal — confirm.
     */
    public void backchannelLogout(KeycloakSession keycloakSession, UserSessionModel userSessionModel, UriInfo uriInfo, RealmModel realmModel) {
        String iDTokenForLogout;
        if (m93getConfig().getLogoutUrl() == null || m93getConfig().getLogoutUrl().trim().equals(StackoverflowIdentityProvider.DEFAULT_SCOPE) || !m93getConfig().isBackchannelSupported() || (iDTokenForLogout = getIDTokenForLogout(keycloakSession, userSessionModel)) == null) {
            return;
        }
        backchannelLogout(userSessionModel, iDTokenForLogout);
    }

    /**
     * Sends the back-channel logout request: a GET to the configured logout URL with
     * {@code state} (the user-session id) and {@code id_token_hint} as query parameters.
     *
     * <p>Best-effort: a non-2xx/3xx status or any exception is only logged at WARN level.
     *
     * @param userSessionModel the session being logged out
     * @param str              the ID token to send as {@code id_token_hint}
     */
    protected void backchannelLogout(UserSessionModel userSessionModel, String str) {
        UriBuilder queryParam = UriBuilder.fromUri(m93getConfig().getLogoutUrl()).queryParam("state", new Object[]{userSessionModel.getId()});
        queryParam.queryParam("id_token_hint", new Object[]{str});
        String uri = queryParam.build(new Object[0]).toString();
        try {
            int asStatus = JsonSimpleHttp.doGet(uri, this.session).asStatus();
            // Anything outside [200, 400) is treated as failure.
            if (!(asStatus >= 200 && asStatus < 400)) {
                // NOTE(review): uri carries the id_token_hint value, so this WARN line writes the
                // full ID token into the server log on every failed logout.
                logger.warn("Failed backchannel broker logout to: " + uri);
            }
        } catch (Exception e) {
            // NOTE(review): same as above — the logged URI includes the ID token.
            logger.warn("Failed backchannel broker logout to: " + uri, e);
        }
    }

    /**
     * Browser logout initiated from Keycloak.
     *
     * <p>Returns {@code null} (nothing to do) when no logout URL is configured. If an ID token is
     * available and back-channel logout is enabled, the logout is performed server-side and
     * {@code null} is returned. Otherwise a 302 redirect to the provider's logout URL is built
     * carrying {@code state}, {@code id_token_hint} (when an ID token exists) and a
     * {@code post_logout_redirect_uri} pointing back at {@link OIDCEndpoint#logoutResponse}.
     *
     * @return a redirect response, or {@code null} when no browser redirect is needed
     */
    public Response keycloakInitiatedBrowserLogout(KeycloakSession keycloakSession, UserSessionModel userSessionModel, UriInfo uriInfo, RealmModel realmModel) {
        if (m93getConfig().getLogoutUrl() == null || m93getConfig().getLogoutUrl().trim().equals(StackoverflowIdentityProvider.DEFAULT_SCOPE)) {
            return null;
        }
        String iDTokenForLogout = getIDTokenForLogout(keycloakSession, userSessionModel);
        if (iDTokenForLogout != null && m93getConfig().isBackchannelSupported()) {
            backchannelLogout(userSessionModel, iDTokenForLogout);
            return null;
        }
        UriBuilder queryParam = UriBuilder.fromUri(m93getConfig().getLogoutUrl()).queryParam("state", new Object[]{userSessionModel.getId()});
        if (iDTokenForLogout != null) {
            queryParam.queryParam("id_token_hint", new Object[]{iDTokenForLogout});
        }
        // The return address is this realm's broker endpoint, resolved to OIDCEndpoint.logoutResponse.
        queryParam.queryParam("post_logout_redirect_uri", new Object[]{RealmsResource.brokerUrl(uriInfo).path(IdentityBrokerService.class, "getEndpoint").path(OIDCEndpoint.class, "logoutResponse").build(new Object[]{realmModel.getName(), m93getConfig().getAlias()}).toString()});
        return Response.status(302).location(queryParam.build(new Object[0])).build();
    }

    /**
     * Performs a refresh-token grant against the provider's token endpoint.
     *
     * <p>Posts the stored refresh token, {@code grant_type}, {@code client_id} and the client
     * secret as form parameters and returns the raw response body (JSON, parsed by the caller).
     * The same constant ({@code OAUTH2_GRANT_TYPE_REFRESH_TOKEN}) is used both as the
     * refresh-token parameter name and as the {@code grant_type} value — presumably the
     * literal {@code refresh_token}; confirm against the superclass.
     *
     * @return the raw token-endpoint response body
     * @throws RuntimeException wrapping any {@link IOException} from the HTTP call
     */
    public String refreshToken(KeycloakSession keycloakSession, UserSessionModel userSessionModel) {
        try {
            return SimpleHttp.doPost(m93getConfig().getTokenUrl(), keycloakSession).param(AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN, userSessionModel.getNote(AbstractOAuth2IdentityProvider.FEDERATED_REFRESH_TOKEN)).param("grant_type", AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN).param("client_id", m93getConfig().getClientId()).param(AbstractOAuth2IdentityProvider.OAUTH2_PARAMETER_CLIENT_SECRET, m93getConfig().getClientSecret()).asString();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns an ID token suitable for {@code id_token_hint} during logout.
     *
     * <p>Reads the absolute expiry stored in the {@code FEDERATED_TOKEN_EXPIRATION} session note
     * (seconds; 0 means "no expiry recorded"). If the token has not expired, the stored
     * {@code FEDERATED_ID_TOKEN} note is returned as-is; otherwise a refresh-token grant is run
     * and the ID token from the fresh response is returned.
     *
     * <p>NOTE(review): {@code Long.parseLong} is applied to the note without a null check, so a
     * session that lacks the note (it is written by {@link #authenticationFinished}) would fail
     * with a {@link NumberFormatException} here — confirm all callers reach this only for sessions
     * established through this provider.
     *
     * @return the ID token, possibly {@code null} when the note/response holds none
     * @throws RuntimeException wrapping an {@link IOException} from parsing the refresh response
     */
    private String getIDTokenForLogout(KeycloakSession keycloakSession, UserSessionModel userSessionModel) {
        long parseLong = Long.parseLong(userSessionModel.getNote(AbstractOAuth2IdentityProvider.FEDERATED_TOKEN_EXPIRATION));
        int currentTime = Time.currentTime();
        if (parseLong <= 0 || currentTime <= parseLong) {
            return userSessionModel.getNote(FEDERATED_ID_TOKEN);
        }
        try {
            return ((AccessTokenResponse) JsonSerialization.readValue(refreshToken(keycloakSession, userSessionModel), AccessTokenResponse.class)).getIdToken();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the authorization URL and appends the configured {@code prompt} value when set
     * and non-empty.
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    public UriBuilder createAuthorizationUrl(AuthenticationRequest authenticationRequest) {
        UriBuilder createAuthorizationUrl = super.createAuthorizationUrl(authenticationRequest);
        String prompt = m93getConfig().getPrompt();
        if (prompt != null && !prompt.isEmpty()) {
            createAuthorizationUrl.queryParam("prompt", new Object[]{prompt});
        }
        return createAuthorizationUrl;
    }

    /**
     * Extension hook invoked from {@link #getFederatedIdentity} after the context data has been
     * populated; intentionally a no-op here, subclasses may override.
     */
    protected void processAccessTokenResponse(BrokeredIdentityContext brokeredIdentityContext, AccessTokenResponse accessTokenResponse) {
    }

    /**
     * Turns the raw token-endpoint response into a {@link BrokeredIdentityContext}.
     *
     * <p>Steps: parse the response, require an access token, validate the ID token
     * ({@link #validateToken}), read {@code name} / {@code preferred_username} / {@code email}
     * from the ID token claims, and — unless the userinfo service is disabled, no userinfo URL
     * is configured, or every claim including {@code sub} is already present — call the userinfo
     * endpoint with the access token as a Bearer token and take all four values from there.
     * The username falls back from {@code preferred_username} to {@code email} to {@code sub}.
     *
     * <p>NOTE(review): when the userinfo branch runs, the {@code sub} from the userinfo response
     * replaces the subject of the validated ID token without comparing the two.
     *
     * <p>NOTE(review): the inner {@code catch (Exception)} wraps every failure after token
     * validation — including context building that never touched userinfo — with the message
     * "Could not fetch attributes from userinfo endpoint.", which can mislead when diagnosing.
     *
     * @param str the raw JSON body returned by the token endpoint
     * @return the populated identity context
     * @throws IdentityBrokerException when the response cannot be decoded, the tokens fail
     *         validation, or the userinfo call fails
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    public BrokeredIdentityContext getFederatedIdentity(String str) {
        String userInfoUrl;
        try {
            AccessTokenResponse accessTokenResponse = (AccessTokenResponse) JsonSerialization.readValue(str, AccessTokenResponse.class);
            String verifyAccessToken = verifyAccessToken(accessTokenResponse);
            JsonWebToken validateToken = validateToken(accessTokenResponse.getIdToken());
            try {
                String subject = validateToken.getSubject();
                BrokeredIdentityContext brokeredIdentityContext = new BrokeredIdentityContext(subject);
                String str2 = (String) validateToken.getOtherClaims().get("name");
                String str3 = (String) validateToken.getOtherClaims().get("preferred_username");
                String str4 = (String) validateToken.getOtherClaims().get("email");
                // Userinfo is consulted only when at least one of the four values is missing.
                if (!m93getConfig().isDisableUserInfoService() && (userInfoUrl = getUserInfoUrl()) != null && !userInfoUrl.isEmpty() && (subject == null || str2 == null || str3 == null || str4 == null)) {
                    JsonNode asJson = JsonSimpleHttp.asJson(JsonSimpleHttp.doGet(userInfoUrl, this.session).header(Cors.AUTHORIZATION_HEADER, "Bearer " + verifyAccessToken));
                    subject = getJsonProperty(asJson, "sub");
                    str2 = getJsonProperty(asJson, "name");
                    str3 = getJsonProperty(asJson, "preferred_username");
                    str4 = getJsonProperty(asJson, "email");
                    AbstractJsonUserAttributeMapper.storeUserProfileForMapper(brokeredIdentityContext, asJson, m93getConfig().getAlias());
                }
                brokeredIdentityContext.getContextData().put(FEDERATED_ACCESS_TOKEN_RESPONSE, accessTokenResponse);
                brokeredIdentityContext.getContextData().put(VALIDATED_ID_TOKEN, validateToken);
                processAccessTokenResponse(brokeredIdentityContext, accessTokenResponse);
                brokeredIdentityContext.setId(subject);
                brokeredIdentityContext.setName(str2);
                brokeredIdentityContext.setEmail(str4);
                // Broker user id is namespaced by the provider alias.
                brokeredIdentityContext.setBrokerUserId(m93getConfig().getAlias() + "." + subject);
                if (accessTokenResponse.getSessionState() != null) {
                    brokeredIdentityContext.setBrokerSessionId(m93getConfig().getAlias() + "." + accessTokenResponse.getSessionState());
                }
                if (str3 == null) {
                    str3 = str4;
                }
                if (str3 == null) {
                    str3 = subject;
                }
                brokeredIdentityContext.setUsername(str3);
                // The raw token response is kept on the context only when the config opts in.
                if (m93getConfig().isStoreToken()) {
                    brokeredIdentityContext.setToken(str);
                }
                return brokeredIdentityContext;
            } catch (Exception e) {
                throw new IdentityBrokerException("Could not fetch attributes from userinfo endpoint.", e);
            }
        } catch (IOException e2) {
            throw new IdentityBrokerException("Could not decode access token response.", e2);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the configured userinfo endpoint URL; may be {@code null} or empty.
     */
    public String getUserInfoUrl() {
        return m93getConfig().getUserInfoUrl();
    }

    /**
     * Returns the access token from the response or fails when none is present.
     *
     * @throws IdentityBrokerException when the response carries no {@code access_token}
     */
    private String verifyAccessToken(AccessTokenResponse accessTokenResponse) {
        String token = accessTokenResponse.getToken();
        if (token == null) {
            throw new IdentityBrokerException("No access_token from server.");
        }
        return token;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Verifies the JWS signature of a token from the provider.
     *
     * <p>Returns {@code true} without any check when signature validation is disabled in the
     * provider config; otherwise resolves the provider's public key via
     * {@code PublicKeyStorageManager} for the current realm and requires an RSA verification
     * to succeed. A missing key yields {@code false}.
     *
     * @param jWSInput the parsed JWS
     * @return whether the token is accepted
     */
    public boolean verify(JWSInput jWSInput) {
        if (!m93getConfig().isValidateSignature()) {
            return true;
        }
        PublicKey identityProviderPublicKey = PublicKeyStorageManager.getIdentityProviderPublicKey(this.session, this.session.getContext().getRealm(), m93getConfig(), jWSInput);
        return identityProviderPublicKey != null && RSAProvider.verify(jWSInput, identityProviderPublicKey);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Parses and validates an ID token.
     *
     * <p>Checks, in order: the token is present; the signature is accepted by {@link #verify};
     * the audience contains this provider's client id; the token is active (not expired /
     * not-before); and, when an issuer is configured, the token's {@code iss} equals one of the
     * comma-separated configured issuers (each trimmed). No configured issuer means the issuer
     * check is skipped.
     *
     * @param str the compact-serialized JWS
     * @return the decoded token
     * @throws IdentityBrokerException on any failed check or on a malformed JWS
     */
    public JsonWebToken validateToken(String str) {
        if (str == null) {
            throw new IdentityBrokerException("No token from server.");
        }
        try {
            JWSInput jWSInput = new JWSInput(str);
            if (!verify(jWSInput)) {
                throw new IdentityBrokerException("token signature validation failed");
            }
            JsonWebToken jsonWebToken = (JsonWebToken) jWSInput.readJsonContent(JsonWebToken.class);
            String issuer = jsonWebToken.getIssuer();
            if (!jsonWebToken.hasAudience(m93getConfig().getClientId())) {
                throw new IdentityBrokerException("Wrong audience from token.");
            }
            if (!jsonWebToken.isActive()) {
                throw new IdentityBrokerException("Token is no longer valid");
            }
            String issuer2 = m93getConfig().getIssuer();
            if (issuer2 == null) {
                return jsonWebToken;
            }
            for (String str2 : issuer2.split(",")) {
                if (issuer != null && issuer.equals(str2.trim())) {
                    return jsonWebToken;
                }
            }
            throw new IdentityBrokerException("Wrong issuer from token. Got: " + issuer + " expected: " + m93getConfig().getIssuer());
        } catch (JWSInputException e) {
            throw new IdentityBrokerException("Invalid token", e);
        }
    }

    /**
     * Persists the federated tokens into user-session notes once authentication completes.
     *
     * <p>The expiry note is an absolute time in seconds ({@code expires_in + now}), or {@code 0}
     * when the response reports no positive {@code expires_in}. Refresh, access and ID tokens are
     * stored verbatim; these notes are what {@link #getIDTokenForLogout} and
     * {@link #refreshToken} read later.
     */
    public void authenticationFinished(AuthenticationSessionModel authenticationSessionModel, BrokeredIdentityContext brokeredIdentityContext) {
        AccessTokenResponse accessTokenResponse = (AccessTokenResponse) brokeredIdentityContext.getContextData().get(FEDERATED_ACCESS_TOKEN_RESPONSE);
        authenticationSessionModel.setUserSessionNote(AbstractOAuth2IdentityProvider.FEDERATED_TOKEN_EXPIRATION, Long.toString(accessTokenResponse.getExpiresIn() > 0 ? accessTokenResponse.getExpiresIn() + Time.currentTime() : 0L));
        authenticationSessionModel.setUserSessionNote(AbstractOAuth2IdentityProvider.FEDERATED_REFRESH_TOKEN, accessTokenResponse.getRefreshToken());
        authenticationSessionModel.setUserSessionNote(AbstractOAuth2IdentityProvider.FEDERATED_ACCESS_TOKEN, accessTokenResponse.getToken());
        authenticationSessionModel.setUserSessionNote(FEDERATED_ID_TOKEN, accessTokenResponse.getIdToken());
    }

    /**
     * Default scope for this provider type: {@code openid}.
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected String getDefaultScopes() {
        return SCOPE_OPENID;
    }
}
