package io.quarkus.oidc.runtime;

import io.quarkus.logging.Log;
import io.quarkus.oidc.AuthorizationCodeTokens;
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.OidcConfigurationMetadata;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.TokenCustomizer;
import io.quarkus.oidc.TokenIntrospection;
import io.quarkus.oidc.UserInfo;
import io.quarkus.oidc.common.OidcRequestContextProperties;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.oidc.runtime.OidcProviderClient;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.credential.TokenCredential;
import io.smallrye.jwt.algorithm.SignatureAlgorithm;
import io.smallrye.jwt.util.KeyUtils;
import io.smallrye.mutiny.Uni;
import jakarta.json.JsonObject;
import java.io.Closeable;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.PrivateKey;
import java.time.Duration;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.function.BiFunction;
import java.util.function.Function;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.ErrorCodeValidator;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.jwt.consumer.Validator;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.InvalidAlgorithmException;
import org.jose4j.lang.UnresolvableKeyException;

/* loaded from: input_file:io/quarkus/oidc/runtime/OidcProvider.class */
public class OidcProvider implements Closeable {
    private static final String ANY_AUDIENCE = "any";
    private static final String APPLICATION_JWT_CONTENT_TYPE = "application/jwt";
    static final String ANY_ISSUER = "any";
    private final List<Validator> customValidators;
    final OidcProviderClient client;
    final RefreshableVerificationKeyResolver asymmetricKeyResolver;
    final DynamicVerificationKeyResolver keyResolverProvider;
    final OidcTenantConfig oidcConfig;
    final TokenCustomizer tokenCustomizer;
    final String issuer;
    final String[] audience;
    final Map<String, String> requiredClaims;
    final Key tokenDecryptionKey;
    final AlgorithmConstraints requiredAlgorithmConstraints;
    private static final Logger LOG = Logger.getLogger(OidcProvider.class);
    private static final String[] ASYMMETRIC_SUPPORTED_ALGORITHMS = {SignatureAlgorithm.RS256.getAlgorithm(), SignatureAlgorithm.RS384.getAlgorithm(), SignatureAlgorithm.RS512.getAlgorithm(), SignatureAlgorithm.ES256.getAlgorithm(), SignatureAlgorithm.ES384.getAlgorithm(), SignatureAlgorithm.ES512.getAlgorithm(), SignatureAlgorithm.PS256.getAlgorithm(), SignatureAlgorithm.PS384.getAlgorithm(), SignatureAlgorithm.PS512.getAlgorithm(), SignatureAlgorithm.EDDSA.getAlgorithm()};
    private static final AlgorithmConstraints ASYMMETRIC_ALGORITHM_CONSTRAINTS = new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, ASYMMETRIC_SUPPORTED_ALGORITHMS);
    private static final AlgorithmConstraints SYMMETRIC_ALGORITHM_CONSTRAINTS = new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, new String[]{SignatureAlgorithm.HS256.getAlgorithm()});

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/oidc/runtime/OidcProvider$CustomClaimsValidator.class */
    public static class CustomClaimsValidator implements Validator {
        private final Map<String, String> customClaims;

        public CustomClaimsValidator(Map<String, String> map) {
            this.customClaims = map;
        }

        public String validate(JwtContext jwtContext) throws MalformedClaimException {
            JwtClaims jwtClaims = jwtContext.getJwtClaims();
            for (Map.Entry<String, String> entry : this.customClaims.entrySet()) {
                String key = entry.getKey();
                if (!jwtClaims.hasClaim(key)) {
                    return "claim " + key + " is missing";
                }
                if (!jwtClaims.isClaimValueString(key)) {
                    throw new MalformedClaimException("expected claim " + key + " to be a string");
                }
                String stringClaimValue = jwtClaims.getStringClaimValue(key);
                String value = entry.getValue();
                if (!stringClaimValue.equals(value)) {
                    return "claim " + key + "does not match expected value of " + value;
                }
            }
            return null;
        }
    }

    /* loaded from: input_file:io/quarkus/oidc/runtime/OidcProvider$InternalSignatureKeyResolver.class */
    private class InternalSignatureKeyResolver implements VerificationKeyResolver {
        final Key internalSignatureKey;

        public InternalSignatureKeyResolver(Key key) {
            this.internalSignatureKey = initKey(key);
        }

        public Key resolveKey(JsonWebSignature jsonWebSignature, List<JsonWebStructure> list) throws UnresolvableKeyException {
            return this.internalSignatureKey;
        }

        private Key initKey(Key key) {
            String clientOrJwtSecret = OidcCommonUtils.getClientOrJwtSecret(OidcProvider.this.oidcConfig.credentials);
            if (clientOrJwtSecret != null) {
                OidcProvider.LOG.debug("Verifying internal ID token with a configured client secret");
                return KeyUtils.createSecretKeyFromSecret(clientOrJwtSecret);
            }
            if (OidcProvider.this.client.getClientJwtKey() instanceof PrivateKey) {
                OidcProvider.LOG.debug("Verifying internal ID token with a configured JWT private key");
                return OidcUtils.createSecretKeyFromDigest(((PrivateKey) OidcProvider.this.client.getClientJwtKey()).getEncoded());
            }
            OidcProvider.LOG.debug("Verifying internal ID token with a generated secret key");
            return key;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/oidc/runtime/OidcProvider$JsonWebKeyResolver.class */
    public class JsonWebKeyResolver implements RefreshableVerificationKeyResolver {
        volatile JsonWebKeySet jwks;
        volatile long lastForcedRefreshTime;
        volatile long forcedJwksRefreshIntervalMilliSecs;
        final CertChainPublicKeyResolver chainResolverFallback;

        JsonWebKeyResolver(JsonWebKeySet jsonWebKeySet, Duration duration) {
            this.jwks = jsonWebKeySet;
            this.forcedJwksRefreshIntervalMilliSecs = duration.toMillis();
            if (OidcProvider.this.oidcConfig.certificateChain.trustStoreFile.isPresent()) {
                this.chainResolverFallback = new CertChainPublicKeyResolver(OidcProvider.this.oidcConfig);
            } else {
                this.chainResolverFallback = null;
            }
        }

        public Key resolveKey(JsonWebSignature jsonWebSignature, List<JsonWebStructure> list) throws UnresolvableKeyException {
            Key key = null;
            String keyIdHeaderValue = jsonWebSignature.getKeyIdHeaderValue();
            if (keyIdHeaderValue != null) {
                key = getKeyWithId(keyIdHeaderValue);
                if (key == null) {
                    throw new UnresolvableKeyException(String.format("JWK with kid '%s' is not available", keyIdHeaderValue));
                }
            }
            String str = null;
            if (key == null) {
                str = jsonWebSignature.getHeader("x5t#S256");
                if (str != null) {
                    key = getKeyWithS256Thumbprint(str);
                    if (key == null) {
                        throw new UnresolvableKeyException(String.format("JWK with the SHA256 certificate thumbprint '%s' is not available", str));
                    }
                }
            }
            if (key == null) {
                str = jsonWebSignature.getHeader("x5t");
                if (str != null) {
                    key = getKeyWithThumbprint(str);
                    if (key == null) {
                        throw new UnresolvableKeyException(String.format("JWK with the certificate thumbprint '%s' is not available", str));
                    }
                }
            }
            if (key == null && keyIdHeaderValue == null && str == null) {
                try {
                    key = this.jwks.getKeyWithoutKeyIdAndThumbprint(jsonWebSignature.getKeyType());
                } catch (InvalidAlgorithmException e) {
                    Log.debug("Token 'alg'(algorithm) header value is invalid", e);
                }
            }
            if (key == null && OidcProvider.this.oidcConfig.jwks.tryAll && keyIdHeaderValue == null && str == null) {
                OidcProvider.LOG.debug("JWK is not available, neither 'kid' nor 'x5t#S256' nor 'x5t' token headers are set, falling back to trying all available keys");
                key = this.jwks.findKeyInAllKeys(jsonWebSignature);
            }
            if (key == null && this.chainResolverFallback != null) {
                OidcProvider.LOG.debug("JWK is not available, neither 'kid' nor 'x5t#S256' nor 'x5t' token headers are set, falling back to the certificate chain resolver");
                key = this.chainResolverFallback.resolveKey(jsonWebSignature, list);
            }
            if (key == null) {
                throw new UnresolvableKeyException("JWK is not available, neither 'kid' nor 'x5t#S256' nor 'x5t' token headers are set");
            }
            return key;
        }

        private Key getKeyWithId(String str) {
            if (str != null) {
                return this.jwks.getKeyWithId(str);
            }
            OidcProvider.LOG.debug("Token 'kid' header is not set");
            return null;
        }

        private Key getKeyWithThumbprint(String str) {
            if (str != null) {
                return this.jwks.getKeyWithThumbprint(str);
            }
            OidcProvider.LOG.debug("Token 'x5t' header is not set");
            return null;
        }

        private Key getKeyWithS256Thumbprint(String str) {
            if (str != null) {
                return this.jwks.getKeyWithS256Thumbprint(str);
            }
            OidcProvider.LOG.debug("Token 'x5tS256' header is not set");
            return null;
        }

        @Override // io.quarkus.oidc.runtime.RefreshableVerificationKeyResolver
        public Uni<Void> refresh() {
            long now = OidcProvider.now();
            if (now <= this.lastForcedRefreshTime + this.forcedJwksRefreshIntervalMilliSecs) {
                return Uni.createFrom().voidItem();
            }
            this.lastForcedRefreshTime = now;
            return OidcProvider.this.client.getJsonWebKeySet((OidcRequestContextProperties) null).onItem().transformToUni(new Function<JsonWebKeySet, Uni<? extends Void>>() { // from class: io.quarkus.oidc.runtime.OidcProvider.JsonWebKeyResolver.1
                @Override // java.util.function.Function
                public Uni<? extends Void> apply(JsonWebKeySet jsonWebKeySet) {
                    JsonWebKeyResolver.this.jwks = jsonWebKeySet;
                    return Uni.createFrom().voidItem();
                }
            });
        }
    }

    /* loaded from: input_file:io/quarkus/oidc/runtime/OidcProvider$LocalPublicKeyResolver.class */
    private static class LocalPublicKeyResolver implements RefreshableVerificationKeyResolver {
        Key key;

        LocalPublicKeyResolver(String str) {
            try {
                this.key = KeyUtils.decodePublicKey(str);
            } catch (Exception e) {
                throw new OIDCException(e);
            }
        }

        public Key resolveKey(JsonWebSignature jsonWebSignature, List<JsonWebStructure> list) throws UnresolvableKeyException {
            return this.key;
        }
    }

    public OidcProvider(OidcProviderClient oidcProviderClient, OidcTenantConfig oidcTenantConfig, JsonWebKeySet jsonWebKeySet, Key key) {
        this(oidcProviderClient, oidcTenantConfig, jsonWebKeySet, TenantFeatureFinder.find(oidcTenantConfig), key, TenantFeatureFinder.find(oidcTenantConfig, Validator.class));
    }

    public OidcProvider(OidcProviderClient oidcProviderClient, OidcTenantConfig oidcTenantConfig, JsonWebKeySet jsonWebKeySet, TokenCustomizer tokenCustomizer, Key key, List<Validator> list) {
        this.client = oidcProviderClient;
        this.oidcConfig = oidcTenantConfig;
        this.tokenCustomizer = tokenCustomizer;
        if (jsonWebKeySet != null) {
            this.asymmetricKeyResolver = new JsonWebKeyResolver(jsonWebKeySet, oidcTenantConfig.token.forcedJwkRefreshInterval);
        } else if (oidcTenantConfig == null || !oidcTenantConfig.certificateChain.trustStoreFile.isPresent()) {
            this.asymmetricKeyResolver = null;
        } else {
            this.asymmetricKeyResolver = new CertChainPublicKeyResolver(oidcTenantConfig);
        }
        if (oidcProviderClient == null || oidcTenantConfig == null || oidcTenantConfig.jwks.resolveEarly) {
            this.keyResolverProvider = null;
        } else {
            this.keyResolverProvider = new DynamicVerificationKeyResolver(oidcProviderClient, oidcTenantConfig);
        }
        this.issuer = checkIssuerProp();
        this.audience = checkAudienceProp();
        this.requiredClaims = checkRequiredClaimsProp();
        this.tokenDecryptionKey = key;
        this.requiredAlgorithmConstraints = checkSignatureAlgorithm();
        this.customValidators = list == null ? List.of() : list;
    }

    public OidcProvider(String str, OidcTenantConfig oidcTenantConfig, Key key) {
        this.client = null;
        this.oidcConfig = oidcTenantConfig;
        this.tokenCustomizer = TenantFeatureFinder.find(oidcTenantConfig);
        if (str != null) {
            this.asymmetricKeyResolver = new LocalPublicKeyResolver(str);
        } else {
            if (!oidcTenantConfig.certificateChain.trustStoreFile.isPresent()) {
                throw new IllegalStateException("Neither public key nor certificate chain verification modes are enabled");
            }
            this.asymmetricKeyResolver = new CertChainPublicKeyResolver(oidcTenantConfig);
        }
        this.keyResolverProvider = null;
        this.issuer = checkIssuerProp();
        this.audience = checkAudienceProp();
        this.requiredClaims = checkRequiredClaimsProp();
        this.tokenDecryptionKey = key;
        this.requiredAlgorithmConstraints = checkSignatureAlgorithm();
        this.customValidators = TenantFeatureFinder.find(oidcTenantConfig, Validator.class);
    }

    private AlgorithmConstraints checkSignatureAlgorithm() {
        if (this.oidcConfig == null || !this.oidcConfig.token.signatureAlgorithm.isPresent()) {
            return null;
        }
        return new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, new String[]{this.oidcConfig.token.signatureAlgorithm.get().getAlgorithm()});
    }

    private String checkIssuerProp() {
        String str = null;
        if (this.oidcConfig != null) {
            str = this.oidcConfig.token.issuer.orElse(null);
            if (str == null && this.client != null) {
                str = this.client.getMetadata().getIssuer();
            }
        }
        if ("any".equals(str)) {
            return null;
        }
        return str;
    }

    private String[] checkAudienceProp() {
        List<String> orElse = this.oidcConfig != null ? this.oidcConfig.token.audience.orElse(null) : null;
        if (orElse != null) {
            return (String[]) orElse.toArray(new String[0]);
        }
        return null;
    }

    private Map<String, String> checkRequiredClaimsProp() {
        if (this.oidcConfig != null) {
            return this.oidcConfig.token.requiredClaims;
        }
        return null;
    }

    public TokenVerificationResult verifySelfSignedJwtToken(String str, Key key) throws InvalidJwtException {
        return verifyJwtTokenInternal(str, true, false, null, SYMMETRIC_ALGORITHM_CONSTRAINTS, new InternalSignatureKeyResolver(key), true, this.oidcConfig.token.isIssuedAtRequired());
    }

    public TokenVerificationResult verifyJwtToken(String str, boolean z, boolean z2, String str2) throws InvalidJwtException {
        return verifyJwtTokenInternal(customizeJwtToken(str), z, z2, str2, this.requiredAlgorithmConstraints != null ? this.requiredAlgorithmConstraints : ASYMMETRIC_ALGORITHM_CONSTRAINTS, this.asymmetricKeyResolver, true, this.oidcConfig.token.isIssuedAtRequired());
    }

    public TokenVerificationResult verifyLogoutJwtToken(String str) throws InvalidJwtException {
        boolean z = !this.oidcConfig.token.age.isPresent();
        TokenVerificationResult verifyJwtTokenInternal = verifyJwtTokenInternal(str, true, false, null, ASYMMETRIC_ALGORITHM_CONSTRAINTS, this.asymmetricKeyResolver, z, this.oidcConfig.token.isIssuedAtRequired());
        if (z || !isTokenExpired(verifyJwtTokenInternal.localVerificationResult.getLong(Claims.exp.name()))) {
            return verifyJwtTokenInternal;
        }
        String format = String.format("Logout token for client %s has expired", this.oidcConfig.clientId.get());
        LOG.debugf(format, new Object[0]);
        throw new InvalidJwtException(format, List.of(new ErrorCodeValidator.Error(1, format)), (JwtContext) null);
    }

    private TokenVerificationResult verifyJwtTokenInternal(String str, boolean z, boolean z2, String str2, AlgorithmConstraints algorithmConstraints, VerificationKeyResolver verificationKeyResolver, boolean z3, boolean z4) throws InvalidJwtException {
        JwtConsumerBuilder jwtConsumerBuilder = new JwtConsumerBuilder();
        jwtConsumerBuilder.setVerificationKeyResolver(verificationKeyResolver);
        jwtConsumerBuilder.setJwsAlgorithmConstraints(algorithmConstraints);
        if (z3) {
            jwtConsumerBuilder.setRequireExpirationTime();
        }
        if (z2) {
            jwtConsumerBuilder.setRequireSubject();
        }
        if (str2 != null) {
            jwtConsumerBuilder.registerValidator(new CustomClaimsValidator(Map.of("nonce", str2)));
        }
        Iterator<Validator> it = this.customValidators.iterator();
        while (it.hasNext()) {
            jwtConsumerBuilder.registerValidator(it.next());
        }
        if (z4) {
            jwtConsumerBuilder.setRequireIssuedAt();
        }
        if (this.issuer != null) {
            jwtConsumerBuilder.setExpectedIssuer(this.issuer);
        }
        if (this.audience != null) {
            if (this.audience.length == 1 && this.audience[0].equals("any")) {
                jwtConsumerBuilder.setSkipDefaultAudienceValidation();
            } else {
                jwtConsumerBuilder.setExpectedAudience(this.audience);
            }
        } else if (z) {
            jwtConsumerBuilder.setExpectedAudience(new String[]{(String) this.oidcConfig.clientId.get()});
        } else {
            jwtConsumerBuilder.setSkipDefaultAudienceValidation();
        }
        if (this.requiredClaims != null && !this.requiredClaims.isEmpty()) {
            jwtConsumerBuilder.registerValidator(new CustomClaimsValidator(this.requiredClaims));
        }
        if (this.oidcConfig.token.lifespanGrace.isPresent()) {
            jwtConsumerBuilder.setAllowedClockSkewInSeconds(this.oidcConfig.token.lifespanGrace.getAsInt());
        }
        jwtConsumerBuilder.setRelaxVerificationKeyValidation();
        try {
            jwtConsumerBuilder.build().processToClaims(str);
            TokenVerificationResult tokenVerificationResult = new TokenVerificationResult(OidcUtils.decodeJwtContent(str), null);
            verifyTokenAge(tokenVerificationResult.localVerificationResult.getLong(Claims.iat.name()));
            return tokenVerificationResult;
        } catch (InvalidJwtException e) {
            List errorDetails = e.getErrorDetails();
            String errorMessage = errorDetails.isEmpty() ? "" : ((ErrorCodeValidator.Error) errorDetails.get(0)).getErrorMessage();
            if (this.oidcConfig.clientId.isPresent()) {
                LOG.debugf("Verification of the token issued to client %s has failed: %s.", this.oidcConfig.clientId.get(), errorMessage);
                if (this.oidcConfig.clientName.isPresent()) {
                    LOG.debugf(" Client name: %s", this.oidcConfig.clientName.get());
                }
            } else {
                LOG.debugf("Token verification has failed: %s", errorMessage);
            }
            throw e;
        }
    }

    private String customizeJwtToken(String str) {
        if (this.tokenCustomizer != null) {
            JsonObject customizeHeaders = this.tokenCustomizer.customizeHeaders(AbstractJsonObjectResponse.toJsonObject(OidcUtils.decodeJwtHeadersAsString(str)));
            if (customizeHeaders != null) {
                return new String(Base64.getUrlEncoder().withoutPadding().encode(customizeHeaders.toString().getBytes()), StandardCharsets.UTF_8) + str.substring(str.indexOf(46));
            }
        }
        return str;
    }

    private void verifyTokenAge(Long l) throws InvalidJwtException {
        if (!this.oidcConfig.token.age.isPresent() || l == null || (now() / 1000) - l.longValue() <= this.oidcConfig.token.age.get().toSeconds() + getLifespanGrace()) {
            return;
        }
        LOG.debugf("Token age exceeds the configured token age property", new Object[0]);
        throw new InvalidJwtException("Token age exceeds the configured token age property", List.of(new ErrorCodeValidator.Error(24, "Token age exceeds the configured token age property")), (JwtContext) null);
    }

    public Uni<TokenVerificationResult> refreshJwksAndVerifyJwtToken(final String str, final boolean z, final boolean z2, final String str2) {
        return this.asymmetricKeyResolver.refresh().onItem().transformToUni(new Function<Void, Uni<? extends TokenVerificationResult>>() { // from class: io.quarkus.oidc.runtime.OidcProvider.1
            @Override // java.util.function.Function
            public Uni<? extends TokenVerificationResult> apply(Void r8) {
                try {
                    return Uni.createFrom().item(OidcProvider.this.verifyJwtToken(str, z, z2, str2));
                } catch (Throwable th) {
                    return Uni.createFrom().failure(th);
                }
            }
        });
    }

    public Uni<TokenVerificationResult> getKeyResolverAndVerifyJwtToken(final TokenCredential tokenCredential, final boolean z, final boolean z2, final String str, final boolean z3) {
        return this.keyResolverProvider.resolve(tokenCredential).onItem().transformToUni(new Function<VerificationKeyResolver, Uni<? extends TokenVerificationResult>>() { // from class: io.quarkus.oidc.runtime.OidcProvider.2
            @Override // java.util.function.Function
            public Uni<? extends TokenVerificationResult> apply(VerificationKeyResolver verificationKeyResolver) {
                try {
                    return Uni.createFrom().item(OidcProvider.this.verifyJwtTokenInternal(OidcProvider.this.customizeJwtToken(tokenCredential.getToken()), z, z2, str, OidcProvider.this.requiredAlgorithmConstraints != null ? OidcProvider.this.requiredAlgorithmConstraints : OidcProvider.ASYMMETRIC_ALGORITHM_CONSTRAINTS, verificationKeyResolver, true, z3));
                } catch (Throwable th) {
                    return Uni.createFrom().failure(th);
                }
            }
        });
    }

    public Uni<TokenIntrospection> introspectToken(String str, boolean z) {
        if (this.client.getMetadata().getIntrospectionUri() == null) {
            throw new AuthenticationFailedException(String.format("Token issued to client %s " + (z ? "does not have a matching verification key and it " : "") + "can not be introspected because the introspection endpoint address is unknown - please check if your OpenId Connect Provider supports the token introspection", this.oidcConfig.clientId.get()));
        }
        return this.client.introspectToken(str).onItemOrFailure().transform(new BiFunction<TokenIntrospection, Throwable, TokenIntrospection>() { // from class: io.quarkus.oidc.runtime.OidcProvider.3
            @Override // java.util.function.BiFunction
            public TokenIntrospection apply(TokenIntrospection tokenIntrospection, Throwable th) {
                if (th != null) {
                    throw new AuthenticationFailedException(th);
                }
                if (!tokenIntrospection.isActive()) {
                    verifyTokenExpiry(tokenIntrospection.getLong("exp"));
                    throw new AuthenticationFailedException(String.format("Token issued to client %s is not active", OidcProvider.this.oidcConfig.clientId.get()));
                }
                verifyTokenExpiry(tokenIntrospection.getLong("exp"));
                try {
                    OidcProvider.this.verifyTokenAge(tokenIntrospection.getLong("iat"));
                    return tokenIntrospection;
                } catch (InvalidJwtException e) {
                    throw new AuthenticationFailedException(e);
                }
            }

            private void verifyTokenExpiry(Long l) {
                if (OidcProvider.this.isTokenExpired(l)) {
                    String format = String.format("Token issued to client %s has expired", OidcProvider.this.oidcConfig.clientId.get());
                    OidcProvider.LOG.debugf(format, new Object[0]);
                    throw new AuthenticationFailedException(new InvalidJwtException(format, List.of(new ErrorCodeValidator.Error(1, format)), (JwtContext) null));
                }
            }
        });
    }

    private boolean isTokenExpired(Long l) {
        return l != null && now() / 1000 > l.longValue() + ((long) getLifespanGrace());
    }

    private int getLifespanGrace() {
        if (this.client.getOidcConfig().token.lifespanGrace.isPresent()) {
            return this.client.getOidcConfig().token.lifespanGrace.getAsInt();
        }
        return 0;
    }

    private static final long now() {
        return System.currentTimeMillis();
    }

    public Uni<UserInfo> getUserInfo(String str) {
        return this.client.getUserInfo(str).onItem().transformToUni(new Function<OidcProviderClient.UserInfoResponse, Uni<? extends UserInfo>>() { // from class: io.quarkus.oidc.runtime.OidcProvider.4
            @Override // java.util.function.Function
            public Uni<UserInfo> apply(OidcProviderClient.UserInfoResponse userInfoResponse) {
                if (!OidcProvider.APPLICATION_JWT_CONTENT_TYPE.equals(userInfoResponse.contentType())) {
                    return Uni.createFrom().item(new UserInfo(userInfoResponse.data()));
                }
                if (!OidcProvider.this.oidcConfig.jwks.resolveEarly) {
                    return OidcProvider.this.getKeyResolverAndVerifyJwtToken(new TokenCredential(userInfoResponse.data(), OidcUtils.USER_INFO_ATTRIBUTE), true, false, null, true).onItem().transform(tokenVerificationResult -> {
                        return new UserInfo(tokenVerificationResult.localVerificationResult.encode());
                    });
                }
                try {
                    OidcProvider.LOG.debugf("Verifying the signed UserInfo with the local JWK keys: %s", userInfoResponse.data());
                    return Uni.createFrom().item(new UserInfo(OidcProvider.this.verifyJwtToken(userInfoResponse.data(), true, false, null).localVerificationResult.encode()));
                } catch (Throwable th) {
                    if (th.getCause() instanceof UnresolvableKeyException) {
                        OidcProvider.LOG.debug("No matching JWK key is found, refreshing and repeating the signed UserInfo verification");
                        return OidcProvider.this.refreshJwksAndVerifyJwtToken(userInfoResponse.data(), true, false, null).onItem().transform(tokenVerificationResult2 -> {
                            return new UserInfo(tokenVerificationResult2.localVerificationResult.encode());
                        });
                    }
                    OidcProvider.LOG.debugf("Signed UserInfo verification has failed: %s", th.getMessage());
                    return Uni.createFrom().failure(th);
                }
            }
        });
    }

    public Uni<AuthorizationCodeTokens> getCodeFlowTokens(String str, String str2, String str3) {
        return this.client.getAuthorizationCodeTokens(str, str2, str3);
    }

    public Uni<AuthorizationCodeTokens> refreshTokens(String str) {
        return this.client.refreshAuthorizationCodeTokens(str);
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.client != null) {
            this.client.close();
        }
    }

    public OidcConfigurationMetadata getMetadata() {
        if (this.client == null) {
            return null;
        }
        return this.client.getMetadata();
    }
}
