package org.keycloak.protocol.oidc;

import com.google.common.collect.Streams;
import jakarta.ws.rs.core.UriBuilder;
import jakarta.ws.rs.core.UriInfo;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.authentication.ClientAuthenticator;
import org.keycloak.authentication.ClientAuthenticatorFactory;
import org.keycloak.authentication.authenticators.util.LoAUtil;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.common.Profile;
import org.keycloak.crypto.CekManagementProvider;
import org.keycloak.crypto.ClientSignatureVerifierProvider;
import org.keycloak.crypto.ContentEncryptionProvider;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.models.CibaConfig;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakUriInfo;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint;
import org.keycloak.protocol.oidc.endpoints.TokenEndpoint;
import org.keycloak.protocol.oidc.grants.ciba.CibaGrantType;
import org.keycloak.protocol.oidc.grants.device.endpoints.DeviceEndpoint;
import org.keycloak.protocol.oidc.par.endpoints.ParEndpoint;
import org.keycloak.protocol.oidc.representations.MTLSEndpointAliases;
import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation;
import org.keycloak.protocol.oidc.utils.AcrUtils;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.provider.Provider;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory;
import org.keycloak.services.clientregistration.ClientRegistrationService;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.urls.UrlType;
import org.keycloak.util.JsonSerialization;
import org.keycloak.wellknown.WellKnownProvider;

/* loaded from: input_file:org/keycloak/protocol/oidc/OIDCWellKnownProvider.class */
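public class OIDCWellKnownProvider implements WellKnownProvider {

    /** Login-protocol id: fills the {protocol} path template and selects OIDC client scopes / client-auth methods. */
    private static final String OIDC_PROTOCOL = "openid-connect";

    /** JWA value meaning "unsigned / unencrypted"; appended only where the metadata deliberately advertises it. */
    private static final String ALG_NONE = "none";

    /**
     * Value of {@code grant_types_supported}. Per-instance rather than static because the token-exchange
     * entry depends on the {@code TOKEN_EXCHANGE} feature flag evaluated at construction time. Kept as a
     * mutable list to preserve the original field contract.
     */
    public final List<String> DEFAULT_GRANT_TYPES_SUPPORTED;

    public static final List<String> DEFAULT_RESPONSE_TYPES_SUPPORTED = list("code", "none", OIDCResponseType.ID_TOKEN, OIDCResponseType.TOKEN, "id_token token", "code id_token", "code token", "code id_token token");
    /** "public" is the OIDC subject type here, unrelated to the client access type of the same name. */
    public static final List<String> DEFAULT_SUBJECT_TYPES_SUPPORTED = list("public", "pairwise");
    public static final List<String> DEFAULT_RESPONSE_MODES_SUPPORTED = list("query", "fragment", "form_post", "query.jwt", "fragment.jwt", "form_post.jwt", "jwt");
    /** Retained as public API; not consumed by {@link #getConfig()} in this class. */
    public static final List<String> DEFAULT_CLIENT_AUTH_SIGNING_ALG_VALUES_SUPPORTED = list(Algorithm.RS256.toString());
    public static final List<String> DEFAULT_CLAIMS_SUPPORTED = list("aud", "sub", OIDCLoginProtocol.ISSUER, "auth_time", "name", "given_name", "family_name", "preferred_username", "email", "acr");
    public static final List<String> DEFAULT_CLAIM_TYPES_SUPPORTED = list("normal");
    /**
     * Both PKCE methods are advertised. "plain" offers no protection against an attacker who can observe the
     * authorization request; requiring S256 is a per-client policy enforced outside this class.
     */
    public static final List<String> DEFAULT_CODE_CHALLENGE_METHODS_SUPPORTED = list(OIDCLoginProtocol.PKCE_METHOD_PLAIN, OIDCLoginProtocol.PKCE_METHOD_S256);

    private final KeycloakSession session;
    /** Optional overrides merged over the generated document (see {@link #checkConfigOverride}); may be null. */
    private final Map<String, Object> openidConfigOverride;
    /** Whether {@code scopes_supported} is emitted (it requires a realm client-scope lookup). */
    private final boolean includeClientScopes;

    /** Creates a provider with no overrides that emits {@code scopes_supported}. */
    public OIDCWellKnownProvider(KeycloakSession session) {
        this(session, null, true);
    }

    /**
     * @param session              current session; supplies the realm, frontend/backend URIs and provider factories
     * @param openidConfigOverride key/value pairs merged over the generated document, or null for none. These are
     *                             trusted configuration: any key, including {@code issuer} and {@code jwks_uri},
     *                             can be replaced, so never populate this map from request-derived data.
     * @param includeClientScopes  whether to emit {@code scopes_supported}
     */
    public OIDCWellKnownProvider(KeycloakSession session, Map<String, Object> openidConfigOverride, boolean includeClientScopes) {
        this.DEFAULT_GRANT_TYPES_SUPPORTED = defaultGrantTypes();
        this.session = session;
        this.openidConfigOverride = openidConfigOverride;
        this.includeClientScopes = includeClientScopes;
    }

    /** Builds the mutable grant-type list, adding token exchange only when the feature is enabled. */
    private static List<String> defaultGrantTypes() {
        List<String> grantTypes = new ArrayList<>(List.of(
                AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE,
                "implicit",
                AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN,
                "password",
                "client_credentials",
                "urn:ietf:params:oauth:grant-type:device_code",
                "urn:openid:params:grant-type:ciba"));
        if (Profile.isFeatureEnabled(Profile.Feature.TOKEN_EXCHANGE)) {
            grantTypes.add("urn:ietf:params:oauth:grant-type:token-exchange");
        }
        return grantTypes;
    }

    /**
     * Builds the OpenID Provider Metadata (discovery) document for the realm in the current session context.
     * <p>
     * Endpoint URLs and the issuer are derived from the frontend/backend URIs handed out by the session context.
     * NOTE(review): whether those URIs are pinned by hostname configuration or reflect the incoming Host header
     * is decided outside this class — confirm the hostname provider is fixed in production, because a discovery
     * document echoing an attacker-chosen host would poison every client's cached {@code issuer}/{@code jwks_uri}.
     *
     * @return the representation, with {@link #openidConfigOverride} applied last when present
     */
    @Override
    public Object getConfig() {
        KeycloakUriInfo frontendUri = session.getContext().getUri(UrlType.FRONTEND);
        KeycloakUriInfo backendUri = session.getContext().getUri(UrlType.BACKEND);
        RealmModel realm = session.getContext().getRealm();

        OIDCConfigurationRepresentation config = new OIDCConfigurationRepresentation();
        addEndpoints(config, realm, frontendUri, backendUri);
        addAlgorithms(config);
        addCapabilities(config, realm);
        // After the endpoints: the aliases copy URLs already set on the representation.
        config.setMtlsEndpointAliases(getMtlsEndpointAliases(config));
        // Last: overrides win over everything computed above.
        return checkConfigOverride(config);
    }

    @Override
    public void close() {
    }

    /** Immutable list helper for the public constants. */
    private static List<String> list(String... values) {
        return List.of(values);
    }

    /** Renders a protocol URL template with the realm name and the OIDC protocol id. */
    private static String protocolEndpoint(UriBuilder builder, String realmName) {
        return builder.build(realmName, OIDC_PROTOCOL).toString();
    }

    /**
     * Sets issuer and all endpoint URLs. Browser-facing endpoints (authorization, logout, device
     * authorization, session iframe, revocation) use the frontend URI; endpoints normally called
     * server-to-server (token, introspection, userinfo, JWKS, registration, CIBA, PAR) use the backend URI.
     */
    private static void addEndpoints(OIDCConfigurationRepresentation config, RealmModel realm,
                                     KeycloakUriInfo frontendUri, KeycloakUriInfo backendUri) {
        String realmName = realm.getName();
        UriBuilder frontend = RealmsResource.protocolUrl((UriInfo) frontendUri);
        UriBuilder backend = RealmsResource.protocolUrl((UriInfo) backendUri);

        config.setIssuer(Urls.realmIssuer(frontendUri.getBaseUri(), realmName));
        config.setAuthorizationEndpoint(protocolEndpoint(
                frontend.clone().path(OIDCLoginProtocolService.class, "auth"), realmName));
        config.setTokenEndpoint(protocolEndpoint(
                backend.clone().path(OIDCLoginProtocolService.class, "token"), realmName));
        config.setIntrospectionEndpoint(protocolEndpoint(
                backend.clone().path(OIDCLoginProtocolService.class, "token").path(TokenEndpoint.class, "introspect"), realmName));
        config.setUserinfoEndpoint(protocolEndpoint(
                backend.clone().path(OIDCLoginProtocolService.class, "issueUserInfo"), realmName));
        config.setLogoutEndpoint(protocolEndpoint(
                frontend.clone().path(OIDCLoginProtocolService.class, "logout"), realmName));
        config.setDeviceAuthorizationEndpoint(protocolEndpoint(
                frontend.clone().path(OIDCLoginProtocolService.class, "auth")
                        .path(AuthorizationEndpoint.class, "authorizeDevice")
                        .path(DeviceEndpoint.class, "handleDeviceRequest"), realmName));
        config.setJwksUri(protocolEndpoint(
                backend.clone().path(OIDCLoginProtocolService.class, "certs"), realmName));
        config.setCheckSessionIframe(protocolEndpoint(
                frontend.clone().path(OIDCLoginProtocolService.class, "getLoginStatusIframe"), realmName));
        // Dynamic client registration is advertised unconditionally; whether anonymous registration is
        // actually permitted is governed by client-registration policies outside this class.
        config.setRegistrationEndpoint(protocolEndpoint(
                RealmsResource.clientRegistrationUrl(backendUri).path(ClientRegistrationService.class, "provider"), realmName));
        config.setRevocationEndpoint(protocolEndpoint(
                frontend.clone().path(OIDCLoginProtocolService.class, "revoke"), realmName));
        config.setBackchannelAuthenticationEndpoint(
                CibaGrantType.authorizationUrl(backendUri.getBaseUriBuilder()).build(realmName).toString());
        config.setPushedAuthorizationRequestEndpoint(
                ParEndpoint.parUrl(backendUri.getBaseUriBuilder()).build(realmName).toString());
    }

    /** Sets every {@code *_alg_values_supported} / {@code *_auth_methods_supported} field from the installed providers. */
    private void addAlgorithms(OIDCConfigurationRepresentation config) {
        List<String> signingAlgs = getSupportedSigningAlgorithms(false);
        List<String> keyManagementAlgs = getSupportedEncryptionAlgorithms();
        List<String> contentEncryptionAlgs = getSupportedContentEncryptionAlgorithms();
        List<String> clientSigningAlgs = getSupportedClientSigningAlgorithms(false);
        List<String> clientAuthMethods = getClientAuthMethodsSupported();

        // ID tokens and JARM authorization responses: server-signed, "none" is never advertised.
        config.setIdTokenSigningAlgValuesSupported(signingAlgs);
        config.setIdTokenEncryptionAlgValuesSupported(keyManagementAlgs);
        config.setIdTokenEncryptionEncValuesSupported(contentEncryptionAlgs);
        config.setAuthorizationSigningAlgValuesSupported(signingAlgs);
        config.setAuthorizationEncryptionAlgValuesSupported(keyManagementAlgs);
        config.setAuthorizationEncryptionEncValuesSupported(contentEncryptionAlgs);

        // UserInfo: "none" is advertised (presumably because the response may be plain JSON) — confirm.
        config.setUserInfoSigningAlgValuesSupported(getSupportedSigningAlgorithms(true));
        config.setUserInfoEncryptionAlgValuesSupported(keyManagementAlgs);
        config.setUserInfoEncryptionEncValuesSupported(contentEncryptionAlgs);

        // Request objects: "none" is advertised, i.e. unsigned request objects are accepted unless a
        // per-client setting (not visible here) requires a signature. Clients must not treat this
        // list as an integrity guarantee.
        config.setRequestObjectSigningAlgValuesSupported(getSupportedClientSigningAlgorithms(true));
        config.setRequestObjectEncryptionAlgValuesSupported(keyManagementAlgs);
        config.setRequestObjectEncryptionEncValuesSupported(contentEncryptionAlgs);

        // Client authentication: identical methods/algorithms at the token, introspection and revocation endpoints.
        config.setTokenEndpointAuthMethodsSupported(clientAuthMethods);
        config.setTokenEndpointAuthSigningAlgValuesSupported(clientSigningAlgs);
        config.setIntrospectionEndpointAuthMethodsSupported(clientAuthMethods);
        config.setIntrospectionEndpointAuthSigningAlgValuesSupported(clientSigningAlgs);
        config.setRevocationEndpointAuthMethodsSupported(clientAuthMethods);
        config.setRevocationEndpointAuthSigningAlgValuesSupported(clientSigningAlgs);

        // CIBA signed requests: asymmetric algorithms only.
        config.setBackchannelAuthenticationRequestSigningAlgValuesSupported(
                getSupportedBackchannelAuthenticationRequestSigningAlgorithms());
    }

    /** Sets the static capability flags and the realm-dependent lists (ACR values, scopes). */
    private void addCapabilities(OIDCConfigurationRepresentation config, RealmModel realm) {
        config.setResponseTypesSupported(DEFAULT_RESPONSE_TYPES_SUPPORTED);
        config.setSubjectTypesSupported(DEFAULT_SUBJECT_TYPES_SUPPORTED);
        config.setResponseModesSupported(DEFAULT_RESPONSE_MODES_SUPPORTED);
        config.setGrantTypesSupported(DEFAULT_GRANT_TYPES_SUPPORTED);
        config.setAcrValuesSupported(getAcrValuesSupported(realm));
        config.setClaimsSupported(DEFAULT_CLAIMS_SUPPORTED);
        config.setClaimTypesSupported(DEFAULT_CLAIM_TYPES_SUPPORTED);
        config.setClaimsParameterSupported(true);
        if (includeClientScopes) {
            config.setScopesSupported(getScopesSupported(realm));
        }
        config.setRequestParameterSupported(true);
        config.setRequestUriParameterSupported(true);
        config.setRequireRequestUriRegistration(true);
        config.setCodeChallengeMethodsSupported(DEFAULT_CODE_CHALLENGE_METHODS_SUPPORTED);
        config.setTlsClientCertificateBoundAccessTokens(true);
        config.setBackchannelLogoutSupported(true);
        config.setBackchannelLogoutSessionSupported(true);
        config.setBackchannelTokenDeliveryModesSupported(CibaConfig.CIBA_SUPPORTED_MODES);
        // Advertised as not required at the server level; a per-client PAR requirement is not reflected here.
        config.setRequirePushedAuthorizationRequests(Boolean.FALSE);
    }

    /** Names of the realm's OIDC client scopes, with "openid" prepended. */
    private static List<String> getScopesSupported(RealmModel realm) {
        List<String> scopes = realm.getClientScopesStream()
                .filter(scope -> Objects.equals(OIDC_PROTOCOL, scope.getProtocol()))
                .map(scope -> scope.getName())
                // explicit ArrayList: Collectors.toList() does not guarantee a mutable result
                .collect(Collectors.toCollection(ArrayList::new));
        scopes.add(0, OIDCIdentityProvider.SCOPE_OPENID);
        return scopes;
    }

    /** Client authentication method names offered by every registered {@link ClientAuthenticatorFactory} for OIDC. */
    private List<String> getClientAuthMethodsSupported() {
        return session.getKeycloakSessionFactory().getProviderFactoriesStream(ClientAuthenticator.class)
                .map(ClientAuthenticatorFactory.class::cast)
                .map(factory -> factory.getProtocolAuthenticatorMethods(OIDC_PROTOCOL))
                .flatMap(methods -> methods.stream())
                .collect(Collectors.toList());
    }

    /**
     * Ids of all registered factories of the given provider type, optionally followed by "none".
     *
     * @param providerClass provider type whose factory ids are the algorithm names
     * @param includeNone   whether to append {@value #ALG_NONE}
     */
    private List<String> getSupportedAlgorithms(Class<? extends Provider> providerClass, boolean includeNone) {
        Stream<String> ids = session.getKeycloakSessionFactory().getProviderFactoriesStream(providerClass)
                .map(factory -> factory.getId());
        if (includeNone) {
            ids = Stream.concat(ids, Stream.of(ALG_NONE));
        }
        return ids.collect(Collectors.toList());
    }

    /** Signature algorithms whose provider reports itself as asymmetric; unresolvable providers are skipped. */
    private List<String> getSupportedAsymmetricAlgorithms() {
        return getSupportedSigningAlgorithms(false).stream()
                .filter(alg -> {
                    SignatureProvider provider = session.getProvider(SignatureProvider.class, alg);
                    return provider != null && provider.isAsymmetricAlgorithm();
                })
                .collect(Collectors.toList());
    }

    /** Server signing algorithms ({@link SignatureProvider} ids). */
    private List<String> getSupportedSigningAlgorithms(boolean includeNone) {
        return getSupportedAlgorithms(SignatureProvider.class, includeNone);
    }

    /** Algorithms the server can verify client-produced signatures with ({@link ClientSignatureVerifierProvider} ids). */
    private List<String> getSupportedClientSigningAlgorithms(boolean includeNone) {
        return getSupportedAlgorithms(ClientSignatureVerifierProvider.class, includeNone);
    }

    /** JWE key-management ("alg") algorithms ({@link CekManagementProvider} ids). */
    private List<String> getSupportedEncryptionAlgorithms() {
        return getSupportedAlgorithms(CekManagementProvider.class, false);
    }

    /** JWE content-encryption ("enc") algorithms ({@link ContentEncryptionProvider} ids). */
    private List<String> getSupportedContentEncryptionAlgorithms() {
        return getSupportedAlgorithms(ContentEncryptionProvider.class, false);
    }

    /** CIBA request-object signing algorithms: asymmetric only. */
    private List<String> getSupportedBackchannelAuthenticationRequestSigningAlgorithms() {
        return getSupportedAsymmetricAlgorithms();
    }

    /**
     * ACR values: the keys of the realm's ACR-to-LoA mapping followed by the LoA levels configured in the
     * browser flow (rendered as strings). No de-duplication is performed, matching the original behaviour.
     */
    private static List<String> getAcrValuesSupported(RealmModel realm) {
        List<String> acrValues = new ArrayList<>(AcrUtils.getAcrLoaMap(realm).keySet());
        LoAUtil.getLoAConfiguredInRealmBrowserFlow(realm)
                .map(level -> String.valueOf(level))
                .forEach(acrValues::add);
        return acrValues;
    }

    /**
     * Builds {@code mtls_endpoint_aliases}. The aliases reuse the regular endpoint URLs, i.e. no separate
     * mTLS host is published; subclasses may override to point at a dedicated client-certificate listener.
     *
     * @param config representation whose endpoint URLs must already be set
     */
    protected MTLSEndpointAliases getMtlsEndpointAliases(OIDCConfigurationRepresentation config) {
        MTLSEndpointAliases aliases = new MTLSEndpointAliases();
        aliases.setTokenEndpoint(config.getTokenEndpoint());
        aliases.setRevocationEndpoint(config.getRevocationEndpoint());
        aliases.setIntrospectionEndpoint(config.getIntrospectionEndpoint());
        aliases.setDeviceAuthorizationEndpoint(config.getDeviceAuthorizationEndpoint());
        aliases.setRegistrationEndpoint(config.getRegistrationEndpoint());
        aliases.setUserInfoEndpoint(config.getUserinfoEndpoint());
        aliases.setBackchannelAuthenticationEndpoint(config.getBackchannelAuthenticationEndpoint());
        aliases.setPushedAuthorizationRequestEndpoint(config.getPushedAuthorizationRequestEndpoint());
        return aliases;
    }

    /**
     * Applies {@link #openidConfigOverride}: the representation is flattened to a JSON map, override
     * entries replace same-named keys (any key, including issuer and jwks_uri), and the map is bound back.
     * Unknown keys survive the round trip only if the representation type tolerates them.
     */
    private OIDCConfigurationRepresentation checkConfigOverride(OIDCConfigurationRepresentation config) {
        if (openidConfigOverride == null) {
            return config;
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> merged = JsonSerialization.mapper.convertValue(config, Map.class);
        merged.putAll(openidConfigOverride);
        return JsonSerialization.mapper.convertValue(merged, OIDCConfigurationRepresentation.class);
    }
}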
