package org.keycloak.protocol.oidc.endpoints;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.OPTIONS;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.Config;
import org.keycloak.OAuthErrorException;
import org.keycloak.TokenVerifier;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.VerificationException;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.headers.SecurityHeadersProvider;
import org.keycloak.http.HttpRequest;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.SystemClientUtil;
import org.keycloak.protocol.oidc.BackchannelLogoutResponse;
import org.keycloak.protocol.oidc.LogoutTokenValidationCode;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolFactory;
import org.keycloak.protocol.oidc.OIDCProviderConfig;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.protocol.oidc.utils.LogoutUtil;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.LogoutToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.LogoutRequestContext;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.services.resources.LogoutSessionCodeChecks;
import org.keycloak.services.util.LocaleUtil;
import org.keycloak.services.util.MtlsHoKTokenUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.utils.LockObjectsForModification;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.class */
public class LogoutEndpoint {
    private static final Logger logger = Logger.getLogger(LogoutEndpoint.class);
    private final KeycloakSession session;
    private final ClientConnection clientConnection;
    private final HttpRequest request;
    private final HttpHeaders headers;
    private final TokenManager tokenManager;
    private final RealmModel realm;
    private final EventBuilder event;
    private final OIDCProviderConfig providerConfig;
    private final boolean offlineSessionsLazyLoadingEnabled;
    private Cors cors;

    public LogoutEndpoint(KeycloakSession keycloakSession, TokenManager tokenManager, EventBuilder eventBuilder, OIDCProviderConfig oIDCProviderConfig) {
        this.session = keycloakSession;
        this.clientConnection = keycloakSession.getContext().getConnection();
        this.tokenManager = tokenManager;
        this.realm = keycloakSession.getContext().getRealm();
        this.event = eventBuilder;
        this.providerConfig = oIDCProviderConfig;
        this.offlineSessionsLazyLoadingEnabled = !Config.scope(new String[]{"userSessions"}).scope(new String[]{"infinispan"}).getBoolean("preloadOfflineSessionsFromDatabase", false).booleanValue();
        this.request = keycloakSession.getContext().getHttpRequest();
        this.headers = keycloakSession.getContext().getRequestHeaders();
    }

    @Path("/")
    @OPTIONS
    public Response issueUserInfoPreflight() {
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

    @NoCache
    @GET
    public Response logout(@QueryParam("redirect_uri") String str, @QueryParam("id_token_hint") String str2, @QueryParam("client_id") String str3, @QueryParam("post_logout_redirect_uri") String str4, @QueryParam("state") String str5, @QueryParam("ui_locales") String str6, @QueryParam("initiating_idp") String str7) {
        if (!this.providerConfig.isLegacyLogoutRedirectUri()) {
            if (str != null) {
                this.event.event(EventType.LOGOUT);
                this.event.error("invalid_request");
                logger.warnf("Parameter 'redirect_uri' no longer supported. Please use 'post_logout_redirect_uri' with 'id_token_hint' for this endpoint. Alternatively you can enable backwards compatibility option '%s' of oidc login protocol in the server configuration.", OIDCLoginProtocolFactory.CONFIG_LEGACY_LOGOUT_REDIRECT_URI);
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_PARAMETER, "redirect_uri");
            }
            if (str4 != null && str2 == null && str3 == null) {
                this.event.event(EventType.LOGOUT);
                this.event.error("invalid_request");
                logger.warnf("Either the parameter 'client_id' or the parameter 'id_token_hint' is required when 'post_logout_redirect_uri' is used.", new Object[0]);
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, OIDCLoginProtocol.ID_TOKEN_HINT);
            }
        }
        String str8 = str4 != null ? str4 : this.providerConfig.isLegacyLogoutRedirectUri() ? str : null;
        boolean z = true;
        boolean z2 = false;
        ClientModel clientByClientId = str3 == null ? null : this.realm.getClientByClientId(str3);
        if (str3 != null && clientByClientId == null) {
            logger.warnf("Client '%s' not found.", str3);
            z2 = true;
        }
        IDToken iDToken = null;
        if (str2 != null) {
            try {
                iDToken = this.tokenManager.verifyIDTokenSignature(this.session, str2);
                TokenVerifier.createWithoutSignature(iDToken).tokenType("ID").verify();
            } catch (OAuthErrorException | VerificationException e) {
                this.event.event(EventType.LOGOUT);
                this.event.error("invalid_token");
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_PARAMETER, OIDCLoginProtocol.ID_TOKEN_HINT);
            }
        }
        if (str3 == null) {
            clientByClientId = (iDToken == null || iDToken.getIssuedFor() == null) ? null : this.realm.getClientByClientId(iDToken.getIssuedFor());
            if (clientByClientId != null) {
                z = false;
            }
        } else if (iDToken != null && iDToken.getIssuedFor() != null) {
            if (!iDToken.getIssuedFor().equals(str3)) {
                this.event.event(EventType.LOGOUT);
                this.event.client(str3);
                this.event.error("invalid_token");
                logger.warnf("Parameter client_id is different than the client for which ID Token was issued. Parameter client_id: '%s', ID Token issued for: '%s'.", str3, iDToken.getIssuedFor());
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_PARAMETER, OIDCLoginProtocol.ID_TOKEN_HINT);
            }
            z = false;
        }
        if (clientByClientId != null) {
            this.session.getContext().setClient(clientByClientId);
        }
        String str9 = null;
        if (str8 != null) {
            if (clientByClientId != null) {
                OIDCAdvancedConfigWrapper fromClientModel = OIDCAdvancedConfigWrapper.fromClientModel(clientByClientId);
                str9 = RedirectUtils.verifyRedirectUri(this.session, clientByClientId.getRootUrl(), str8, fromClientModel.getPostLogoutRedirectUris() != null ? new HashSet(fromClientModel.getPostLogoutRedirectUris()) : new HashSet(), true);
            } else if (str3 == null && this.providerConfig.isLegacyLogoutRedirectUri()) {
                str9 = RedirectUtils.verifyRealmRedirectUri(this.session, str8);
            }
            if (str9 == null) {
                this.event.event(EventType.LOGOUT);
                this.event.detail("redirect_uri", str8);
                this.event.error(ErrorCodes.INVALID_REDIRECT_URI);
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI, new Object[0]);
            }
        }
        AuthenticationSessionModel createOrJoinLogoutSession = AuthenticationManager.createOrJoinLogoutSession(this.session, this.realm, new AuthenticationSessionManager(this.session), null, true);
        this.session.getContext().setAuthenticationSession(createOrJoinLogoutSession);
        if (str6 != null) {
            createOrJoinLogoutSession.setAuthNote("locale_client_requested", str6);
        }
        if (str9 != null) {
            createOrJoinLogoutSession.setAuthNote(OIDCLoginProtocol.LOGOUT_REDIRECT_URI, str9);
        }
        if (str5 != null) {
            createOrJoinLogoutSession.setAuthNote(OIDCLoginProtocol.LOGOUT_STATE_PARAM, str5);
        }
        if (str7 != null) {
            createOrJoinLogoutSession.setAuthNote(AuthenticationManager.LOGOUT_INITIATING_IDP, str7);
        }
        if (iDToken != null) {
            createOrJoinLogoutSession.setAuthNote(OIDCLoginProtocol.LOGOUT_VALIDATED_ID_TOKEN_SESSION_STATE, iDToken.getSessionState());
            createOrJoinLogoutSession.setAuthNote(OIDCLoginProtocol.LOGOUT_VALIDATED_ID_TOKEN_ISSUED_AT, String.valueOf(iDToken.getIat()));
        }
        LoginFormsProvider authenticationSession = this.session.getProvider(LoginFormsProvider.class).setAuthenticationSession(createOrJoinLogoutSession);
        UserSessionModel userSessionModel = null;
        AuthenticationManager.AuthResult authenticateIdentityCookie = AuthenticationManager.authenticateIdentityCookie(this.session, this.realm, false);
        if (authenticateIdentityCookie != null) {
            userSessionModel = authenticateIdentityCookie.getSession();
            if (iDToken != null && iDToken.getSessionState() != null && !iDToken.getSessionState().equals(authenticateIdentityCookie.getSession().getId())) {
                z2 = true;
            }
        } else if (str2 == null && clientByClientId != null && str9 != null) {
            z = false;
        }
        if (userSessionModel == null && iDToken != null && iDToken.getSessionState() != null) {
            userSessionModel = this.session.sessions().getUserSession(this.realm, iDToken.getSessionState());
        }
        if (userSessionModel != null) {
            UserModel user = userSessionModel.getUser();
            createOrJoinLogoutSession.setAuthenticatedUser(user);
            authenticationSession.setUser(user);
        }
        return ((z || z2) && !this.providerConfig.suppressLogoutConfirmationScreen()) ? displayLogoutConfirmationScreen(authenticationSession, createOrJoinLogoutSession) : doBrowserLogout(createOrJoinLogoutSession);
    }

    private Response displayLogoutConfirmationScreen(LoginFormsProvider loginFormsProvider, AuthenticationSessionModel authenticationSessionModel) {
        ClientSessionCode clientSessionCode = new ClientSessionCode(this.session, this.realm, authenticationSessionModel);
        clientSessionCode.setAction(CommonClientSessionModel.Action.LOGGING_OUT.name());
        return loginFormsProvider.setClientSessionCode(clientSessionCode.getOrGenerateCode()).createLogoutConfirmPage();
    }

    @POST
    @NoCache
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response logout() {
        MultivaluedMap decodedFormParameters = this.request.getDecodedFormParameters();
        return decodedFormParameters.containsKey(AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN) ? logoutToken() : logout((String) decodedFormParameters.getFirst("redirect_uri"), (String) decodedFormParameters.getFirst(OIDCLoginProtocol.ID_TOKEN_HINT), (String) decodedFormParameters.getFirst("client_id"), (String) decodedFormParameters.getFirst(OIDCLoginProtocol.POST_LOGOUT_REDIRECT_URI_PARAM), (String) decodedFormParameters.getFirst("state"), (String) decodedFormParameters.getFirst(OIDCLoginProtocol.UI_LOCALES_PARAM), (String) decodedFormParameters.getFirst(AuthenticationManager.INITIATING_IDP_PARAM));
    }

    @NoCache
    @POST
    @Path("/logout-confirm")
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response logoutConfirmAction() {
        MultivaluedMap decodedFormParameters = this.request.getDecodedFormParameters();
        this.event.event(EventType.LOGOUT);
        String str = (String) decodedFormParameters.getFirst(LoginActionsService.SESSION_CODE);
        String str2 = (String) this.session.getContext().getUri().getQueryParameters().getFirst("client_id");
        String str3 = (String) this.session.getContext().getUri().getQueryParameters().getFirst("tab_id");
        logger.tracef("Logout confirmed. sessionCode=%s, clientId=%s, tabId=%s", str, str2, str3);
        LogoutSessionCodeChecks logoutSessionCodeChecks = new LogoutSessionCodeChecks(this.realm, this.session.getContext().getUri(), this.request, this.clientConnection, this.session, this.event, str, str2, str3);
        logoutSessionCodeChecks.initialVerify();
        if (logoutSessionCodeChecks.verifyActiveAndValidAction(CommonClientSessionModel.Action.LOGGING_OUT.name(), ClientSessionCode.ActionType.USER) && logoutSessionCodeChecks.isActionRequest() && decodedFormParameters.containsKey("confirmLogout")) {
            AuthenticationSessionModel authenticationSession = logoutSessionCodeChecks.getAuthenticationSession();
            logger.tracef("Logout code successfully verified. Logout Session is '%s'. Client ID is '%s'.", authenticationSession.getParentSession().getId(), authenticationSession.getClient().getClientId());
            return doBrowserLogout(authenticationSession);
        }
        AuthenticationSessionModel authenticationSession2 = logoutSessionCodeChecks.getAuthenticationSession();
        logger.debugf("Failed verification during logout. logoutSessionId=%s, clientId=%s, tabId=%s", authenticationSession2 != null ? authenticationSession2.getParentSession().getId() : "unknown", str2, str3);
        if (authenticationSession2 == null || authenticationSession2.getClient().equals(SystemClientUtil.getSystemClient(authenticationSession2.getRealm()))) {
            this.session.getProvider(LoginFormsProvider.class).setAttribute("skipLink", true);
        }
        this.event.error("session_expired");
        return ErrorPage.error(this.session, authenticationSession2, Response.Status.BAD_REQUEST, Messages.FAILED_LOGOUT, new Object[0]);
    }

    @NoCache
    @Path("/logout-confirm")
    @GET
    public Response logoutConfirmGet() {
        this.event.event(EventType.LOGOUT);
        String str = (String) this.session.getContext().getUri().getQueryParameters().getFirst("client_id");
        String str2 = (String) this.session.getContext().getUri().getQueryParameters().getFirst("tab_id");
        logger.tracef("Changing localization by user during logout. clientId=%s, tabId=%s, kc_locale: %s", str, str2, this.session.getContext().getUri().getQueryParameters().getFirst("kc_locale"));
        AuthenticationSessionModel initialVerifyAuthSession = new LogoutSessionCodeChecks(this.realm, this.session.getContext().getUri(), this.request, this.clientConnection, this.session, this.event, null, str, str2).initialVerifyAuthSession();
        if (initialVerifyAuthSession != null) {
            LocaleUtil.processLocaleParam(this.session, this.realm, initialVerifyAuthSession);
            return displayLogoutConfirmationScreen(this.session.getProvider(LoginFormsProvider.class).setAuthenticationSession(initialVerifyAuthSession).setUser(initialVerifyAuthSession.getAuthenticatedUser()), initialVerifyAuthSession);
        }
        logger.debugf("Failed verification when changing locale logout. clientId=%s, tabId=%s", str, str2);
        LoginFormsProvider provider = this.session.getProvider(LoginFormsProvider.class);
        if (str == null || str.equals(SystemClientUtil.getSystemClient(this.realm).getClientId())) {
            provider.setAttribute("skipLink", true);
        }
        if (AuthenticationManager.authenticateIdentityCookie(this.session, this.realm, false) == null) {
            return provider.setSuccess(Messages.SUCCESS_LOGOUT, new Object[0]).createInfoPage();
        }
        this.event.error("logout_failed");
        return ErrorPage.error(this.session, initialVerifyAuthSession, Response.Status.BAD_REQUEST, Messages.FAILED_LOGOUT, new Object[0]);
    }

    private Response doBrowserLogout(AuthenticationSessionModel authenticationSessionModel) {
        UserSessionModel userSessionModel = null;
        String authNote = authenticationSessionModel.getAuthNote(OIDCLoginProtocol.LOGOUT_VALIDATED_ID_TOKEN_SESSION_STATE);
        String authNote2 = authenticationSessionModel.getAuthNote(OIDCLoginProtocol.LOGOUT_VALIDATED_ID_TOKEN_ISSUED_AT);
        if (authNote != null && authNote2 != null) {
            try {
                userSessionModel = (UserSessionModel) LockObjectsForModification.lockUserSessionsForModification(this.session, () -> {
                    return this.session.sessions().getUserSession(this.realm, authNote);
                });
                if (userSessionModel == null) {
                    this.event.event(EventType.LOGOUT);
                    this.event.error("session_expired");
                } else {
                    checkTokenIssuedAt(Integer.valueOf(Integer.parseInt(authNote2)).intValue(), userSessionModel);
                }
            } catch (OAuthErrorException e) {
                this.event.event(EventType.LOGOUT);
                this.event.error("invalid_token");
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.SESSION_NOT_ACTIVE, new Object[0]);
            }
        }
        AuthenticationManager.AuthResult authResult = (AuthenticationManager.AuthResult) LockObjectsForModification.lockUserSessionsForModification(this.session, () -> {
            return AuthenticationManager.authenticateIdentityCookie(this.session, this.realm, false);
        });
        if (authResult != null) {
            return initiateBrowserLogout(userSessionModel != null ? userSessionModel : authResult.getSession());
        }
        if (userSessionModel != null) {
            if (authNote.equals(AuthenticationManager.getSessionIdFromSessionCookie(this.session))) {
                return initiateBrowserLogout(userSessionModel);
            }
            if (userSessionModel.getState() != UserSessionModel.State.LOGGING_OUT && userSessionModel.getState() != UserSessionModel.State.LOGGED_OUT) {
                this.event.event(EventType.LOGOUT);
                AuthenticationManager.backchannelLogout(this.session, this.realm, userSessionModel, this.session.getContext().getUri(), this.clientConnection, this.headers, true);
                String authNote3 = authenticationSessionModel.getAuthNote(OIDCLoginProtocol.LOGOUT_REDIRECT_URI);
                if (authNote3 != null) {
                    this.event.detail("redirect_uri", authNote3);
                }
                this.event.user(userSessionModel.getUser()).session(userSessionModel).success();
            }
        }
        logger.tracef("Removing logout session '%s' used during logout.", authenticationSessionModel.getParentSession().getId());
        authenticationSessionModel.getParentSession().removeAuthenticationSessionByTabId(authenticationSessionModel.getTabId());
        return LogoutUtil.sendResponseAfterLogoutFinished(this.session, authenticationSessionModel);
    }

    private Response logoutToken() {
        UserSessionModel userSessionModel;
        this.cors = Cors.add(this.request).auth().allowedMethods("POST").auth().exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS);
        MultivaluedMap decodedFormParameters = this.request.getDecodedFormParameters();
        checkSsl();
        this.event.event(EventType.LOGOUT);
        ClientModel authorizeClient = authorizeClient();
        String str = (String) decodedFormParameters.getFirst(AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN);
        if (str == null) {
            this.event.error("invalid_token");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "No refresh token", Response.Status.BAD_REQUEST);
        }
        try {
            this.session.clientPolicy().triggerOnEvent(new LogoutRequestContext(decodedFormParameters));
            try {
                RefreshToken verifyRefreshToken = this.tokenManager.verifyRefreshToken(this.session, this.realm, authorizeClient, this.request, str, false);
                boolean equals = "Offline".equals(verifyRefreshToken.getType());
                if (equals) {
                    userSessionModel = new UserSessionManager(this.session).findOfflineUserSession(this.realm, verifyRefreshToken.getSessionState());
                } else {
                    String sessionState = verifyRefreshToken.getSessionState();
                    userSessionModel = (UserSessionModel) LockObjectsForModification.lockUserSessionsForModification(this.session, () -> {
                        return this.session.sessions().getUserSession(this.realm, sessionState);
                    });
                }
                if (userSessionModel != null) {
                    checkTokenIssuedAt(verifyRefreshToken.getIssuedAt(), userSessionModel);
                    logout(userSessionModel, equals);
                }
                return this.cors.builder(Response.noContent()).build();
            } catch (OAuthErrorException e) {
                if (MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC.equals(e.getDescription())) {
                    this.event.error("not_allowed");
                    throw new CorsErrorResponseException(this.cors, e.getError(), e.getDescription(), Response.Status.UNAUTHORIZED);
                }
                this.event.error("invalid_token");
                throw new CorsErrorResponseException(this.cors, e.getError(), e.getDescription(), Response.Status.BAD_REQUEST);
            }
        } catch (ClientPolicyException e2) {
            throw new CorsErrorResponseException(this.cors, e2.getError(), e2.getErrorDetail(), e2.getErrorStatus());
        }
    }

    @POST
    @Path("/backchannel-logout")
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response backchannelLogout() {
        MultivaluedMap decodedFormParameters = this.request.getDecodedFormParameters();
        this.event.event(EventType.LOGOUT);
        String str = (String) decodedFormParameters.getFirst("logout_token");
        if (str == null) {
            this.event.error("invalid_token");
            throw new ErrorResponseException("invalid_request", "No logout token", Response.Status.BAD_REQUEST);
        }
        LogoutTokenValidationCode verifyLogoutToken = this.tokenManager.verifyLogoutToken(this.session, this.realm, str);
        if (!verifyLogoutToken.equals(LogoutTokenValidationCode.VALIDATION_SUCCESS)) {
            this.event.error("invalid_token");
            throw new ErrorResponseException("invalid_request", verifyLogoutToken.getErrorMessage(), Response.Status.BAD_REQUEST);
        }
        LogoutToken logoutToken = this.tokenManager.toLogoutToken(str).get();
        Stream<String> map = this.tokenManager.getValidOIDCIdentityProvidersForBackchannelLogout(this.realm, this.session, str, logoutToken).map(oIDCIdentityProvider -> {
            return oIDCIdentityProvider.m146getConfig().getAlias();
        });
        boolean parseBoolean = Boolean.parseBoolean(logoutToken.getEvents().getOrDefault("revoke_offline_access", false).toString());
        BackchannelLogoutResponse backchannelLogoutWithSessionId = logoutToken.getSid() != null ? backchannelLogoutWithSessionId(logoutToken.getSid(), map, parseBoolean, logoutToken.getSubject()) : backchannelLogoutFederatedUserId(logoutToken.getSubject(), map, parseBoolean);
        if (backchannelLogoutWithSessionId.getLocalLogoutSucceeded()) {
            this.session.getProvider(SecurityHeadersProvider.class).options().allowEmptyContentType();
            return oneOrMoreDownstreamLogoutsFailed(backchannelLogoutWithSessionId) ? Cors.add(this.request).auth().builder(Response.status(Response.Status.GATEWAY_TIMEOUT).type(jakarta.ws.rs.core.MediaType.APPLICATION_JSON_TYPE)).build() : Cors.add(this.request).auth().builder(Response.ok().type(jakarta.ws.rs.core.MediaType.APPLICATION_JSON_TYPE)).build();
        }
        this.event.error("logout_failed");
        throw new ErrorResponseException("server_error", "There was an error in the local logout", Response.Status.NOT_IMPLEMENTED);
    }

    private BackchannelLogoutResponse backchannelLogoutWithSessionId(String str, Stream<String> stream, boolean z, String str2) {
        AtomicReference atomicReference = new AtomicReference(new BackchannelLogoutResponse());
        ((BackchannelLogoutResponse) atomicReference.get()).setLocalLogoutSucceeded(true);
        stream.forEach(str3 -> {
            UserSessionModel userSessionModel = (UserSessionModel) LockObjectsForModification.lockUserSessionsForModification(this.session, () -> {
                return this.session.sessions().getUserSessionByBrokerSessionId(this.realm, str3 + "." + str);
            });
            if (z) {
                if (this.offlineSessionsLazyLoadingEnabled) {
                    logoutOfflineUserSessionByBrokerUserId(str3 + "." + str2, str3 + "." + str);
                } else {
                    logoutOfflineUserSession(str3 + "." + str);
                }
            }
            if (userSessionModel != null) {
                atomicReference.set(logoutUserSession(userSessionModel));
            }
        });
        return (BackchannelLogoutResponse) atomicReference.get();
    }

    private void logoutOfflineUserSession(String str) {
        UserSessionModel offlineUserSessionByBrokerSessionId = this.session.sessions().getOfflineUserSessionByBrokerSessionId(this.realm, str);
        if (offlineUserSessionByBrokerSessionId != null) {
            new UserSessionManager(this.session).revokeOfflineUserSession(offlineUserSessionByBrokerSessionId);
        }
    }

    private BackchannelLogoutResponse backchannelLogoutFederatedUserId(String str, Stream<String> stream, boolean z) {
        BackchannelLogoutResponse backchannelLogoutResponse = new BackchannelLogoutResponse();
        backchannelLogoutResponse.setLocalLogoutSucceeded(true);
        stream.forEach(str2 -> {
            if (z) {
                logoutOfflineUserSessions(str2 + "." + str);
            }
            ((List) this.session.sessions().getUserSessionByBrokerUserIdStream(this.realm, str2 + "." + str).collect(Collectors.toList())).forEach(userSessionModel -> {
                BackchannelLogoutResponse logoutUserSession = logoutUserSession(userSessionModel);
                backchannelLogoutResponse.setLocalLogoutSucceeded(backchannelLogoutResponse.getLocalLogoutSucceeded() && logoutUserSession.getLocalLogoutSucceeded());
                List<BackchannelLogoutResponse.DownStreamBackchannelLogoutResponse> clientResponses = logoutUserSession.getClientResponses();
                Objects.requireNonNull(backchannelLogoutResponse);
                clientResponses.forEach(backchannelLogoutResponse::addClientResponses);
            });
        });
        return backchannelLogoutResponse;
    }

    private void logoutOfflineUserSessions(String str) {
        UserSessionManager userSessionManager = new UserSessionManager(this.session);
        List list = (List) this.session.sessions().getOfflineUserSessionByBrokerUserIdStream(this.realm, str).collect(Collectors.toList());
        Objects.requireNonNull(userSessionManager);
        list.forEach(userSessionManager::revokeOfflineUserSession);
    }

    private void logoutOfflineUserSessionByBrokerUserId(String str, String str2) {
        UserSessionManager userSessionManager = new UserSessionManager(this.session);
        if (str == null || str2 == null) {
            return;
        }
        Stream filter = this.session.sessions().getOfflineUserSessionByBrokerUserIdStream(this.realm, str).filter(userSessionModel -> {
            return str2.equals(userSessionModel.getBrokerSessionId());
        });
        Objects.requireNonNull(userSessionManager);
        filter.forEach(userSessionManager::revokeOfflineUserSession);
    }

    private BackchannelLogoutResponse logoutUserSession(UserSessionModel userSessionModel) {
        BackchannelLogoutResponse backchannelLogout = AuthenticationManager.backchannelLogout(this.session, this.realm, userSessionModel, this.session.getContext().getUri(), this.clientConnection, this.headers, false);
        if (backchannelLogout.getLocalLogoutSucceeded()) {
            this.event.user(userSessionModel.getUser()).session(userSessionModel).success();
        }
        return backchannelLogout;
    }

    private boolean oneOrMoreDownstreamLogoutsFailed(BackchannelLogoutResponse backchannelLogoutResponse) {
        BackchannelLogoutResponse backchannelLogoutResponse2 = new BackchannelLogoutResponse();
        for (BackchannelLogoutResponse.DownStreamBackchannelLogoutResponse downStreamBackchannelLogoutResponse : backchannelLogoutResponse.getClientResponses()) {
            if (downStreamBackchannelLogoutResponse.isWithBackchannelLogoutUrl()) {
                backchannelLogoutResponse2.addClientResponses(downStreamBackchannelLogoutResponse);
            }
        }
        return backchannelLogoutResponse.getClientResponses().stream().filter((v0) -> {
            return v0.isWithBackchannelLogoutUrl();
        }).anyMatch(downStreamBackchannelLogoutResponse2 -> {
            return (downStreamBackchannelLogoutResponse2.getResponseCode().isPresent() && (downStreamBackchannelLogoutResponse2.getResponseCode().get().intValue() == Response.Status.OK.getStatusCode() || downStreamBackchannelLogoutResponse2.getResponseCode().get().intValue() == Response.Status.NO_CONTENT.getStatusCode())) ? false : true;
        });
    }

    private void logout(UserSessionModel userSessionModel, boolean z) {
        AuthenticationManager.backchannelLogout(this.session, this.realm, userSessionModel, this.session.getContext().getUri(), this.clientConnection, this.headers, true, z);
        this.event.user(userSessionModel.getUser()).session(userSessionModel).success();
    }

    private ClientModel authorizeClient() {
        ClientModel client = AuthorizeClientUtil.authorizeClient(this.session, this.event, this.cors).getClient();
        this.cors.allowedOrigins(this.session, client);
        if (client.isBearerOnly()) {
            throw new CorsErrorResponseException(this.cors, "invalid_client", "Bearer-only not allowed", Response.Status.BAD_REQUEST);
        }
        return client;
    }

    private void checkSsl() {
        if (!this.session.getContext().getUri().getBaseUri().getScheme().equals("https") && this.realm.getSslRequired().isRequired(this.clientConnection)) {
            throw new CorsErrorResponseException(this.cors.allowAllOrigins(), "invalid_request", "HTTPS required", Response.Status.FORBIDDEN);
        }
    }

    private void checkTokenIssuedAt(int i, UserSessionModel userSessionModel) throws OAuthErrorException {
        if (i + 1 < userSessionModel.getStarted()) {
            throw new OAuthErrorException("invalid_grant", "Toked issued before the user session started");
        }
    }

    private Response initiateBrowserLogout(UserSessionModel userSessionModel) {
        userSessionModel.setNote(AuthenticationManager.KEYCLOAK_LOGOUT_PROTOCOL, "openid-connect");
        logger.tracef("Calling initiateBrowserLogout for user session '%s'", userSessionModel.getId());
        Response browserLogout = AuthenticationManager.browserLogout(this.session, this.realm, userSessionModel, this.session.getContext().getUri(), this.clientConnection, this.headers);
        logger.tracef("Finished call of initiateBrowserLogout for user session '%s'", userSessionModel.getId());
        return browserLogout;
    }
}
