package io.quarkus.oidc.runtime;

import io.netty.handler.codec.http.HttpResponseStatus;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.AuthorizationCodeTokens;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.RefreshToken;
import io.quarkus.oidc.SecurityEvent;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.runtime.BlockingOperationControl;
import io.quarkus.security.AuthenticationCompletionException;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.AuthenticationRedirectException;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.smallrye.mutiny.Uni;
import io.vertx.core.http.Cookie;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.impl.ServerCookie;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.impl.CookieImpl;
import java.net.URI;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.regex.Pattern;
import org.jboss.logging.Logger;
import org.jose4j.jwt.consumer.InvalidJwtException;

/* loaded from: input_file:io/quarkus/oidc/runtime/CodeAuthenticationMechanism.class */
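/**
 * Authentication mechanism implementing the OpenID Connect authorization code flow.
 *
 * <p>Three cookies are managed here, each suffixed with the tenant id for non-default tenants
 * (see {@link #getCookieSuffix(String)}):
 * <ul>
 * <li>{@code q_session} - carries the token state produced by the token state manager;</li>
 * <li>{@code q_auth} - carries the {@code state} value of an in-flight authorization request,
 * optionally followed by {@code |} and the original request path/query to restore;</li>
 * <li>{@code q_post_logout} - carries the {@code state} value sent to the end-session endpoint.</li>
 * </ul>
 *
 * <p>This source is decompiler output: several members that the decompiler reports as originally
 * {@code private} are declared {@code public} and are kept that way so existing callers still compile.
 */
public class CodeAuthenticationMechanism extends AbstractOidcAuthenticationMechanism {
    static final String AMP = "&";
    static final String EQ = "=";
    static final String COOKIE_DELIM = "|";
    static final String SESSION_COOKIE_NAME = "q_session";
    static final String SESSION_MAX_AGE_PARAM = "session-max-age";
    private static final String STATE_COOKIE_NAME = "q_auth";
    private static final String POST_LOGOUT_COOKIE_NAME = "q_post_logout";
    static final Pattern COOKIE_PATTERN = Pattern.compile("\\|");
    private static final Logger LOG = Logger.getLogger(CodeAuthenticationMechanism.class);

    /**
     * Builds a new identity that copies the principal, roles, attributes and ID token credential of
     * {@code securityIdentity} and adds the access and refresh token credentials.
     *
     * @param securityIdentity identity produced by ID token verification
     * @param accessToken access token to expose as an {@link AccessTokenCredential}
     * @param refreshToken refresh token to expose as a {@link RefreshToken}
     * @param routingContext current request context, attached to the access token credential
     * @return the augmented identity; permission checks are delegated to {@code securityIdentity}
     */
    public static QuarkusSecurityIdentity augmentIdentity(final SecurityIdentity securityIdentity, String accessToken, String refreshToken, RoutingContext routingContext) {
        IdTokenCredential idTokenCredential = securityIdentity.getCredential(IdTokenCredential.class);
        RefreshToken refreshTokenCredential = new RefreshToken(refreshToken);
        return QuarkusSecurityIdentity.builder()
                .setPrincipal(securityIdentity.getPrincipal())
                .addCredential(idTokenCredential)
                .addCredential(new AccessTokenCredential(accessToken, refreshTokenCredential, routingContext))
                .addCredential(refreshTokenCredential)
                .addRoles(securityIdentity.getRoles())
                .addAttributes(securityIdentity.getAttributes())
                .addPermissionChecker(new Function<Permission, Uni<Boolean>>() {
                    @Override
                    public Uni<Boolean> apply(Permission permission) {
                        return securityIdentity.checkPermission(permission);
                    }
                })
                .build();
    }

    /**
     * Entry point for request authentication.
     *
     * <p>A request carrying the tenant's session cookie is re-authenticated from the stored tokens.
     * Otherwise a request carrying a {@code code} query parameter is treated as the redirect back
     * from the provider and the code flow is completed. Any other request yields an empty result.
     *
     * @param routingContext current request context
     * @param identityProviderManager manager used to verify the ID token
     * @return the authenticated identity, or a {@code Uni} with no item when neither a session
     *         cookie nor a {@code code} parameter is present
     */
    public Uni<SecurityIdentity> authenticate(final RoutingContext routingContext, final IdentityProviderManager identityProviderManager) {
        final Cookie sessionCookie = routingContext.request().getCookie(getSessionCookieName(this.resolver.resolveConfig(routingContext)));
        if (sessionCookie != null) {
            return this.resolver.resolveContext(routingContext).onItem().transformToUni(new Function<TenantConfigContext, Uni<? extends SecurityIdentity>>() {
                @Override
                public Uni<SecurityIdentity> apply(TenantConfigContext tenantConfigContext) {
                    return reAuthenticate(sessionCookie, routingContext, identityProviderManager, tenantConfigContext);
                }
            });
        }
        final String code = routingContext.request().getParam("code");
        if (code == null) {
            return Uni.createFrom().optional(Optional.empty());
        }
        return this.resolver.resolveContext(routingContext).onItem().transformToUni(new Function<TenantConfigContext, Uni<? extends SecurityIdentity>>() {
            @Override
            public Uni<SecurityIdentity> apply(TenantConfigContext tenantConfigContext) {
                return performCodeFlow(identityProviderManager, routingContext, tenantConfigContext, code);
            }
        });
    }

    /**
     * Re-authenticates a request from the tokens referenced by the session cookie.
     *
     * <p>On success the identity is augmented with the access/refresh tokens, unless the request
     * targets the configured logout path, in which case an RP-initiated logout redirect is thrown.
     * On failure: redirects are rethrown, an auto-refresh signal triggers a token refresh, an expired
     * ID token is refreshed only when {@code token.refreshExpired} is enabled, and everything else
     * becomes an {@link AuthenticationCompletionException}.
     *
     * @param cookie session cookie found on the request
     * @param routingContext current request context
     * @param identityProviderManager manager used to verify the ID token
     * @param tenantConfigContext resolved tenant configuration
     * @return the authenticated identity
     */
    public Uni<SecurityIdentity> reAuthenticate(Cookie cookie, final RoutingContext routingContext, final IdentityProviderManager identityProviderManager, final TenantConfigContext tenantConfigContext) {
        final AuthorizationCodeTokens tokens = this.resolver.getTokenStateManager().getTokens(routingContext, tenantConfigContext.oidcConfig, cookie.getValue());
        routingContext.put("access_token", tokens.getAccessToken());
        return authenticate(identityProviderManager, new IdTokenCredential(tokens.getIdToken(), routingContext)).map(new Function<SecurityIdentity, SecurityIdentity>() {
            @Override
            public SecurityIdentity apply(SecurityIdentity securityIdentity) {
                if (!isLogout(routingContext, tenantConfigContext)) {
                    return augmentIdentity(securityIdentity, tokens.getAccessToken(), tokens.getRefreshToken(), routingContext);
                }
                fireEvent(SecurityEvent.Type.OIDC_LOGOUT_RP_INITIATED, securityIdentity);
                throw redirectToLogoutEndpoint(routingContext, tenantConfigContext, tokens.getIdToken());
            }
        }).onFailure().recoverWithUni(new Function<Throwable, Uni<? extends SecurityIdentity>>() {
            @Override
            public Uni<? extends SecurityIdentity> apply(Throwable th) {
                if (th instanceof AuthenticationRedirectException) {
                    throw ((AuthenticationRedirectException) th);
                }
                if (th instanceof TokenAutoRefreshException) {
                    return refreshSecurityIdentity(tenantConfigContext, tokens.getRefreshToken(), routingContext, identityProviderManager, true, ((TokenAutoRefreshException) th).getSecurityIdentity());
                }
                Throwable cause = th.getCause();
                // hasErrorCode is declared on InvalidJwtException, so the cause must be cast first
                // (the decompiled source called it on Throwable). Code 1 is jose4j's ErrorCodes.EXPIRED.
                boolean tokenExpired = cause instanceof InvalidJwtException && ((InvalidJwtException) cause).hasErrorCode(1);
                if (!tokenExpired) {
                    LOG.debugf("Authentication failure: %s", cause);
                    throw new AuthenticationCompletionException(cause);
                }
                if (tenantConfigContext.oidcConfig.token.refreshExpired) {
                    LOG.debug("Token has expired, trying to refresh it");
                    return refreshSecurityIdentity(tenantConfigContext, tokens.getRefreshToken(), routingContext, identityProviderManager, false, null);
                }
                LOG.debug("Token has expired, token refresh is not allowed");
                throw new AuthenticationCompletionException(cause);
            }
        });
    }

    /**
     * Reports whether the request identifies itself as script-initiated through the
     * {@code X-Requested-With} header. The header is client-supplied, so this is a hint only.
     */
    private boolean isJavaScript(RoutingContext routingContext) {
        String requestedWith = routingContext.request().getHeader("X-Requested-With");
        return "JavaScript".equals(requestedWith) || "XMLHttpRequest".equals(requestedWith);
    }

    /**
     * Decides whether an unauthenticated request is redirected to the provider. Script-initiated
     * requests follow the {@code javaScriptAutoRedirect} setting; all others are always redirected.
     */
    private boolean shouldAutoRedirect(TenantConfigContext tenantConfigContext, RoutingContext routingContext) {
        if (isJavaScript(routingContext)) {
            return tenantConfigContext.oidcConfig.authentication.javaScriptAutoRedirect;
        }
        return true;
    }

    /**
     * Resolves the tenant configuration and produces the authentication challenge for the request.
     *
     * @param routingContext current request context
     * @return the challenge data, see {@link #getChallengeInternal(RoutingContext, TenantConfigContext)}
     */
    public Uni<ChallengeData> getChallenge(final RoutingContext routingContext) {
        return this.resolver.resolveContext(routingContext).onItem().transformToUni(new Function<TenantConfigContext, Uni<? extends ChallengeData>>() {
            @Override
            public Uni<ChallengeData> apply(TenantConfigContext tenantConfigContext) {
                return getChallengeInternal(routingContext, tenantConfigContext);
            }
        });
    }

    /**
     * Builds the challenge for an unauthenticated request.
     *
     * <p>Any existing session cookie is removed first. When auto-redirect is disabled for a
     * script-initiated request, status 499 with {@code WWW-Authenticate: OIDC} is returned.
     * Otherwise a 302 redirect to the provider's authorization endpoint is returned, carrying
     * {@code response_type}, {@code client_id}, {@code scope}, {@code redirect_uri}, a freshly
     * generated {@code state} and any configured extra parameters.
     *
     * @param routingContext current request context
     * @param tenantConfigContext resolved tenant configuration
     * @return the challenge data
     */
    public Uni<ChallengeData> getChallengeInternal(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        removeCookie(routingContext, tenantConfigContext, getSessionCookieName(tenantConfigContext.oidcConfig));
        if (!shouldAutoRedirect(tenantConfigContext, routingContext)) {
            return Uni.createFrom().item(new ChallengeData(499, "WWW-Authenticate", "OIDC"));
        }
        StringBuilder query = new StringBuilder();
        query.append("response_type").append(EQ).append("code");
        query.append(AMP).append("client_id").append(EQ).append(OidcCommonUtils.urlEncode((String) tenantConfigContext.oidcConfig.clientId.get()));

        // "openid" is always requested; configured scopes are appended to it.
        // The decompiled lambda referenced an undefined register variable (r1) and did not compile.
        List<String> scopes = new ArrayList<>();
        scopes.add("openid");
        tenantConfigContext.oidcConfig.getAuthentication().scopes.ifPresent(scopes::addAll);
        query.append(AMP).append("scope").append(EQ).append(OidcCommonUtils.urlEncode(String.join(" ", scopes)));

        String redirectPath = getRedirectPath(tenantConfigContext, routingContext);
        String redirectUri = buildUri(routingContext, isForceHttps(tenantConfigContext), redirectPath);
        LOG.debugf("Authentication request redirect_uri parameter: %s", redirectUri);
        query.append(AMP).append("redirect_uri").append(EQ).append(OidcCommonUtils.urlEncode(redirectUri));
        // The state value is a random UUID string, so it needs no URL encoding.
        query.append(AMP).append("state").append(EQ).append(generateCodeFlowState(routingContext, tenantConfigContext, redirectPath));
        Map<String, String> extraParams = tenantConfigContext.oidcConfig.authentication.getExtraParams();
        if (extraParams != null) {
            // Only the values are encoded; the keys come from configuration and are appended as-is.
            for (Map.Entry<String, String> entry : extraParams.entrySet()) {
                query.append(AMP).append(entry.getKey()).append(EQ).append(OidcCommonUtils.urlEncode(entry.getValue()));
            }
        }
        return Uni.createFrom().item(new ChallengeData(HttpResponseStatus.FOUND.code(), HttpHeaders.LOCATION, tenantConfigContext.provider.getMetadata().getAuthorizationUri() + "?" + query.toString()));
    }

    /**
     * Completes the code flow after the provider redirects back with a {@code code}.
     *
     * <p>The {@code state} query parameter must be present exactly once, be non-empty and equal the
     * state stored in the state cookie; this binds the callback to the browser that started the flow.
     * The state cookie is then removed, the code is exchanged for tokens and the ID token verified.
     * When redirect parameters are to be removed or an original path/query was saved in the state
     * cookie, the method ends with a redirect to the final URI instead of returning an identity.
     *
     * @param identityProviderManager manager used to verify the ID token
     * @param routingContext current request context
     * @param tenantConfigContext resolved tenant configuration
     * @param code authorization code from the callback request
     * @return the authenticated identity, or a failure with {@link AuthenticationCompletionException}
     *         or {@link AuthenticationRedirectException}
     */
    public Uni<SecurityIdentity> performCodeFlow(final IdentityProviderManager identityProviderManager, final RoutingContext routingContext, final TenantConfigContext tenantConfigContext, String code) {
        io.vertx.ext.web.Cookie stateCookie = routingContext.getCookie(getStateCookieName(tenantConfigContext));
        if (stateCookie == null) {
            LOG.debug("The state cookie is missing after a redirect from IDP, authentication has failed");
            return Uni.createFrom().failure(new AuthenticationCompletionException());
        }
        List<String> stateValues = routingContext.queryParam("state");
        // An empty value is rejected explicitly: it would otherwise compare equal to an empty cookie state.
        if (stateValues.size() != 1 || stateValues.get(0).isEmpty()) {
            LOG.debug("State parameter can not be empty or multi-valued");
            return Uni.createFrom().failure(new AuthenticationCompletionException());
        }
        // Compare the whole state component of the cookie. A prefix match (startsWith) accepts any
        // truncated value, including the empty string, and so does not prove the caller knows the state.
        String[] cookieParts = COOKIE_PATTERN.split(stateCookie.getValue());
        if (cookieParts.length == 0 || !cookieParts[0].equals(stateValues.get(0))) {
            LOG.debug("State cookie value does not match the state query parameter value");
            return Uni.createFrom().failure(new AuthenticationCompletionException());
        }
        String restoredPath = null;
        String restoredQuery = null;
        if (cookieParts.length == 2) {
            // The second component is the original request path, optionally followed by '?' and its query.
            int queryStart = cookieParts[1].indexOf("?");
            if (queryStart >= 0) {
                restoredPath = cookieParts[1].substring(0, queryStart);
                if (queryStart + 1 < cookieParts[1].length()) {
                    restoredQuery = cookieParts[1].substring(queryStart + 1);
                }
            } else {
                restoredPath = cookieParts[1];
            }
        }
        removeCookie(routingContext, tenantConfigContext, getStateCookieName(tenantConfigContext));
        final String userPath = restoredPath;
        final String userQuery = restoredQuery;
        return getCodeFlowTokensUni(routingContext, tenantConfigContext, code).onItemOrFailure().transformToUni(new BiFunction<AuthorizationCodeTokens, Throwable, Uni<? extends SecurityIdentity>>() {
            @Override
            public Uni<SecurityIdentity> apply(final AuthorizationCodeTokens tokens, Throwable th) {
                if (th != null) {
                    LOG.debugf("Exception during the code to token exchange: %s", th.getMessage());
                    return Uni.createFrom().failure(new AuthenticationCompletionException(th));
                }
                routingContext.put("new_authentication", Boolean.TRUE);
                routingContext.put("access_token", tokens.getAccessToken());
                return authenticate(identityProviderManager, new IdTokenCredential(tokens.getIdToken(), routingContext)).map(new Function<SecurityIdentity, SecurityIdentity>() {
                    @Override
                    public SecurityIdentity apply(SecurityIdentity securityIdentity) {
                        processSuccessfulAuthentication(routingContext, tenantConfigContext, tokens, securityIdentity);
                        boolean removeRedirectParameters = tenantConfigContext.oidcConfig.authentication.isRemoveRedirectParameters();
                        if (!removeRedirectParameters && userPath == null && userQuery == null) {
                            return augmentIdentity(securityIdentity, tokens.getAccessToken(), tokens.getRefreshToken(), routingContext);
                        }
                        URI requestUri = URI.create(routingContext.request().absoluteURI());
                        // The restored path is only ever appended to the current request's authority.
                        // NOTE(review): the state cookie is not integrity-protected in this class; confirm
                        // the restored path cannot be influenced by another origin in the deployment.
                        StringBuilder finalUri = new StringBuilder(buildUri(routingContext, isForceHttps(tenantConfigContext), requestUri.getAuthority(), userPath != null ? userPath : requestUri.getRawPath()));
                        if (!removeRedirectParameters) {
                            finalUri.append('?').append(requestUri.getRawQuery());
                        }
                        if (userQuery != null) {
                            // When the callback query was kept, the restored query must be joined with
                            // '&'; appending it directly would fuse it with the last callback parameter.
                            finalUri.append(removeRedirectParameters ? "?" : AMP);
                            finalUri.append(userQuery);
                        }
                        String redirectUri = finalUri.toString();
                        LOG.debugf("Final redirect URI: %s", redirectUri);
                        throw new AuthenticationRedirectException(redirectUri);
                    }
                }).onFailure().transform(new Function<Throwable, Throwable>() {
                    @Override
                    public Throwable apply(Throwable failure) {
                        return failure instanceof AuthenticationRedirectException ? failure : new AuthenticationCompletionException(failure);
                    }
                });
            }
        });
    }

    /**
     * Establishes the session after a successful code exchange or token refresh.
     *
     * <p>The previous session cookie is removed and a new one is created whose max-age is the ID
     * token lifetime ({@code exp - iat}) plus the configured lifespan grace, plus the session age
     * extension when refreshing expired tokens is enabled. An {@code OIDC_LOGIN} event is then fired.
     *
     * @param routingContext current request context
     * @param tenantConfigContext resolved tenant configuration
     * @param authorizationCodeTokens tokens returned by the provider
     * @param securityIdentity verified identity, used for the security event
     * @throws AuthenticationCompletionException if the ID token lacks the {@code exp} or {@code iat} claim
     */
    public void processSuccessfulAuthentication(RoutingContext routingContext, TenantConfigContext tenantConfigContext, AuthorizationCodeTokens authorizationCodeTokens, SecurityIdentity securityIdentity) {
        removeCookie(routingContext, tenantConfigContext, getSessionCookieName(tenantConfigContext.oidcConfig));
        JsonObject idTokenClaims = OidcUtils.decodeJwtContent(authorizationCodeTokens.getIdToken());
        if (!idTokenClaims.containsKey("exp") || !idTokenClaims.containsKey("iat")) {
            LOG.debug("ID Token is required to contain 'exp' and 'iat' claims");
            throw new AuthenticationCompletionException();
        }
        long maxAge = idTokenClaims.getLong("exp").longValue() - idTokenClaims.getLong("iat").longValue();
        if (tenantConfigContext.oidcConfig.token.lifespanGrace.isPresent()) {
            maxAge += tenantConfigContext.oidcConfig.token.lifespanGrace.getAsInt();
        }
        if (tenantConfigContext.oidcConfig.token.refreshExpired) {
            // Keep the cookie alive past ID token expiry so the refresh token can still be used.
            maxAge += tenantConfigContext.oidcConfig.authentication.sessionAgeExtension.getSeconds();
        }
        routingContext.put(SESSION_MAX_AGE_PARAM, Long.valueOf(maxAge));
        String tokenState = this.resolver.getTokenStateManager().createTokenState(routingContext, tenantConfigContext.oidcConfig, authorizationCodeTokens);
        createCookie(routingContext, tenantConfigContext.oidcConfig, getSessionCookieName(tenantConfigContext.oidcConfig), tokenState, maxAge);
        fireEvent(SecurityEvent.Type.OIDC_LOGIN, securityIdentity);
    }

    /**
     * Fires a {@link SecurityEvent} of the given type, but only when the resolver reports that
     * security events are observed.
     */
    public void fireEvent(SecurityEvent.Type type, SecurityIdentity securityIdentity) {
        if (this.resolver.isSecurityEventObserved()) {
            this.resolver.getSecurityEvent().fire(new SecurityEvent(type, securityIdentity));
        }
    }

    /** Returns the configured redirect path, or the current request path when none is configured. */
    private String getRedirectPath(TenantConfigContext tenantConfigContext, RoutingContext routingContext) {
        OidcTenantConfig.Authentication authentication = tenantConfigContext.oidcConfig.getAuthentication();
        return authentication.getRedirectPath().isPresent() ? authentication.getRedirectPath().get() : routingContext.request().path();
    }

    /**
     * Generates the {@code state} value for an authorization request and stores it in the state
     * cookie (max-age 1800 seconds).
     *
     * <p>When the original path is to be restored after the redirect, or no redirect path is
     * configured, the request path and query are appended to the cookie value after {@code |}.
     * Only the random state itself is returned and sent to the provider.
     *
     * @param redirectPath path used for the {@code redirect_uri} parameter
     * @return the random state value
     */
    private String generateCodeFlowState(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String redirectPath) {
        String state = UUID.randomUUID().toString();
        String cookieValue = state;
        OidcTenantConfig.Authentication authentication = tenantConfigContext.oidcConfig.getAuthentication();
        if (authentication.isRestorePathAfterRedirect() || !authentication.redirectPath.isPresent()) {
            String query = routingContext.request().query();
            // Nothing needs restoring when the request already targets the redirect path without a query.
            String pathToRestore = (redirectPath.equals(routingContext.request().path()) && query == null) ? "" : routingContext.request().path();
            if (query != null) {
                pathToRestore = pathToRestore + "?" + query;
            }
            if (!pathToRestore.isEmpty()) {
                cookieValue = cookieValue + COOKIE_DELIM + pathToRestore;
            }
        }
        createCookie(routingContext, tenantConfigContext.oidcConfig, getStateCookieName(tenantConfigContext), cookieValue, 1800L);
        return state;
    }

    /**
     * Replaces the post-logout cookie with a new random state value (max-age 1800 seconds).
     *
     * @return the new state value
     */
    private String generatePostLogoutState(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        removeCookie(routingContext, tenantConfigContext, getPostLogoutCookieName(tenantConfigContext));
        return createCookie(routingContext, tenantConfigContext.oidcConfig, getPostLogoutCookieName(tenantConfigContext), UUID.randomUUID().toString(), 1800L).getValue();
    }

    /**
     * Creates a cookie and adds it to the response.
     *
     * <p>The cookie is always {@code HttpOnly}. It is marked {@code Secure} when the request arrived
     * over TLS or {@code cookieForceSecure} is set; behind a TLS-terminating proxy the latter is the
     * only thing that sets the flag here.
     * NOTE(review): no SameSite attribute is set in this method - confirm whether one is applied elsewhere.
     *
     * @param routingContext current request context
     * @param oidcTenantConfig tenant configuration supplying path, domain and secure settings
     * @param name cookie name
     * @param value cookie value
     * @param maxAge cookie max-age in seconds
     * @return the created cookie
     */
    public static ServerCookie createCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig, String name, String value, long maxAge) {
        CookieImpl cookie = new CookieImpl(name, value);
        cookie.setHttpOnly(true);
        cookie.setSecure(oidcTenantConfig.authentication.cookieForceSecure || routingContext.request().isSSL());
        cookie.setMaxAge(maxAge);
        // The name is passed as an argument: it contains the tenant id and must not be part of the format string.
        LOG.debugf("%s cookie 'max-age' parameter is set to %d", name, maxAge);
        OidcTenantConfig.Authentication authentication = oidcTenantConfig.getAuthentication();
        setCookiePath(routingContext, authentication, cookie);
        if (authentication.cookieDomain.isPresent()) {
            cookie.setDomain(authentication.getCookieDomain().get());
        }
        routingContext.response().addCookie(cookie);
        return cookie;
    }

    /**
     * Sets the cookie path from the request header named by {@code cookiePathHeader} when that
     * header is configured and present, otherwise from the configured cookie path.
     *
     * <p>The header value is taken from the request unchanged, so the option is only safe when the
     * header is set or overwritten by a trusted proxy.
     */
    static void setCookiePath(RoutingContext routingContext, OidcTenantConfig.Authentication authentication, ServerCookie serverCookie) {
        if (authentication.cookiePathHeader.isPresent() && routingContext.request().headers().contains(authentication.cookiePathHeader.get())) {
            serverCookie.setPath(routingContext.request().getHeader(authentication.cookiePathHeader.get()));
        } else {
            serverCookie.setPath(authentication.getCookiePath());
        }
    }

    /** Builds an absolute URI for {@code path} using the authority of the current request URI. */
    private String buildUri(RoutingContext routingContext, boolean forceHttps, String path) {
        return buildUri(routingContext, forceHttps, URI.create(routingContext.request().absoluteURI()).getAuthority(), path);
    }

    /**
     * Builds an absolute URI from scheme, authority, optional forwarded prefix and path.
     *
     * <p>The scheme is {@code https} when forced, else the request scheme. When the resolver enables
     * it, a {@code X-Forwarded-Prefix} header other than {@code /} or {@code //} is inserted before
     * the path with one trailing slash removed. That header is request-supplied and is used without
     * validation, so the option assumes a trusted proxy sets it.
     *
     * @param routingContext current request context
     * @param forceHttps whether to force the {@code https} scheme
     * @param authority authority component to use
     * @param path path (and optionally query) to append
     * @return the assembled URI string
     */
    public String buildUri(RoutingContext routingContext, boolean forceHttps, String authority, String path) {
        String scheme = forceHttps ? "https" : routingContext.request().scheme();
        String prefix = "";
        if (this.resolver.isEnableHttpForwardedPrefix()) {
            String forwardedPrefix = routingContext.request().getHeader("X-Forwarded-Prefix");
            if (forwardedPrefix != null && !forwardedPrefix.equals("/") && !forwardedPrefix.equals("//")) {
                prefix = forwardedPrefix.endsWith("/") ? forwardedPrefix.substring(0, forwardedPrefix.length() - 1) : forwardedPrefix;
            }
        }
        return scheme + "://" + authority + prefix + path;
    }

    /**
     * Expires the named cookie if the request carries it. For the tenant's session cookie the
     * stored tokens are deleted through the token state manager first.
     */
    private void removeCookie(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String cookieName) {
        ServerCookie serverCookie = (ServerCookie) routingContext.cookieMap().get(cookieName);
        if (serverCookie != null) {
            // Match the tenant-specific session cookie name. Comparing with the bare "q_session"
            // constant skipped token deletion for every non-default tenant, whose cookie is suffixed.
            if (getSessionCookieName(tenantConfigContext.oidcConfig).equals(cookieName)) {
                this.resolver.getTokenStateManager().deleteTokens(routingContext, tenantConfigContext.oidcConfig, serverCookie.getValue());
            }
            removeCookie(routingContext, serverCookie, tenantConfigContext.oidcConfig);
        }
    }

    /**
     * Expires a cookie by blanking its value and setting max-age to 0. Path and domain are set the
     * same way as in {@link #createCookie}, since a browser only drops a cookie whose path and
     * domain match the one it stored.
     *
     * @param routingContext current request context
     * @param serverCookie cookie to expire; {@code null} is ignored
     * @param oidcTenantConfig tenant configuration supplying path and domain settings
     */
    public static void removeCookie(RoutingContext routingContext, ServerCookie serverCookie, OidcTenantConfig oidcTenantConfig) {
        if (serverCookie == null) {
            return;
        }
        serverCookie.setValue("");
        serverCookie.setMaxAge(0L);
        OidcTenantConfig.Authentication authentication = oidcTenantConfig.getAuthentication();
        setCookiePath(routingContext, authentication, serverCookie);
        if (authentication.cookieDomain.isPresent()) {
            serverCookie.setDomain(authentication.cookieDomain.get());
        }
    }

    /**
     * Reports whether the request's absolute URI equals the URI built from the configured logout
     * path. Returns {@code false} when no logout path is configured.
     */
    public boolean isLogout(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        Optional<String> logoutPath = tenantConfigContext.oidcConfig.logout.path;
        if (logoutPath.isPresent()) {
            return routingContext.request().absoluteURI().equals(buildUri(routingContext, false, logoutPath.get()));
        }
        return false;
    }

    /**
     * Refreshes the tokens with the refresh token grant and re-establishes the session.
     *
     * <p>If the refresh fails during an auto-refresh, the still-valid {@code fallback} identity is
     * returned; if it fails for an expired session, the result is an
     * {@link AuthenticationFailedException}.
     *
     * @param tenantConfigContext resolved tenant configuration
     * @param refreshToken refresh token to present to the provider
     * @param routingContext current request context
     * @param identityProviderManager manager used to verify the new ID token
     * @param autoRefresh {@code true} when the current ID token is still valid and is being refreshed early
     * @param fallback identity to keep when an auto-refresh fails; unused when {@code autoRefresh} is false
     * @return the refreshed identity, or {@code fallback} as described above
     */
    public Uni<SecurityIdentity> refreshSecurityIdentity(final TenantConfigContext tenantConfigContext, String refreshToken, final RoutingContext routingContext, final IdentityProviderManager identityProviderManager, final boolean autoRefresh, final SecurityIdentity fallback) {
        return refreshTokensUni(tenantConfigContext, refreshToken).onItemOrFailure().transformToUni(new BiFunction<AuthorizationCodeTokens, Throwable, Uni<? extends SecurityIdentity>>() {
            @Override
            public Uni<SecurityIdentity> apply(final AuthorizationCodeTokens tokens, Throwable th) {
                if (th != null) {
                    LOG.debugf("ID token refresh has failed: %s", th.getMessage());
                    if (!autoRefresh) {
                        return Uni.createFrom().failure(new AuthenticationFailedException(th));
                    }
                    LOG.debug("Using the current SecurityIdentity since the ID token is still valid");
                    // 'th' is the refresh failure, not a TokenAutoRefreshException; casting it would
                    // throw ClassCastException. The identity to keep is the one the caller passed in.
                    return Uni.createFrom().item(fallback);
                }
                routingContext.put("access_token", tokens.getAccessToken());
                routingContext.put("refresh_token_grant_response", Boolean.TRUE);
                return authenticate(identityProviderManager, new IdTokenCredential(tokens.getIdToken(), routingContext)).map(new Function<SecurityIdentity, SecurityIdentity>() {
                    @Override
                    public SecurityIdentity apply(SecurityIdentity refreshedIdentity) {
                        processSuccessfulAuthentication(routingContext, tenantConfigContext, tokens, refreshedIdentity);
                        QuarkusSecurityIdentity augmented = augmentIdentity(refreshedIdentity, tokens.getAccessToken(), tokens.getRefreshToken(), routingContext);
                        fireEvent(autoRefresh ? SecurityEvent.Type.OIDC_SESSION_REFRESHED : SecurityEvent.Type.OIDC_SESSION_EXPIRED_AND_REFRESHED, augmented);
                        return augmented;
                    }
                }).onFailure().transform(new Function<Throwable, Throwable>() {
                    @Override
                    public Throwable apply(Throwable failure) {
                        return new AuthenticationFailedException(failure);
                    }
                });
            }
        });
    }

    /**
     * Requests new tokens with the refresh token grant, moving the subscription to the resolver's
     * blocking executor when the current thread does not allow blocking operations.
     */
    private Uni<AuthorizationCodeTokens> refreshTokensUni(TenantConfigContext tenantConfigContext, String refreshToken) {
        return tenantConfigContext.provider.refreshTokens(refreshToken).plug(uni -> {
            return !BlockingOperationControl.isBlockingAllowed() ? uni.runSubscriptionOn(this.resolver.getBlockingExecutor()) : uni;
        });
    }

    /**
     * Exchanges the authorization code for tokens. The {@code redirect_uri} sent with the token
     * request is rebuilt the same way as for the authorization request. The subscription is moved
     * to the resolver's blocking executor when the current thread does not allow blocking operations.
     */
    private Uni<AuthorizationCodeTokens> getCodeFlowTokensUni(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String code) {
        String redirectUri = buildUri(routingContext, isForceHttps(tenantConfigContext), getRedirectPath(tenantConfigContext, routingContext));
        LOG.debugf("Token request redirect_uri parameter: %s", redirectUri);
        return tenantConfigContext.provider.getCodeFlowTokens(code, redirectUri).plug(uni -> {
            return !BlockingOperationControl.isBlockingAllowed() ? uni.runSubscriptionOn(this.resolver.getBlockingExecutor()) : uni;
        });
    }

    /**
     * Builds the RP-initiated logout URI for the provider's end-session endpoint, with
     * {@code id_token_hint} and, when a post-logout path is configured,
     * {@code post_logout_redirect_uri} and a fresh {@code state}.
     *
     * <p>Parameter values are URL-encoded, consistent with the authorization request built in
     * {@link #getChallengeInternal}: the redirect URI contains reserved characters and may include
     * a request-derived authority and forwarded prefix.
     */
    private String buildLogoutRedirectUri(TenantConfigContext tenantConfigContext, String idToken, RoutingContext routingContext) {
        StringBuilder logoutUri = new StringBuilder(tenantConfigContext.provider.getMetadata().getEndSessionUri())
                .append("?").append("id_token_hint=").append(OidcCommonUtils.urlEncode(idToken));
        if (tenantConfigContext.oidcConfig.logout.postLogoutPath.isPresent()) {
            String postLogoutUri = buildUri(routingContext, isForceHttps(tenantConfigContext), tenantConfigContext.oidcConfig.logout.postLogoutPath.get());
            logoutUri.append("&post_logout_redirect_uri=").append(OidcCommonUtils.urlEncode(postLogoutUri));
            logoutUri.append("&state=").append(generatePostLogoutState(routingContext, tenantConfigContext));
        }
        return logoutUri.toString();
    }

    /** Returns the tenant's {@code forceRedirectHttpsScheme} setting. */
    public boolean isForceHttps(TenantConfigContext tenantConfigContext) {
        return tenantConfigContext.oidcConfig.authentication.forceRedirectHttpsScheme;
    }

    /**
     * Removes the session cookie and returns (does not throw) the redirect exception that sends
     * the user agent to the provider's end-session endpoint.
     */
    public AuthenticationRedirectException redirectToLogoutEndpoint(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String idToken) {
        removeCookie(routingContext, tenantConfigContext, getSessionCookieName(tenantConfigContext.oidcConfig));
        return new AuthenticationRedirectException(buildLogoutRedirectUri(tenantConfigContext, idToken, routingContext));
    }

    /** Returns the state cookie name for the tenant. */
    private static String getStateCookieName(TenantConfigContext tenantConfigContext) {
        return STATE_COOKIE_NAME + getCookieSuffix(tenantConfigContext.oidcConfig.tenantId.get());
    }

    /** Returns the post-logout cookie name for the tenant. */
    private static String getPostLogoutCookieName(TenantConfigContext tenantConfigContext) {
        return POST_LOGOUT_COOKIE_NAME + getCookieSuffix(tenantConfigContext.oidcConfig.tenantId.get());
    }

    /** Returns the session cookie name for the tenant. */
    private static String getSessionCookieName(OidcTenantConfig oidcTenantConfig) {
        return SESSION_COOKIE_NAME + getCookieSuffix(oidcTenantConfig.tenantId.get());
    }

    /**
     * Returns the cookie name suffix for a tenant: empty for the {@code Default} tenant, otherwise
     * {@code _} followed by the tenant id.
     */
    public static String getCookieSuffix(String tenantId) {
        return !"Default".equals(tenantId) ? "_" + tenantId : "";
    }
}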
