package io.quarkus.oidc.runtime;

import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.TokenIntrospection;
import io.quarkus.oidc.TokenIntrospectionCache;
import io.quarkus.oidc.UserInfo;
import io.quarkus.oidc.UserInfoCache;
import io.quarkus.security.AuthenticationCompletionException;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.credential.TokenCredential;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.IdentityProvider;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
import io.smallrye.mutiny.Uni;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.Supplier;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;
import org.jose4j.lang.UnresolvableKeyException;

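/**
 * Identity provider that turns an OIDC {@link AccessTokenCredential} or {@link IdTokenCredential}
 * into a {@link SecurityIdentity}.
 *
 * <p>Verification strategy, in the order checked by the private {@code authenticate} overload:
 * <ol>
 *   <li>a public key configured for the tenant: local verification only;</li>
 *   <li>a certificate-chain trust store configured for the tenant: local verification only;</li>
 *   <li>otherwise the OIDC server is involved: local JWK verification, remote token
 *       introspection and/or a UserInfo call, depending on tenant configuration and token type.</li>
 * </ol>
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Remote introspection is used as a fallback for a JWT only when local verification failed
 *       with an {@link UnresolvableKeyException} cause and JWT introspection is allowed; any other
 *       local verification failure is final.</li>
 *   <li>An internal ID token is decoded without verification when the request data carries
 *       {@code new_authentication == Boolean.TRUE}.</li>
 *   <li>Every failure is surfaced as a failed {@link Uni}; no branch produces an identity after an
 *       error.</li>
 * </ul>
 *
 * <p>This listing is decompiler output. Anonymous classes are kept as in the listing.
 */
@ApplicationScoped
public class OidcIdentityProvider implements IdentityProvider<TokenAuthenticationRequest> {
    /** Request-data key; when mapped to {@code Boolean.TRUE}, auto-refresh is not triggered again. */
    static final String REFRESH_TOKEN_GRANT_RESPONSE = "refresh_token_grant_response";
    /** Request-data key; when mapped to {@code Boolean.TRUE}, the tokens were just obtained. */
    static final String NEW_AUTHENTICATION = "new_authentication";
    /** Request-data key under which the code-flow access token verification result is stored. */
    private static final String CODE_ACCESS_TOKEN_RESULT = "code_flow_access_token_result";
    protected final DefaultTenantConfigResolver tenantResolver;
    private final BlockingTaskRunner<Void> uniVoidOidcContext;
    private final BlockingTaskRunner<TokenIntrospection> getIntrospectionRequestContext;
    private final BlockingTaskRunner<UserInfo> getUserInfoRequestContext;
    private static final Logger LOG = Logger.getLogger(OidcIdentityProvider.class);
    private static final Uni<TokenVerificationResult> NULL_CODE_ACCESS_TOKEN_UNI = Uni.createFrom().nullItem();

    /**
     * Creates the provider and one blocking task runner per cache operation type.
     *
     * <p>Decompiler note: the listing reports this constructor as package-private in the original class.
     *
     * @param defaultTenantConfigResolver resolver for the tenant configuration and the caches
     * @param blockingSecurityExecutor executor backing the blocking task runners
     */
    public OidcIdentityProvider(DefaultTenantConfigResolver defaultTenantConfigResolver, BlockingSecurityExecutor blockingSecurityExecutor) {
        this.tenantResolver = defaultTenantConfigResolver;
        this.uniVoidOidcContext = new BlockingTaskRunner<>(blockingSecurityExecutor);
        this.getIntrospectionRequestContext = new BlockingTaskRunner<>(blockingSecurityExecutor);
        this.getUserInfoRequestContext = new BlockingTaskRunner<>(blockingSecurityExecutor);
    }

    /** @return the request type handled by this provider */
    @Override
    public Class<TokenAuthenticationRequest> getRequestType() {
        return TokenAuthenticationRequest.class;
    }

    /**
     * Authenticates a token request.
     *
     * @param tokenAuthenticationRequest request carrying the token credential
     * @param authenticationRequestContext context stored on the routing context for tenant resolution
     * @return a {@code Uni} with the identity, a {@code null} item when the credential is neither an
     *         access token nor an ID token credential, or a failure when verification fails
     */
    @Override
    public Uni<SecurityIdentity> authenticate(final TokenAuthenticationRequest tokenAuthenticationRequest, AuthenticationRequestContext authenticationRequestContext) {
        TokenCredential credential = tokenAuthenticationRequest.getToken();
        if (!(credential instanceof AccessTokenCredential) && !(credential instanceof IdTokenCredential)) {
            // Not an OIDC credential: a null item leaves the request to other providers.
            return Uni.createFrom().nullItem();
        }
        LOG.debug("Starting creating SecurityIdentity");
        return resolveTenantConfigContext(tokenAuthenticationRequest, authenticationRequestContext).onItem().transformToUni(new Function<TenantConfigContext, Uni<? extends SecurityIdentity>>() {
            @Override
            public Uni<SecurityIdentity> apply(final TenantConfigContext tenantConfigContext) {
                // Deferred, so an exception thrown while the chain is being built (verifyTokenUni
                // throws synchronously in one branch) is created inside the Uni supplier.
                return Uni.createFrom().deferred(new Supplier<Uni<? extends SecurityIdentity>>() {
                    @Override
                    public Uni<? extends SecurityIdentity> get() {
                        return OidcIdentityProvider.this.authenticate(tokenAuthenticationRequest, OidcIdentityProvider.this.getRequestData(tokenAuthenticationRequest), tenantConfigContext);
                    }
                });
            }
        });
    }

    /**
     * Stores the authentication request context on the routing context and resolves the tenant.
     *
     * @return a {@code Uni} with the tenant configuration context for this request
     */
    protected Uni<TenantConfigContext> resolveTenantConfigContext(TokenAuthenticationRequest tokenAuthenticationRequest, AuthenticationRequestContext authenticationRequestContext) {
        RoutingContext routingContext = HttpSecurityUtils.getRoutingContextAttribute(tokenAuthenticationRequest);
        return this.tenantResolver.resolveContext(routingContext.put(AuthenticationRequestContext.class.getName(), authenticationRequestContext));
    }

    /** @return the data map of the routing context attached to the request */
    protected Map<String, Object> getRequestData(TokenAuthenticationRequest tokenAuthenticationRequest) {
        return HttpSecurityUtils.getRoutingContextAttribute(tokenAuthenticationRequest).data();
    }

    /**
     * Selects local-only verification when the tenant has a public key or a certificate-chain
     * trust store configured, and server-assisted verification otherwise.
     */
    private Uni<SecurityIdentity> authenticate(TokenAuthenticationRequest request, Map<String, Object> requestData, TenantConfigContext resolvedContext) {
        if (resolvedContext.oidcConfig.publicKey.isPresent()) {
            LOG.debug("Performing token verification with a configured public key");
            return validateTokenWithoutOidcServer(request, resolvedContext);
        }
        if (resolvedContext.oidcConfig.getCertificateChain().trustStoreFile.isPresent()) {
            LOG.debug("Performing token verification with a public key inlined in the certificate chain");
            return validateTokenWithoutOidcServer(request, resolvedContext);
        }
        return validateAllTokensWithOidcServer(requestData, request, resolvedContext);
    }

    /**
     * Verifies the primary token and, for the code flow, the access token, then builds the identity.
     *
     * <p>Two paths: when access tokens are verified with UserInfo and the access token is opaque,
     * UserInfo is obtained first (if required); otherwise the primary token is verified first and
     * UserInfo is requested afterwards.
     */
    private Uni<SecurityIdentity> validateAllTokensWithOidcServer(final Map<String, Object> requestData, final TokenAuthenticationRequest request, final TenantConfigContext resolvedContext) {
        if (resolvedContext.oidcConfig.token.verifyAccessTokenWithUserInfo.orElse(false) && isOpaqueAccessToken(requestData, request, resolvedContext)) {
            if (!resolvedContext.oidcConfig.authentication.isUserInfoRequired().orElse(false)) {
                return validateTokenWithUserInfoAndCreateIdentity(requestData, request, resolvedContext, null);
            }
            return getUserInfoUni(requestData, request, resolvedContext).onItemOrFailure().transformToUni(new BiFunction<UserInfo, Throwable, Uni<? extends SecurityIdentity>>() {
                @Override
                public Uni<SecurityIdentity> apply(UserInfo userInfo, Throwable t) {
                    if (t != null) {
                        return Uni.createFrom().failure(new AuthenticationFailedException(t));
                    }
                    return OidcIdentityProvider.this.validateTokenWithUserInfoAndCreateIdentity(requestData, request, resolvedContext, userInfo);
                }
            });
        }

        final Uni<TokenVerificationResult> primaryTokenUni;
        if (isInternalIdToken(request)) {
            if (requestData.get(NEW_AUTHENTICATION) == Boolean.TRUE) {
                // The internal ID token is only decoded here, not verified.
                // NOTE(review): this relies on new_authentication being written solely by trusted
                // server-side code into the routing context data - confirm where it is set.
                primaryTokenUni = Uni.createFrom().item(new TokenVerificationResult(OidcUtils.decodeJwtContent(request.getToken().getToken()), null));
            } else {
                primaryTokenUni = verifySelfSignedTokenUni(resolvedContext, request.getToken().getToken());
            }
        } else {
            primaryTokenUni = verifyTokenUni(requestData, resolvedContext, request.getToken(), isIdToken(request), null);
        }

        return verifyCodeFlowAccessTokenUni(requestData, request, resolvedContext, null).onItemOrFailure().transformToUni(new BiFunction<TokenVerificationResult, Throwable, Uni<? extends SecurityIdentity>>() {
            @Override
            public Uni<SecurityIdentity> apply(TokenVerificationResult codeAccessTokenResult, Throwable t) {
                if (t != null) {
                    // Avoid double wrapping when the failure already has the expected type.
                    return Uni.createFrom().failure(t instanceof AuthenticationFailedException ? t : new AuthenticationFailedException(t));
                }
                if (codeAccessTokenResult != null) {
                    if (tokenAutoRefreshPrepared(codeAccessTokenResult, requestData, resolvedContext.oidcConfig)) {
                        return Uni.createFrom().failure(new TokenAutoRefreshException(null));
                    }
                    requestData.put(CODE_ACCESS_TOKEN_RESULT, codeAccessTokenResult);
                }
                return OidcIdentityProvider.this.getUserInfoAndCreateIdentity(primaryTokenUni, requestData, request, resolvedContext);
            }
        });
    }

    /**
     * Verifies the code-flow access token (if applicable) and then the primary token, passing the
     * already obtained UserInfo to both verifications, and builds the identity.
     *
     * @param userInfo UserInfo obtained earlier, or {@code null} when it was not requested
     */
    private Uni<SecurityIdentity> validateTokenWithUserInfoAndCreateIdentity(final Map<String, Object> requestData, final TokenAuthenticationRequest request, final TenantConfigContext resolvedContext, final UserInfo userInfo) {
        return verifyCodeFlowAccessTokenUni(requestData, request, resolvedContext, userInfo).onItemOrFailure().transformToUni(new BiFunction<TokenVerificationResult, Throwable, Uni<? extends SecurityIdentity>>() {
            @Override
            public Uni<SecurityIdentity> apply(TokenVerificationResult codeAccessTokenResult, Throwable t) {
                if (t != null) {
                    return Uni.createFrom().failure(new AuthenticationFailedException(t));
                }
                if (codeAccessTokenResult != null) {
                    requestData.put(CODE_ACCESS_TOKEN_RESULT, codeAccessTokenResult);
                }
                return OidcIdentityProvider.this.verifyTokenUni(requestData, resolvedContext, request.getToken(), false, userInfo).onItemOrFailure().transformToUni(new BiFunction<TokenVerificationResult, Throwable, Uni<? extends SecurityIdentity>>() {
                    @Override
                    public Uni<SecurityIdentity> apply(TokenVerificationResult primaryResult, Throwable primaryFailure) {
                        if (primaryFailure != null) {
                            return Uni.createFrom().failure(new AuthenticationFailedException(primaryFailure));
                        }
                        return OidcIdentityProvider.this.createSecurityIdentityWithOidcServer(primaryResult, requestData, request, resolvedContext, userInfo);
                    }
                });
            }
        });
    }

    /**
     * Waits for the primary token verification, requests UserInfo when the tenant requires it,
     * and builds the identity. Any failure becomes an {@link AuthenticationFailedException}.
     */
    private Uni<SecurityIdentity> getUserInfoAndCreateIdentity(Uni<TokenVerificationResult> tokenUni, final Map<String, Object> requestData, final TokenAuthenticationRequest request, final TenantConfigContext resolvedContext) {
        return tokenUni.onItemOrFailure().transformToUni(new BiFunction<TokenVerificationResult, Throwable, Uni<? extends SecurityIdentity>>() {
            @Override
            public Uni<SecurityIdentity> apply(final TokenVerificationResult result, Throwable t) {
                if (t != null) {
                    return Uni.createFrom().failure(new AuthenticationFailedException(t));
                }
                if (!resolvedContext.oidcConfig.authentication.isUserInfoRequired().orElse(false)) {
                    return OidcIdentityProvider.this.createSecurityIdentityWithOidcServer(result, requestData, request, resolvedContext, null);
                }
                return OidcIdentityProvider.this.getUserInfoUni(requestData, request, resolvedContext).onItemOrFailure().transformToUni(new BiFunction<UserInfo, Throwable, Uni<? extends SecurityIdentity>>() {
                    @Override
                    public Uni<SecurityIdentity> apply(UserInfo userInfo, Throwable userInfoFailure) {
                        if (userInfoFailure != null) {
                            return Uni.createFrom().failure(new AuthenticationFailedException(userInfoFailure));
                        }
                        return OidcIdentityProvider.this.createSecurityIdentityWithOidcServer(result, requestData, request, resolvedContext, userInfo);
                    }
                });
            }
        });
    }

    /**
     * Tells whether the access token relevant to this request is opaque.
     *
     * <p>For an access token credential the credential itself answers. For an ID token credential
     * the code-flow access token from the request data is inspected, but only when the tenant
     * verifies that access token or takes roles from it.
     */
    private boolean isOpaqueAccessToken(Map<String, Object> requestData, TokenAuthenticationRequest request, TenantConfigContext resolvedContext) {
        TokenCredential credential = request.getToken();
        if (credential instanceof AccessTokenCredential) {
            return ((AccessTokenCredential) credential).isOpaque();
        }
        if (!(credential instanceof IdTokenCredential)) {
            return false;
        }
        if (resolvedContext.oidcConfig.authentication.verifyAccessToken || resolvedContext.oidcConfig.roles.source.orElse(null) == OidcTenantConfig.Roles.Source.accesstoken) {
            return OidcUtils.isOpaqueToken((String) requestData.get("access_token"));
        }
        return false;
    }

    /**
     * Builds the identity from a verification result obtained with the help of the OIDC server.
     *
     * <p>When the token content is available as JSON, the identity is created from its claims.
     * Otherwise the token must be an opaque access token and the identity is built from the
     * introspection result and/or UserInfo.
     *
     * @return the identity, a {@link TokenAutoRefreshException} failure carrying the identity when
     *         an ID token is due for refresh, or an authentication failure
     */
    private Uni<SecurityIdentity> createSecurityIdentityWithOidcServer(TokenVerificationResult result, Map<String, Object> requestData, TokenAuthenticationRequest request, TenantConfigContext resolvedContext, UserInfo userInfo) {
        TokenCredential tokenCred = request.getToken();
        JsonObject tokenJson = result.localVerificationResult;
        if (tokenJson == null) {
            // No local verification result: in this class that is the case after introspection or
            // UserInfo based verification, so the claims decoded here were not checked locally.
            tokenJson = OidcUtils.decodeJwtContent(tokenCred.getToken());
        }
        if (tokenJson != null) {
            try {
                OidcUtils.validatePrimaryJwtTokenType(resolvedContext.oidcConfig.token, tokenJson);
                // A token without a sub claim makes the equals call below throw; the catch turns
                // that into an AuthenticationFailedException, so the request is still rejected.
                if (userInfo != null && resolvedContext.oidcConfig.token.isSubjectRequired() && !tokenJson.getString(Claims.sub.name()).equals(userInfo.getString(Claims.sub.name()))) {
                    return Uni.createFrom().failure(new AuthenticationCompletionException("Token and UserInfo do not have matching `sub` claims"));
                }
                // getRolesJson may throw when UserInfo or the code-flow access token result is
                // missing; that is caught below as well.
                JsonObject rolesJson = getRolesJson(requestData, resolvedContext, tokenCred, tokenJson, userInfo);
                QuarkusSecurityIdentity identity = OidcUtils.validateAndCreateIdentity(requestData, tokenCred, resolvedContext, tokenJson, rolesJson, userInfo, result.introspectionResult, request);
                if (isIdToken(request) && tokenAutoRefreshPrepared(result, requestData, resolvedContext.oidcConfig)) {
                    return Uni.createFrom().failure(new TokenAutoRefreshException(identity));
                }
                return Uni.createFrom().item(identity);
            } catch (Throwable t) {
                return Uni.createFrom().failure(new AuthenticationFailedException(t));
            }
        }
        if (isIdToken(request) || ((tokenCred instanceof AccessTokenCredential) && !((AccessTokenCredential) tokenCred).isOpaque())) {
            // ID tokens and non-opaque access tokens must be readable as JSON.
            return Uni.createFrom().failure(new AuthenticationFailedException("JWT token can not be converted to JSON"));
        }

        QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
        builder.addCredential(tokenCred);
        OidcUtils.setSecurityIdentityUserInfo(builder, userInfo);
        OidcUtils.setSecurityIdentityConfigMetadata(builder, resolvedContext);
        String principalName;
        if (result.introspectionResult != null) {
            OidcUtils.setSecurityIdentityIntrospection(builder, result.introspectionResult);
            String username = result.introspectionResult.getUsername();
            if (username == null) {
                username = result.introspectionResult.getSubject();
            }
            principalName = username != null ? username : "";
            Set<String> scopes = result.introspectionResult.getScopes();
            if (scopes != null) {
                // Introspection scopes become both roles and permissions of the identity.
                builder.addRoles(scopes);
                OidcUtils.addTokenScopesAsPermissions(builder, scopes);
            }
        } else {
            // Without an introspection result the only accepted configuration is opaque token
            // introspection allowed together with UserInfo based access token verification.
            if (!resolvedContext.oidcConfig.token.allowOpaqueTokenIntrospection || !resolvedContext.oidcConfig.token.verifyAccessTokenWithUserInfo.orElse(false)) {
                LOG.debug("Illegal state - token introspection result is not available.");
                return Uni.createFrom().failure(new AuthenticationFailedException());
            }
            if (!resolvedContext.oidcConfig.token.principalClaim.isPresent() || userInfo == null) {
                principalName = "";
            } else {
                principalName = userInfo.getString(resolvedContext.oidcConfig.token.principalClaim.get());
            }
        }
        // The principal name can end up empty; it is never null.
        final String finalPrincipalName = principalName;
        builder.setPrincipal(new Principal() {
            @Override
            public String getName() {
                return finalPrincipalName != null ? finalPrincipalName : "";
            }
        });
        if (userInfo != null) {
            // Roles and permissions are read from a copy of the UserInfo JSON.
            JsonObject userInfoJson = new JsonObject(userInfo.getJsonObject().toString());
            OidcUtils.setSecurityIdentityRoles(builder, resolvedContext.oidcConfig, userInfoJson);
            OidcUtils.setSecurityIdentityPermissions(builder, resolvedContext.oidcConfig, userInfoJson);
        }
        OidcUtils.setTenantIdAttribute(builder, resolvedContext.oidcConfig);
        RoutingContext routingContext = HttpSecurityUtils.getRoutingContextAttribute(request);
        OidcUtils.setBlockingApiAttribute(builder, routingContext);
        OidcUtils.setRoutingContextAttribute(builder, routingContext);
        QuarkusSecurityIdentity identity = builder.build();
        if (isIdToken(request) && tokenAutoRefreshPrepared(result, requestData, resolvedContext.oidcConfig)) {
            return Uni.createFrom().failure(new TokenAutoRefreshException(identity));
        }
        return Uni.createFrom().item(identity);
    }

    /** @return {@code true} when the credential is an ID token credential flagged as internal */
    private static boolean isInternalIdToken(TokenAuthenticationRequest request) {
        return isIdToken(request) && ((IdTokenCredential) request.getToken()).isInternal();
    }

    /** @return {@code true} when the credential is an ID token credential */
    private static boolean isIdToken(TokenAuthenticationRequest request) {
        return request.getToken() instanceof IdTokenCredential;
    }

    /**
     * Decides whether the token should be refreshed ahead of its expiry.
     *
     * @return {@code true} only when refreshing expired tokens is enabled, a refresh time skew is
     *         configured, the request data does not mark a refresh grant response or a new
     *         authentication, and the current time plus the skew is past the token's {@code exp}
     */
    private static boolean tokenAutoRefreshPrepared(TokenVerificationResult result, Map<String, Object> requestData, OidcTenantConfig oidcConfig) {
        if (result == null || !oidcConfig.token.refreshExpired || !oidcConfig.token.getRefreshTokenTimeSkew().isPresent() || requestData.get(REFRESH_TOKEN_GRANT_RESPONSE) == Boolean.TRUE || requestData.get(NEW_AUTHENTICATION) == Boolean.TRUE) {
            return false;
        }
        Long expiresAt = null;
        if (result.localVerificationResult != null) {
            expiresAt = result.localVerificationResult.getLong(Claims.exp.name());
        } else if (result.introspectionResult != null) {
            expiresAt = result.introspectionResult.getLong("exp");
        }
        if (expiresAt == null) {
            return false;
        }
        // exp is compared against the current time in seconds.
        long nowSeconds = System.currentTimeMillis() / 1000;
        return nowSeconds + oidcConfig.token.getRefreshTokenTimeSkew().get().getSeconds() > expiresAt;
    }

    /**
     * Selects the JSON document roles are read from: the primary token content by default, a copy
     * of the UserInfo JSON when the roles source is {@code userinfo}, or the code-flow access
     * token content when the credential is an ID token and the roles source is {@code accesstoken}.
     *
     * <p>Throws a {@code NullPointerException} when the selected source is missing ({@code userInfo}
     * is {@code null}, or no code-flow access token result is stored in the request data).
     */
    private static JsonObject getRolesJson(Map<String, Object> requestData, TenantConfigContext resolvedContext, TokenCredential tokenCred, JsonObject tokenJson, UserInfo userInfo) {
        JsonObject rolesJson = tokenJson;
        if (resolvedContext.oidcConfig.roles.source.isPresent()) {
            if (resolvedContext.oidcConfig.roles.source.get() == OidcTenantConfig.Roles.Source.userinfo) {
                rolesJson = new JsonObject(userInfo.getJsonObject().toString());
            } else if ((tokenCred instanceof IdTokenCredential) && resolvedContext.oidcConfig.roles.source.get() == OidcTenantConfig.Roles.Source.accesstoken) {
                rolesJson = ((TokenVerificationResult) requestData.get(CODE_ACCESS_TOKEN_RESULT)).localVerificationResult;
                if (rolesJson == null) {
                    // The access token was not verified locally, so its content is only decoded.
                    rolesJson = OidcUtils.decodeJwtContent((String) requestData.get("access_token"));
                }
            }
        }
        return rolesJson;
    }

    /**
     * Verifies the code-flow access token when the credential is an ID token and the tenant either
     * verifies the access token or takes roles from it.
     *
     * @return the verification result, or a {@code Uni} with a {@code null} item when no
     *         verification is needed
     */
    private Uni<TokenVerificationResult> verifyCodeFlowAccessTokenUni(Map<String, Object> requestData, TokenAuthenticationRequest request, TenantConfigContext resolvedContext, UserInfo userInfo) {
        if ((request.getToken() instanceof IdTokenCredential) && (resolvedContext.oidcConfig.authentication.verifyAccessToken || resolvedContext.oidcConfig.roles.source.orElse(null) == OidcTenantConfig.Roles.Source.accesstoken)) {
            return verifyTokenUni(requestData, resolvedContext, new AccessTokenCredential((String) requestData.get("access_token")), false, userInfo);
        }
        return NULL_CODE_ACCESS_TOKEN_UNI;
    }

    /**
     * Verifies one token, choosing between introspection and local JWK verification.
     *
     * @param verificationFlag forwarded unchanged to the provider's JWT verification; callers in
     *        this class pass {@code isIdToken(request)} for the primary token and {@code false} for
     *        access tokens. NOTE(review): its meaning is defined by the provider - confirm there.
     * @param userInfo UserInfo obtained earlier, or {@code null}
     * @throws AuthenticationFailedException synchronously, when the token is opaque and opaque
     *         token introspection is not allowed
     */
    private Uni<TokenVerificationResult> verifyTokenUni(Map<String, Object> requestData, TenantConfigContext resolvedContext, TokenCredential tokenCred, boolean verificationFlag, UserInfo userInfo) {
        String token = tokenCred.getToken();
        if (OidcUtils.isOpaqueToken(token)) {
            if (!resolvedContext.oidcConfig.token.allowOpaqueTokenIntrospection) {
                LOG.debug("Token is opaque but the opaque token introspection is not allowed");
                throw new AuthenticationFailedException();
            }
            if (resolvedContext.oidcConfig.token.verifyAccessTokenWithUserInfo.orElse(false) && resolvedContext.provider.getMetadata().getIntrospectionUri() == null) {
                // No introspection endpoint: an available UserInfo response is the only evidence
                // used for this opaque token, and the result carries no claims or introspection.
                if (userInfo == null) {
                    return Uni.createFrom().failure(new AuthenticationFailedException("Opaque access token verification failed as user info is null."));
                }
                return Uni.createFrom().item(new TokenVerificationResult(null, null));
            }
            LOG.debug("Starting the opaque token introspection");
            return introspectTokenUni(resolvedContext, token, false);
        }
        if (resolvedContext.provider.getMetadata().getJsonWebKeySetUri() == null || resolvedContext.oidcConfig.token.requireJwtIntrospectionOnly) {
            LOG.debug("Starting the JWT token introspection");
            return introspectTokenUni(resolvedContext, token, false);
        }
        if (!resolvedContext.oidcConfig.jwks.resolveEarly) {
            return resolveJwksAndVerifyTokenUni(resolvedContext, tokenCred, verificationFlag, resolvedContext.oidcConfig.token.isSubjectRequired(), (String) requestData.get("nonce"));
        }
        String nonce = (String) requestData.get("nonce");
        try {
            LOG.debug("Verifying the JWT token with the local JWK keys");
            return Uni.createFrom().item(resolvedContext.provider.verifyJwtToken(token, verificationFlag, resolvedContext.oidcConfig.token.isSubjectRequired(), nonce));
        } catch (Throwable t) {
            if (t.getCause() instanceof UnresolvableKeyException) {
                // Only a missing key triggers a key set refresh and a second attempt.
                LOG.debug("No matching JWK key is found, refreshing and repeating the verification");
                return refreshJwksAndVerifyTokenUni(resolvedContext, token, verificationFlag, resolvedContext.oidcConfig.token.isSubjectRequired(), nonce);
            }
            LOG.debugf("Token verification has failed: %s", t.getMessage());
            return Uni.createFrom().failure(t);
        }
    }

    /** Verifies a self-signed (internal) token, converting a thrown exception into a failed Uni. */
    private Uni<TokenVerificationResult> verifySelfSignedTokenUni(TenantConfigContext resolvedContext, String token) {
        try {
            return Uni.createFrom().item(resolvedContext.provider.verifySelfSignedJwtToken(token));
        } catch (Throwable t) {
            return Uni.createFrom().failure(t);
        }
    }

    /**
     * Refreshes the JWK set and verifies the token again; falls back to introspection only when
     * {@link #fallbackToIntrospectionIfNoMatchingKey} accepts the failure.
     */
    private Uni<TokenVerificationResult> refreshJwksAndVerifyTokenUni(TenantConfigContext resolvedContext, String token, boolean verificationFlag, boolean subjectRequired, String nonce) {
        return resolvedContext.provider.refreshJwksAndVerifyJwtToken(token, verificationFlag, subjectRequired, nonce)
                .onFailure(failure -> fallbackToIntrospectionIfNoMatchingKey(failure, resolvedContext))
                .recoverWithUni(ignored -> introspectTokenUni(resolvedContext, token, true));
    }

    /**
     * Resolves the verification key and verifies the token; falls back to introspection only when
     * {@link #fallbackToIntrospectionIfNoMatchingKey} accepts the failure.
     */
    private Uni<TokenVerificationResult> resolveJwksAndVerifyTokenUni(TenantConfigContext resolvedContext, TokenCredential tokenCred, boolean verificationFlag, boolean subjectRequired, String nonce) {
        return resolvedContext.provider.getKeyResolverAndVerifyJwtToken(tokenCred, verificationFlag, subjectRequired, nonce)
                .onFailure(failure -> fallbackToIntrospectionIfNoMatchingKey(failure, resolvedContext))
                .recoverWithUni(ignored -> introspectTokenUni(resolvedContext, tokenCred.getToken(), true));
    }

    /**
     * Decides whether a local JWT verification failure may be retried through introspection.
     *
     * <p>Only a failure whose cause is an {@link UnresolvableKeyException} qualifies, and only when
     * JWT introspection is allowed for the tenant. Other verification failures do not reach the
     * introspection endpoint.
     *
     * <p>Decompiler note: the listing reports this method as private in the original class.
     *
     * @return {@code true} when the caller should fall back to token introspection
     */
    public static boolean fallbackToIntrospectionIfNoMatchingKey(Throwable th, TenantConfigContext tenantConfigContext) {
        if (!(th.getCause() instanceof UnresolvableKeyException)) {
            LOG.debug("Local JWT token verification has failed, skipping the token introspection");
            return false;
        }
        if (tenantConfigContext.oidcConfig.token.allowJwtIntrospection) {
            LOG.debug("Local JWT token verification has failed, attempting the token introspection");
            return true;
        }
        LOG.debug("JWT token does not have a matching verification key but JWT token introspection is disabled");
        return false;
    }

    /**
     * Returns the introspection result for the token, from the cache when one is configured and
     * holds an entry, otherwise from the provider.
     *
     * @param fallbackFromJwkMatch {@code true} when called after local verification found no
     *        matching key; forwarded to the provider
     */
    private Uni<TokenVerificationResult> introspectTokenUni(final TenantConfigContext resolvedContext, final String token, final boolean fallbackFromJwkMatch) {
        TokenIntrospectionCache cache = this.tenantResolver.getTokenIntrospectionCache();
        // The token string itself is what is handed to the cache lookup.
        Uni<TokenIntrospection> cachedIntrospection = cache == null ? null : cache.getIntrospection(token, resolvedContext.oidcConfig, this.getIntrospectionRequestContext);
        Uni<TokenIntrospection> introspectionUni;
        if (cachedIntrospection == null) {
            introspectionUni = newTokenIntrospectionUni(resolvedContext, token, fallbackFromJwkMatch);
        } else {
            // A cache miss is reported as a null item and answered by a fresh introspection.
            introspectionUni = cachedIntrospection.onItem().ifNull().switchTo(new Supplier<Uni<? extends TokenIntrospection>>() {
                @Override
                public Uni<? extends TokenIntrospection> get() {
                    return OidcIdentityProvider.this.newTokenIntrospectionUni(resolvedContext, token, fallbackFromJwkMatch);
                }
            });
        }
        return introspectionUni.onItem().transform(introspection -> new TokenVerificationResult(null, introspection));
    }

    /**
     * Introspects the token at the provider and, when a cache exists and caching is allowed for
     * the tenant, stores the result before the item is emitted.
     */
    private Uni<TokenIntrospection> newTokenIntrospectionUni(final TenantConfigContext resolvedContext, final String token, boolean fallbackFromJwkMatch) {
        Uni<TokenIntrospection> introspectionUni = resolvedContext.provider.introspectToken(token, fallbackFromJwkMatch);
        if (this.tenantResolver.getTokenIntrospectionCache() == null || !resolvedContext.oidcConfig.allowTokenIntrospectionCache) {
            return introspectionUni;
        }
        return introspectionUni.call(new Function<TokenIntrospection, Uni<?>>() {
            @Override
            public Uni<?> apply(TokenIntrospection introspection) {
                return OidcIdentityProvider.this.tenantResolver.getTokenIntrospectionCache().addIntrospection(token, introspection, resolvedContext.oidcConfig, OidcIdentityProvider.this.uniVoidOidcContext);
            }
        });
    }

    /**
     * Verifies the token locally and creates the identity from its claims, without contacting the
     * OIDC server. The same JSON is used for the token claims and for the roles.
     */
    private static Uni<SecurityIdentity> validateTokenWithoutOidcServer(TokenAuthenticationRequest request, TenantConfigContext resolvedContext) {
        try {
            // NOTE(review): here the subject-required setting is the second argument and a literal
            // false the third, whereas verifyTokenUni passes its flag second and
            // isSubjectRequired() third to the same-named provider method. Confirm against the
            // provider's signature that the subject requirement is actually enforced on this path.
            TokenVerificationResult result = resolvedContext.provider.verifyJwtToken(request.getToken().getToken(), resolvedContext.oidcConfig.token.subjectRequired, false, null);
            return Uni.createFrom().item(OidcUtils.validateAndCreateIdentity(Map.of(), request.getToken(), resolvedContext, result.localVerificationResult, result.localVerificationResult, null, null, request));
        } catch (Throwable t) {
            return Uni.createFrom().failure(new AuthenticationFailedException(t));
        }
    }

    /**
     * Obtains UserInfo: from the internal ID token when it is cached there, else from the UserInfo
     * cache, else from the provider.
     *
     * <p>The provider is called with the code-flow access token from the request data when
     * present, otherwise with the request's own token.
     */
    private Uni<UserInfo> getUserInfoUni(Map<String, Object> requestData, TokenAuthenticationRequest request, final TenantConfigContext resolvedContext) {
        if (isInternalIdToken(request) && resolvedContext.oidcConfig.cacheUserInfoInIdtoken) {
            // NOTE(review): decodeJwtContent takes only the token string, so presumably no
            // signature is checked here; confirm every caller verifies the internal ID token
            // before the resulting identity is used.
            JsonObject userInfoFromIdToken = OidcUtils.decodeJwtContent(request.getToken().getToken()).getJsonObject(OidcUtils.USER_INFO_ATTRIBUTE);
            if (userInfoFromIdToken != null) {
                return Uni.createFrom().item(new UserInfo(userInfoFromIdToken.encode()));
            }
        }
        LOG.debug("Requesting UserInfo");
        String codeAccessToken = (String) requestData.get("access_token");
        final String accessToken = codeAccessToken != null ? codeAccessToken : request.getToken().getToken();
        UserInfoCache cache = this.tenantResolver.getUserInfoCache();
        Uni<UserInfo> cachedUserInfo = cache == null ? null : cache.getUserInfo(accessToken, resolvedContext.oidcConfig, this.getUserInfoRequestContext);
        if (cachedUserInfo == null) {
            return newUserInfoUni(resolvedContext, accessToken);
        }
        // A cache miss is reported as a null item and answered by a fresh UserInfo request.
        return cachedUserInfo.onItem().ifNull().switchTo(new Supplier<Uni<? extends UserInfo>>() {
            @Override
            public Uni<? extends UserInfo> get() {
                return OidcIdentityProvider.this.newUserInfoUni(resolvedContext, accessToken);
            }
        });
    }

    /**
     * Requests UserInfo from the provider and stores it in the UserInfo cache, unless there is no
     * cache, caching is not allowed for the tenant, or UserInfo is cached in the ID token instead.
     */
    private Uni<UserInfo> newUserInfoUni(final TenantConfigContext resolvedContext, final String accessToken) {
        Uni<UserInfo> userInfoUni = resolvedContext.provider.getUserInfo(accessToken);
        if (this.tenantResolver.getUserInfoCache() == null || !resolvedContext.oidcConfig.allowUserInfoCache || resolvedContext.oidcConfig.cacheUserInfoInIdtoken) {
            return userInfoUni;
        }
        return userInfoUni.call(new Function<UserInfo, Uni<?>>() {
            @Override
            public Uni<?> apply(UserInfo userInfo) {
                return OidcIdentityProvider.this.tenantResolver.getUserInfoCache().addUserInfo(accessToken, userInfo, resolvedContext.oidcConfig, OidcIdentityProvider.this.uniVoidOidcContext);
            }
        });
    }
}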
