package org.keycloak.authentication.authenticators.client;

import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.ClientAuthenticationFlowContext;
import org.keycloak.common.util.Time;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.util.CertificateInfoHelper;

/* loaded from: input_file:org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.class */
public class JWTClientAuthenticator extends AbstractClientAuthenticator {
    public static final String PROVIDER_ID = "client-jwt";
    public static final String ATTR_PREFIX = "jwt.credential";
    public static final String CERTIFICATE_ATTR = "jwt.credential.certificate";
    protected static ServicesLogger logger = ServicesLogger.ROOT_LOGGER;
    public static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {AuthenticationExecutionModel.Requirement.ALTERNATIVE, AuthenticationExecutionModel.Requirement.DISABLED};

    public void authenticateClient(ClientAuthenticationFlowContext clientAuthenticationFlowContext) {
        MultivaluedMap decodedFormParameters = clientAuthenticationFlowContext.getHttpRequest().getDecodedFormParameters();
        String str = (String) decodedFormParameters.getFirst("client_assertion_type");
        String str2 = (String) decodedFormParameters.getFirst("client_assertion");
        if (str == null) {
            clientAuthenticationFlowContext.challenge(ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Parameter client_assertion_type is missing"));
            return;
        }
        if (!str.equals("urn:ietf:params:oauth:client-assertion-type:jwt-bearer")) {
            clientAuthenticationFlowContext.challenge(ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Parameter client_assertion_type has value '" + str + "' but expected is 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'"));
            return;
        }
        if (str2 == null) {
            clientAuthenticationFlowContext.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "client_assertion parameter missing"));
            return;
        }
        try {
            JWSInput jWSInput = new JWSInput(str2);
            JsonWebToken jsonWebToken = (JsonWebToken) jWSInput.readJsonContent(JsonWebToken.class);
            RealmModel realm = clientAuthenticationFlowContext.getRealm();
            String subject = jsonWebToken.getSubject();
            if (subject == null) {
                throw new RuntimeException("Can't identify client. Issuer missing on JWT token");
            }
            clientAuthenticationFlowContext.getEvent().client(subject);
            ClientModel clientByClientId = realm.getClientByClientId(subject);
            if (clientByClientId == null) {
                clientAuthenticationFlowContext.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, (Response) null);
                return;
            }
            clientAuthenticationFlowContext.setClient(clientByClientId);
            if (!clientByClientId.isEnabled()) {
                clientAuthenticationFlowContext.failure(AuthenticationFlowError.CLIENT_DISABLED, (Response) null);
                return;
            }
            PublicKey signatureValidationKey = getSignatureValidationKey(clientByClientId, clientAuthenticationFlowContext);
            if (signatureValidationKey == null) {
                return;
            }
            try {
                if (!RSAProvider.verify(jWSInput, signatureValidationKey)) {
                    throw new RuntimeException("Signature on JWT token failed validation");
                }
                String realmIssuer = Urls.realmIssuer(clientAuthenticationFlowContext.getUriInfo().getBaseUri(), realm.getName());
                String uri = OIDCLoginProtocolService.tokenUrl(clientAuthenticationFlowContext.getUriInfo().getBaseUriBuilder()).build(new Object[]{realm.getName()}).toString();
                if (!jsonWebToken.hasAudience(realmIssuer) && !jsonWebToken.hasAudience(uri)) {
                    throw new RuntimeException("Token audience doesn't match domain. Realm issuer is '" + realmIssuer + "' but audience from token is '" + Arrays.asList(jsonWebToken.getAudience()).toString() + "'");
                }
                if (!jsonWebToken.isActive()) {
                    throw new RuntimeException("Token is not active");
                }
                if (jsonWebToken.getExpiration() == 0 && jsonWebToken.getIssuedAt() + 10 < Time.currentTime()) {
                    throw new RuntimeException("Token is not active");
                }
                clientAuthenticationFlowContext.success();
            } catch (RuntimeException e) {
                throw new RuntimeException("Signature on JWT token failed validation", e.getCause() != null ? e.getCause() : e);
            }
        } catch (Exception e2) {
            logger.errorValidatingAssertion(e2);
            clientAuthenticationFlowContext.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", "Client authentication with signed JWT failed: " + e2.getMessage()));
        }
    }

    protected PublicKey getSignatureValidationKey(ClientModel clientModel, ClientAuthenticationFlowContext clientAuthenticationFlowContext) {
        try {
            return CertificateInfoHelper.getSignatureValidationKey(clientModel, ATTR_PREFIX);
        } catch (ModelException e) {
            clientAuthenticationFlowContext.failure(AuthenticationFlowError.CLIENT_CREDENTIALS_SETUP_REQUIRED, ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", e.getMessage()));
            return null;
        }
    }

    public String getDisplayType() {
        return "Signed Jwt";
    }

    public boolean isConfigurable() {
        return false;
    }

    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return REQUIREMENT_CHOICES;
    }

    public String getHelpText() {
        return "Validates client based on signed JWT issued by client and signed with the Client private key";
    }

    public List<ProviderConfigProperty> getConfigProperties() {
        return new LinkedList();
    }

    public List<ProviderConfigProperty> getConfigPropertiesPerClient() {
        return Collections.emptyList();
    }

    public Map<String, Object> getAdapterConfiguration(ClientModel clientModel) {
        HashMap hashMap = new HashMap();
        hashMap.put("client-keystore-file", "REPLACE WITH THE LOCATION OF YOUR KEYSTORE FILE");
        hashMap.put("client-keystore-type", "jks");
        hashMap.put("client-keystore-password", "REPLACE WITH THE KEYSTORE PASSWORD");
        hashMap.put("client-key-password", "REPLACE WITH THE KEY PASSWORD IN KEYSTORE");
        hashMap.put("client-key-alias", clientModel.getClientId());
        hashMap.put("token-timeout", 10);
        HashMap hashMap2 = new HashMap();
        hashMap2.put("jwt", hashMap);
        return hashMap2;
    }

    public String getId() {
        return PROVIDER_ID;
    }

    public Set<String> getProtocolAuthenticatorMethods(String str) {
        if (!str.equals("openid-connect")) {
            return Collections.emptySet();
        }
        HashSet hashSet = new HashSet();
        hashSet.add(OIDCLoginProtocol.PRIVATE_KEY_JWT);
        return hashSet;
    }
}
