package org.keycloak.protocol.oidc;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.OAuthErrorException;
import org.keycloak.TokenCategory;
import org.keycloak.TokenVerifier;
import org.keycloak.cluster.ClusterProvider;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.HashProvider;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.HashUtils;
import org.keycloak.migration.migrators.MigrationUtils;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RoleUtils;
import org.keycloak.protocol.ProtocolMapper;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.UserSessionCrossDCManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.services.util.MtlsHoKTokenUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/TokenManager.class */
public class TokenManager {
    private static final Logger logger = Logger.getLogger(TokenManager.class);
    private static final String JWT = "JWT";

    /* loaded from: input_file:org/keycloak/protocol/oidc/TokenManager$AccessTokenResponseBuilder.class */
    public class AccessTokenResponseBuilder {
        RealmModel realm;
        ClientModel client;
        EventBuilder event;
        KeycloakSession session;
        UserSessionModel userSession;
        ClientSessionContext clientSessionCtx;
        AccessToken accessToken;
        RefreshToken refreshToken;
        IDToken idToken;
        boolean generateAccessTokenHash = false;
        String codeHash;
        String stateHash;

        public AccessTokenResponseBuilder(RealmModel realmModel, ClientModel clientModel, EventBuilder eventBuilder, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
            this.realm = realmModel;
            this.client = clientModel;
            this.event = eventBuilder;
            this.session = keycloakSession;
            this.userSession = userSessionModel;
            this.clientSessionCtx = clientSessionContext;
        }

        public AccessToken getAccessToken() {
            return this.accessToken;
        }

        public RefreshToken getRefreshToken() {
            return this.refreshToken;
        }

        public IDToken getIdToken() {
            return this.idToken;
        }

        public AccessTokenResponseBuilder accessToken(AccessToken accessToken) {
            this.accessToken = accessToken;
            return this;
        }

        public AccessTokenResponseBuilder refreshToken(RefreshToken refreshToken) {
            this.refreshToken = refreshToken;
            return this;
        }

        public AccessTokenResponseBuilder generateAccessToken() {
            this.accessToken = TokenManager.this.createClientAccessToken(this.session, this.realm, this.client, this.userSession.getUser(), this.userSession, this.clientSessionCtx);
            return this;
        }

        public AccessTokenResponseBuilder generateRefreshToken() {
            if (this.accessToken == null) {
                throw new IllegalStateException("accessToken not set");
            }
            ClientScopeModel clientScopeByName = KeycloakModelUtils.getClientScopeByName(this.realm, "offline_access");
            if (clientScopeByName == null ? false : this.clientSessionCtx.getClientScopeIds().contains(clientScopeByName.getId())) {
                UserSessionManager userSessionManager = new UserSessionManager(this.session);
                if (!userSessionManager.isOfflineTokenAllowed(this.clientSessionCtx)) {
                    this.event.error("not_allowed");
                    throw new ErrorResponseException("not_allowed", "Offline tokens not allowed for the user or client", Response.Status.BAD_REQUEST);
                }
                this.refreshToken = new RefreshToken(this.accessToken);
                this.refreshToken.type("Offline");
                userSessionManager.createOrUpdateOfflineSession(this.clientSessionCtx.getClientSession(), this.userSession);
            } else {
                this.refreshToken = new RefreshToken(this.accessToken);
                this.refreshToken.expiration(getRefreshExpiration());
            }
            this.refreshToken.id(KeycloakModelUtils.generateId());
            this.refreshToken.issuedNow();
            return this;
        }

        private int getRefreshExpiration() {
            int started = this.userSession.getStarted() + ((!this.userSession.isRememberMe() || this.realm.getSsoSessionMaxLifespanRememberMe() <= 0) ? this.realm.getSsoSessionMaxLifespan() : this.realm.getSsoSessionMaxLifespanRememberMe());
            int currentTime = Time.currentTime() + ((!this.userSession.isRememberMe() || this.realm.getSsoSessionIdleTimeoutRememberMe() <= 0) ? this.realm.getSsoSessionIdleTimeout() : this.realm.getSsoSessionIdleTimeoutRememberMe());
            return currentTime <= started ? currentTime : started;
        }

        public AccessTokenResponseBuilder generateIDToken() {
            if (this.accessToken == null) {
                throw new IllegalStateException("accessToken not set");
            }
            this.idToken = new IDToken();
            this.idToken.id(KeycloakModelUtils.generateId());
            this.idToken.type("ID");
            this.idToken.subject(this.accessToken.getSubject());
            this.idToken.audience(new String[]{this.client.getClientId()});
            this.idToken.issuedNow();
            this.idToken.issuedFor(this.accessToken.getIssuedFor());
            this.idToken.issuer(this.accessToken.getIssuer());
            this.idToken.setNonce(this.accessToken.getNonce());
            this.idToken.setAuthTime(this.accessToken.getAuthTime());
            this.idToken.setSessionState(this.accessToken.getSessionState());
            this.idToken.expiration(this.accessToken.getExpiration());
            this.idToken.setAcr(this.accessToken.getAcr());
            TokenManager.this.transformIDToken(this.session, this.idToken, this.userSession, this.clientSessionCtx);
            return this;
        }

        public AccessTokenResponseBuilder generateAccessTokenHash() {
            this.generateAccessTokenHash = true;
            return this;
        }

        public AccessTokenResponseBuilder generateCodeHash(String str) {
            this.codeHash = generateOIDCHash(str);
            return this;
        }

        public AccessTokenResponseBuilder generateStateHash(String str) {
            this.stateHash = generateOIDCHash(str);
            return this;
        }

        public AccessTokenResponse build() {
            if (this.accessToken != null) {
                this.event.detail("token_id", this.accessToken.getId());
            }
            if (this.refreshToken != null) {
                if (this.event.getEvent().getDetails().containsKey("refresh_token_id")) {
                    this.event.detail("updated_refresh_token_id", this.refreshToken.getId());
                } else {
                    this.event.detail("refresh_token_id", this.refreshToken.getId());
                }
                this.event.detail("refresh_token_type", this.refreshToken.getType());
            }
            AccessTokenResponse accessTokenResponse = new AccessTokenResponse();
            if (this.accessToken != null) {
                accessTokenResponse.setToken(this.session.tokens().encode(this.accessToken));
                accessTokenResponse.setTokenType("bearer");
                accessTokenResponse.setSessionState(this.accessToken.getSessionState());
                if (this.accessToken.getExpiration() != 0) {
                    accessTokenResponse.setExpiresIn(this.accessToken.getExpiration() - Time.currentTime());
                }
            }
            if (this.generateAccessTokenHash) {
                this.idToken.setAccessTokenHash(generateOIDCHash(accessTokenResponse.getToken()));
            }
            if (this.codeHash != null) {
                this.idToken.setCodeHash(this.codeHash);
            }
            if (this.stateHash != null) {
                this.idToken.setStateHash(this.stateHash);
            }
            if (this.idToken != null) {
                accessTokenResponse.setIdToken(this.session.tokens().encodeAndEncrypt(this.idToken));
            }
            if (this.refreshToken != null) {
                accessTokenResponse.setRefreshToken(this.session.tokens().encode(this.refreshToken));
                if (this.refreshToken.getExpiration() != 0) {
                    accessTokenResponse.setRefreshExpiresIn(this.refreshToken.getExpiration() - Time.currentTime());
                }
            }
            int notBefore = this.realm.getNotBefore();
            if (this.client.getNotBefore() > notBefore) {
                notBefore = this.client.getNotBefore();
            }
            int notBeforeOfUser = this.session.users().getNotBeforeOfUser(this.realm, this.userSession.getUser());
            if (notBeforeOfUser > notBefore) {
                notBefore = notBeforeOfUser;
            }
            accessTokenResponse.setNotBeforePolicy(notBefore);
            String scopeString = this.clientSessionCtx.getScopeString();
            accessTokenResponse.setScope(scopeString);
            this.event.detail("scope", scopeString);
            return accessTokenResponse;
        }

        private String generateOIDCHash(String str) {
            return HashUtils.encodeHashToOIDC(this.session.getProvider(HashProvider.class, this.session.getProvider(SignatureProvider.class, this.session.tokens().signatureAlgorithm(TokenCategory.ID)).signer().getHashAlgorithm()).hash(str));
        }
    }

    /* loaded from: input_file:org/keycloak/protocol/oidc/TokenManager$NotBeforeCheck.class */
    public static class NotBeforeCheck implements TokenVerifier.Predicate<JsonWebToken> {
        private final int notBefore;

        public NotBeforeCheck(int i) {
            this.notBefore = i;
        }

        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            if (jsonWebToken.getIssuedAt() < this.notBefore) {
                throw new VerificationException("Stale token");
            }
            return true;
        }

        public static NotBeforeCheck forModel(ClientModel clientModel) {
            if (clientModel == null) {
                return new NotBeforeCheck(0);
            }
            int notBefore = clientModel.getNotBefore();
            int notBefore2 = clientModel.getRealm().getNotBefore();
            return new NotBeforeCheck(notBefore == 0 ? notBefore2 : notBefore2 == 0 ? notBefore : Math.min(notBefore, notBefore2));
        }

        public static NotBeforeCheck forModel(RealmModel realmModel) {
            return new NotBeforeCheck(realmModel == null ? 0 : realmModel.getNotBefore());
        }

        public static NotBeforeCheck forModel(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
            return new NotBeforeCheck(keycloakSession.users().getNotBeforeOfUser(realmModel, userModel));
        }
    }

    /* loaded from: input_file:org/keycloak/protocol/oidc/TokenManager$RefreshResult.class */
    public class RefreshResult {
        private final AccessTokenResponse response;
        private final boolean offlineToken;

        private RefreshResult(AccessTokenResponse accessTokenResponse, boolean z) {
            this.response = accessTokenResponse;
            this.offlineToken = z;
        }

        public AccessTokenResponse getResponse() {
            return this.response;
        }

        public boolean isOfflineToken() {
            return this.offlineToken;
        }
    }

    /* loaded from: input_file:org/keycloak/protocol/oidc/TokenManager$TokenValidation.class */
    public static class TokenValidation {
        public final UserModel user;
        public final UserSessionModel userSession;
        public final ClientSessionContext clientSessionCtx;
        public final AccessToken newToken;

        public TokenValidation(UserModel userModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext, AccessToken accessToken) {
            this.user = userModel;
            this.userSession = userSessionModel;
            this.clientSessionCtx = clientSessionContext;
            this.newToken = accessToken;
        }
    }

    public TokenValidation validateToken(KeycloakSession keycloakSession, UriInfo uriInfo, ClientConnection clientConnection, RealmModel realmModel, RefreshToken refreshToken, HttpHeaders httpHeaders) throws OAuthErrorException {
        UserSessionModel userSession;
        boolean equals = "Offline".equals(refreshToken.getType());
        if (equals) {
            UserSessionManager userSessionManager = new UserSessionManager(keycloakSession);
            userSession = userSessionManager.findOfflineUserSession(realmModel, refreshToken.getSessionState());
            if (userSession == null) {
                throw new OAuthErrorException("invalid_grant", "Offline user session not found", "Offline user session not found");
            }
            if (!AuthenticationManager.isOfflineSessionValid(realmModel, userSession)) {
                userSessionManager.revokeOfflineUserSession(userSession);
                throw new OAuthErrorException("invalid_grant", "Offline session not active", "Offline session not active");
            }
        } else {
            userSession = keycloakSession.sessions().getUserSession(realmModel, refreshToken.getSessionState());
            if (!AuthenticationManager.isSessionValid(realmModel, userSession)) {
                AuthenticationManager.backchannelLogout(keycloakSession, realmModel, userSession, uriInfo, clientConnection, httpHeaders, true);
                throw new OAuthErrorException("invalid_grant", "Session not active", "Session not active");
            }
        }
        UserModel user = userSession.getUser();
        if (user == null) {
            throw new OAuthErrorException("invalid_grant", "Invalid refresh token", "Unknown user");
        }
        if (!user.isEnabled()) {
            throw new OAuthErrorException("invalid_grant", "User disabled", "User disabled");
        }
        if (refreshToken.getIssuedAt() + 1 < userSession.getStarted()) {
            logger.debug("Refresh toked issued before the user session started");
            throw new OAuthErrorException("invalid_grant", "Refresh toked issued before the user session started");
        }
        ClientModel client = keycloakSession.getContext().getClient();
        AuthenticatedClientSessionModel authenticatedClientSessionByClient = userSession.getAuthenticatedClientSessionByClient(client.getId());
        if (authenticatedClientSessionByClient == null) {
            userSession = new UserSessionCrossDCManager(keycloakSession).getUserSessionWithClient(realmModel, userSession.getId(), equals, client.getId());
            if (userSession == null) {
                throw new OAuthErrorException("invalid_grant", "Session doesn't have required client", "Session doesn't have required client");
            }
            authenticatedClientSessionByClient = userSession.getAuthenticatedClientSessionByClient(client.getId());
        }
        if (!client.getClientId().equals(refreshToken.getIssuedFor())) {
            throw new OAuthErrorException("invalid_grant", "Unmatching clients", "Unmatching clients");
        }
        try {
            TokenVerifier.createWithoutSignature(refreshToken).withChecks(new TokenVerifier.Predicate[]{NotBeforeCheck.forModel(client), NotBeforeCheck.forModel(keycloakSession, realmModel, user)}).verify();
            String scope = refreshToken.getScope();
            if (scope == null && userSession.isOffline()) {
                logger.debugf("Migrating offline token of user '%s' for client '%s' of realm '%s'", user.getUsername(), client.getClientId(), realmModel.getName());
                MigrationUtils.migrateOldOfflineToken(keycloakSession, realmModel, client, user);
            }
            DefaultClientSessionContext fromClientSessionAndScopeParameter = DefaultClientSessionContext.fromClientSessionAndScopeParameter(authenticatedClientSessionByClient, scope, keycloakSession);
            if (!verifyConsentStillAvailable(keycloakSession, user, client, fromClientSessionAndScopeParameter.getClientScopes())) {
                throw new OAuthErrorException("invalid_scope", "Client no longer has requested consent from user");
            }
            fromClientSessionAndScopeParameter.setAttribute("nonce", refreshToken.getNonce());
            return new TokenValidation(user, userSession, fromClientSessionAndScopeParameter, createClientAccessToken(keycloakSession, realmModel, client, user, userSession, fromClientSessionAndScopeParameter));
        } catch (VerificationException e) {
            throw new OAuthErrorException("invalid_grant", "Stale token");
        }
    }

    public boolean checkTokenValidForIntrospection(KeycloakSession keycloakSession, RealmModel realmModel, AccessToken accessToken) throws OAuthErrorException {
        ClientModel clientByClientId = realmModel.getClientByClientId(accessToken.getIssuedFor());
        if (clientByClientId == null || !clientByClientId.isEnabled()) {
            return false;
        }
        try {
            TokenVerifier.createWithoutSignature(accessToken).withChecks(new TokenVerifier.Predicate[]{NotBeforeCheck.forModel(clientByClientId), TokenVerifier.IS_ACTIVE}).verify();
            boolean z = false;
            UserSessionModel userSessionWithClient = new UserSessionCrossDCManager(keycloakSession).getUserSessionWithClient(realmModel, accessToken.getSessionState(), false, clientByClientId.getId());
            if (AuthenticationManager.isSessionValid(realmModel, userSessionWithClient)) {
                z = isUserValid(keycloakSession, realmModel, accessToken, userSessionWithClient);
            } else {
                userSessionWithClient = new UserSessionCrossDCManager(keycloakSession).getUserSessionWithClient(realmModel, accessToken.getSessionState(), true, clientByClientId.getId());
                if (AuthenticationManager.isOfflineSessionValid(realmModel, userSessionWithClient)) {
                    z = isUserValid(keycloakSession, realmModel, accessToken, userSessionWithClient);
                }
            }
            if (z) {
                userSessionWithClient.setLastSessionRefresh(Time.currentTime());
            }
            return z;
        } catch (VerificationException e) {
            return false;
        }
    }

    private boolean isUserValid(KeycloakSession keycloakSession, RealmModel realmModel, AccessToken accessToken, UserSessionModel userSessionModel) {
        UserModel user = userSessionModel.getUser();
        if (user == null || !user.isEnabled()) {
            return false;
        }
        try {
            TokenVerifier.createWithoutSignature(accessToken).withChecks(new TokenVerifier.Predicate[]{NotBeforeCheck.forModel(keycloakSession, realmModel, user)}).verify();
            return accessToken.getIssuedAt() + 1 >= userSessionModel.getStarted();
        } catch (VerificationException e) {
            return false;
        }
    }

    public RefreshResult refreshAccessToken(KeycloakSession keycloakSession, UriInfo uriInfo, ClientConnection clientConnection, RealmModel realmModel, ClientModel clientModel, String str, EventBuilder eventBuilder, HttpHeaders httpHeaders, HttpRequest httpRequest) throws OAuthErrorException {
        RefreshToken verifyRefreshToken = verifyRefreshToken(keycloakSession, realmModel, clientModel, httpRequest, str, true);
        eventBuilder.user(verifyRefreshToken.getSubject()).session(verifyRefreshToken.getSessionState()).detail("refresh_token_id", verifyRefreshToken.getId()).detail("refresh_token_type", verifyRefreshToken.getType());
        TokenValidation validateToken = validateToken(keycloakSession, uriInfo, clientConnection, realmModel, verifyRefreshToken, httpHeaders);
        AuthenticatedClientSessionModel clientSession = validateToken.clientSessionCtx.getClientSession();
        if (!clientSession.getClient().getId().equals(clientModel.getId())) {
            throw new OAuthErrorException("invalid_grant", "Invalid refresh token. Token client and authorized client don't match");
        }
        validateTokenReuse(keycloakSession, realmModel, verifyRefreshToken, validateToken);
        int currentTime = Time.currentTime();
        clientSession.setTimestamp(currentTime);
        validateToken.userSession.setLastSessionRefresh(currentTime);
        if (verifyRefreshToken.getAuthorization() != null) {
            validateToken.newToken.setAuthorization(verifyRefreshToken.getAuthorization());
        }
        AccessTokenResponseBuilder generateRefreshToken = responseBuilder(realmModel, clientModel, eventBuilder, keycloakSession, validateToken.userSession, validateToken.clientSessionCtx).accessToken(validateToken.newToken).generateRefreshToken();
        if (validateToken.newToken.getAuthorization() != null) {
            generateRefreshToken.getRefreshToken().setAuthorization(validateToken.newToken.getAuthorization());
        }
        AccessToken.CertConf certConf = verifyRefreshToken.getCertConf();
        if (certConf != null) {
            generateRefreshToken.getAccessToken().setCertConf(certConf);
            generateRefreshToken.getRefreshToken().setCertConf(certConf);
        }
        if (TokenUtil.isOIDCRequest(clientSession.getNote("scope"))) {
            generateRefreshToken.generateIDToken();
        }
        return new RefreshResult(generateRefreshToken.build(), "Offline".equals(verifyRefreshToken.getType()));
    }

    private void validateTokenReuse(KeycloakSession keycloakSession, RealmModel realmModel, RefreshToken refreshToken, TokenValidation tokenValidation) throws OAuthErrorException {
        if (realmModel.isRevokeRefreshToken()) {
            AuthenticatedClientSessionModel clientSession = tokenValidation.clientSessionCtx.getClientSession();
            int clusterStartupTime = keycloakSession.getProvider(ClusterProvider.class).getClusterStartupTime();
            if (clientSession.getCurrentRefreshToken() != null && !refreshToken.getId().equals(clientSession.getCurrentRefreshToken()) && refreshToken.getIssuedAt() < clientSession.getTimestamp() && clusterStartupTime <= clientSession.getTimestamp()) {
                throw new OAuthErrorException("invalid_grant", "Stale token");
            }
            if (!refreshToken.getId().equals(clientSession.getCurrentRefreshToken())) {
                clientSession.setCurrentRefreshToken(refreshToken.getId());
                clientSession.setCurrentRefreshTokenUseCount(0);
            }
            int currentRefreshTokenUseCount = clientSession.getCurrentRefreshTokenUseCount();
            if (currentRefreshTokenUseCount > realmModel.getRefreshTokenMaxReuse()) {
                throw new OAuthErrorException("invalid_grant", "Maximum allowed refresh token reuse exceeded", "Maximum allowed refresh token reuse exceeded");
            }
            clientSession.setCurrentRefreshTokenUseCount(currentRefreshTokenUseCount + 1);
        }
    }

    public RefreshToken verifyRefreshToken(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, HttpRequest httpRequest, String str, boolean z) throws OAuthErrorException {
        try {
            RefreshToken refreshToken = toRefreshToken(keycloakSession, str);
            if (!"Refresh".equals(refreshToken.getType()) && !"Offline".equals(refreshToken.getType())) {
                throw new OAuthErrorException("invalid_grant", "Invalid refresh token");
            }
            if (z) {
                try {
                    TokenVerifier.createWithoutSignature(refreshToken).withChecks(new TokenVerifier.Predicate[]{NotBeforeCheck.forModel(realmModel), TokenVerifier.IS_ACTIVE}).verify();
                } catch (VerificationException e) {
                    throw new OAuthErrorException("invalid_grant", e.getMessage());
                }
            }
            if (!clientModel.getClientId().equals(refreshToken.getIssuedFor())) {
                throw new OAuthErrorException("invalid_grant", "Invalid refresh token. Token client and authorized client don't match");
            }
            if (!OIDCAdvancedConfigWrapper.fromClientModel(clientModel).isUseMtlsHokToken() || MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(refreshToken, httpRequest, keycloakSession)) {
                return refreshToken;
            }
            throw new OAuthErrorException("unauthorized_client", MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC);
        } catch (JWSInputException e2) {
            throw new OAuthErrorException("invalid_grant", "Invalid refresh token", e2);
        }
    }

    public RefreshToken toRefreshToken(KeycloakSession keycloakSession, String str) throws JWSInputException, OAuthErrorException {
        RefreshToken decode = keycloakSession.tokens().decode(str, RefreshToken.class);
        if (decode == null) {
            throw new OAuthErrorException("invalid_grant", "Invalid refresh token");
        }
        return decode;
    }

    public IDToken verifyIDToken(KeycloakSession keycloakSession, RealmModel realmModel, String str) throws OAuthErrorException {
        IDToken decode = keycloakSession.tokens().decode(str, IDToken.class);
        try {
            TokenVerifier.createWithoutSignature(decode).withChecks(new TokenVerifier.Predicate[]{NotBeforeCheck.forModel(realmModel), TokenVerifier.IS_ACTIVE}).verify();
            return decode;
        } catch (VerificationException e) {
            throw new OAuthErrorException("invalid_grant", e.getMessage());
        }
    }

    public IDToken verifyIDTokenSignature(KeycloakSession keycloakSession, String str) throws OAuthErrorException {
        IDToken decode = keycloakSession.tokens().decode(str, IDToken.class);
        if (decode == null) {
            throw new OAuthErrorException("invalid_grant", "Invalid IDToken");
        }
        return decode;
    }

    public AccessToken createClientAccessToken(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        return transformAccessToken(keycloakSession, initToken(realmModel, clientModel, userModel, userSessionModel, clientSessionContext, keycloakSession.getContext().getUri()), userSessionModel, clientSessionContext);
    }

    public static ClientSessionContext attachAuthenticationSession(KeycloakSession keycloakSession, UserSessionModel userSessionModel, AuthenticationSessionModel authenticationSessionModel) {
        ClientModel client = authenticationSessionModel.getClient();
        AuthenticatedClientSessionModel authenticatedClientSessionByClient = userSessionModel.getAuthenticatedClientSessionByClient(client.getId());
        if (authenticatedClientSessionByClient == null) {
            authenticatedClientSessionByClient = keycloakSession.sessions().createClientSession(userSessionModel.getRealm(), client, userSessionModel);
        }
        authenticatedClientSessionByClient.setRedirectUri(authenticationSessionModel.getRedirectUri());
        authenticatedClientSessionByClient.setProtocol(authenticationSessionModel.getProtocol());
        Set clientScopes = authenticationSessionModel.getClientScopes();
        for (Map.Entry entry : authenticationSessionModel.getClientNotes().entrySet()) {
            authenticatedClientSessionByClient.setNote((String) entry.getKey(), (String) entry.getValue());
        }
        for (Map.Entry entry2 : authenticationSessionModel.getUserSessionNotes().entrySet()) {
            userSessionModel.setNote((String) entry2.getKey(), (String) entry2.getValue());
        }
        authenticatedClientSessionByClient.setTimestamp(Time.currentTime());
        new AuthenticationSessionManager(keycloakSession).removeAuthenticationSession(userSessionModel.getRealm(), authenticationSessionModel, true);
        return DefaultClientSessionContext.fromClientSessionAndClientScopeIds(authenticatedClientSessionByClient, clientScopes, keycloakSession);
    }

    public static void dettachClientSession(UserSessionProvider userSessionProvider, RealmModel realmModel, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        UserSessionModel userSession = authenticatedClientSessionModel.getUserSession();
        if (userSession == null) {
            return;
        }
        authenticatedClientSessionModel.detachFromUserSession();
        if (userSession.getAuthenticatedClientSessions().isEmpty()) {
            userSessionProvider.removeUserSession(realmModel, userSession);
        }
    }

    public static Set<RoleModel> getAccess(UserModel userModel, ClientModel clientModel, Set<ClientScopeModel> set) {
        Set<RoleModel> deepUserRoleMappings = RoleUtils.getDeepUserRoleMappings(userModel);
        if (clientModel.isFullScopeAllowed()) {
            if (logger.isTraceEnabled()) {
                logger.tracef("Using full scope for client %s", clientModel.getClientId());
            }
            return deepUserRoleMappings;
        }
        HashSet hashSet = new HashSet(clientModel.getRoles());
        for (ClientScopeModel clientScopeModel : set) {
            if (logger.isTraceEnabled()) {
                logger.tracef("Adding client scope role mappings of client scope '%s' to client '%s'", clientScopeModel.getName(), clientModel.getClientId());
            }
            hashSet.addAll(clientScopeModel.getScopeMappings());
        }
        deepUserRoleMappings.retainAll(RoleUtils.expandCompositeRoles(hashSet));
        return deepUserRoleMappings;
    }

    public static Set<ClientScopeModel> getRequestedClientScopes(String str, ClientModel clientModel) {
        HashSet hashSet = new HashSet(clientModel.getClientScopes(true, true).values());
        hashSet.add(clientModel);
        if (str == null) {
            return hashSet;
        }
        List asList = Arrays.asList(str.split(" "));
        Map clientScopes = clientModel.getClientScopes(false, true);
        Iterator it = asList.iterator();
        while (it.hasNext()) {
            ClientScopeModel clientScopeModel = (ClientScopeModel) clientScopes.get((String) it.next());
            if (clientScopeModel != null) {
                hashSet.add(clientScopeModel);
            }
        }
        return hashSet;
    }

    public static boolean verifyConsentStillAvailable(KeycloakSession keycloakSession, UserModel userModel, ClientModel clientModel, Set<ClientScopeModel> set) {
        if (!clientModel.isConsentRequired()) {
            return true;
        }
        UserConsentModel consentByClient = keycloakSession.users().getConsentByClient(clientModel.getRealm(), userModel.getId(), clientModel.getId());
        for (ClientScopeModel clientScopeModel : set) {
            if (clientScopeModel.isDisplayOnConsentScreen() && !consentByClient.getGrantedClientScopes().contains(clientScopeModel)) {
                logger.debugf("Client '%s' no longer has requested consent from user '%s' for client scope '%s'", clientModel.getClientId(), userModel.getUsername(), clientScopeModel.getName());
                return false;
            }
        }
        return true;
    }

    public AccessToken transformAccessToken(KeycloakSession keycloakSession, AccessToken accessToken, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        for (Map.Entry<ProtocolMapperModel, ProtocolMapper> entry : ProtocolMapperUtils.getSortedProtocolMappers(keycloakSession, clientSessionContext)) {
            ProtocolMapperModel key = entry.getKey();
            OIDCAccessTokenMapper oIDCAccessTokenMapper = (ProtocolMapper) entry.getValue();
            if (oIDCAccessTokenMapper instanceof OIDCAccessTokenMapper) {
                accessToken = oIDCAccessTokenMapper.transformAccessToken(accessToken, key, keycloakSession, userSessionModel, clientSessionContext);
            }
        }
        return accessToken;
    }

    public AccessToken transformUserInfoAccessToken(KeycloakSession keycloakSession, AccessToken accessToken, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        for (Map.Entry<ProtocolMapperModel, ProtocolMapper> entry : ProtocolMapperUtils.getSortedProtocolMappers(keycloakSession, clientSessionContext)) {
            ProtocolMapperModel key = entry.getKey();
            UserInfoTokenMapper userInfoTokenMapper = (ProtocolMapper) entry.getValue();
            if (userInfoTokenMapper instanceof UserInfoTokenMapper) {
                accessToken = userInfoTokenMapper.transformUserInfoToken(accessToken, key, keycloakSession, userSessionModel, clientSessionContext);
            }
        }
        return accessToken;
    }

    public void transformIDToken(KeycloakSession keycloakSession, IDToken iDToken, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        for (Map.Entry<ProtocolMapperModel, ProtocolMapper> entry : ProtocolMapperUtils.getSortedProtocolMappers(keycloakSession, clientSessionContext)) {
            ProtocolMapperModel key = entry.getKey();
            OIDCIDTokenMapper oIDCIDTokenMapper = (ProtocolMapper) entry.getValue();
            if (oIDCIDTokenMapper instanceof OIDCIDTokenMapper) {
                iDToken = oIDCIDTokenMapper.transformIDToken(iDToken, key, keycloakSession, userSessionModel, clientSessionContext);
            }
        }
    }

    protected AccessToken initToken(RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext, UriInfo uriInfo) {
        AccessToken accessToken = new AccessToken();
        accessToken.id(KeycloakModelUtils.generateId());
        accessToken.type("Bearer");
        accessToken.subject(userModel.getId());
        accessToken.issuedNow();
        accessToken.issuedFor(clientModel.getClientId());
        AuthenticatedClientSessionModel clientSession = clientSessionContext.getClientSession();
        accessToken.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
        accessToken.setNonce((String) clientSessionContext.getAttribute("nonce", String.class));
        accessToken.setScope(clientSessionContext.getScopeString());
        accessToken.setAcr(AuthenticationManager.isSSOAuthentication(clientSession) ? "0" : "1");
        String note = userSessionModel.getNote(AuthenticationManager.AUTH_TIME);
        if (note != null) {
            accessToken.setAuthTime(Integer.parseInt(note));
        }
        accessToken.setSessionState(userSessionModel.getId());
        accessToken.expiration(getTokenExpiration(realmModel, clientModel, userSessionModel, clientSession));
        return accessToken;
    }

    private int getTokenExpiration(RealmModel realmModel, ClientModel clientModel, UserSessionModel userSessionModel, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        int accessTokenLifespan;
        int currentTime;
        boolean z = false;
        String note = authenticatedClientSessionModel.getNote("response_type");
        if (note != null) {
            z = OIDCResponseType.parse(note).isImplicitFlow();
        }
        if (z) {
            accessTokenLifespan = realmModel.getAccessTokenLifespanForImplicitFlow();
        } else {
            String attribute = clientModel.getAttribute(OIDCConfigAttributes.ACCESS_TOKEN_LIFESPAN);
            accessTokenLifespan = (attribute == null || attribute.trim().isEmpty()) ? realmModel.getAccessTokenLifespan() : Integer.parseInt(attribute);
        }
        if (accessTokenLifespan == -1) {
            currentTime = userSessionModel.getStarted() + ((!userSessionModel.isRememberMe() || realmModel.getSsoSessionMaxLifespanRememberMe() <= 0) ? realmModel.getSsoSessionMaxLifespan() : realmModel.getSsoSessionMaxLifespanRememberMe());
        } else {
            currentTime = Time.currentTime() + accessTokenLifespan;
        }
        if (!userSessionModel.isOffline()) {
            int started = userSessionModel.getStarted() + ((!userSessionModel.isRememberMe() || realmModel.getSsoSessionMaxLifespanRememberMe() <= 0) ? realmModel.getSsoSessionMaxLifespan() : realmModel.getSsoSessionMaxLifespanRememberMe());
            currentTime = currentTime <= started ? currentTime : started;
        }
        return currentTime;
    }

    public AccessTokenResponseBuilder responseBuilder(RealmModel realmModel, ClientModel clientModel, EventBuilder eventBuilder, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        return new AccessTokenResponseBuilder(realmModel, clientModel, eventBuilder, keycloakSession, userSessionModel, clientSessionContext);
    }
}
