package org.wso2.carbon.identity.oauth2.token;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.security.Key;
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ClaimConfig;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.model.Constants;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.util.UserCoreUtil;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.class */
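/**
 * Issues OAuth2 access tokens as self-contained JWTs instead of opaque reference tokens.
 *
 * The claim set is assembled from the request context and the application's configuration
 * ({@link #createJWTClaimSet}) and then signed with the private key of the tenant resolved by
 * {@link #getSigningTenantDomain}.
 *
 * Security notes:
 * <ul>
 *   <li>The signature algorithm is taken from server configuration. When it is configured as
 *       {@code NONE} the issuer emits an <b>unsigned</b> {@link PlainJWT}; anything consuming such
 *       a token has no way to verify its origin or integrity. Keep {@code NONE} out of production.</li>
 *   <li>Only the RSA family (RS256/RS384/RS512/PS256) is implemented here. Configuring an HMAC or
 *       ECDSA algorithm passes construction but fails at signing time (see {@link #signJWTWithHMAC}
 *       and {@link #signJWTWithECDSA}).</li>
 *   <li>Tenant private keys are cached in a static map for the lifetime of the JVM and are never
 *       evicted, so a rotated tenant keystore is not picked up until restart.</li>
 *   <li>Debug logging includes authenticated user identifiers and subject claims. Raw access tokens
 *       are only logged when {@code IdentityUtil.isTokenLoggable("AccessToken")} allows it.</li>
 * </ul>
 */
public class JWTTokenIssuer extends OauthTokenIssuerImpl {
    private static final String NONE = "NONE";
    private static final String SHA256_WITH_RSA = "SHA256withRSA";
    private static final String SHA384_WITH_RSA = "SHA384withRSA";
    private static final String SHA512_WITH_RSA = "SHA512withRSA";
    private static final String PS256 = "PS256";
    private static final String SHA256_WITH_HMAC = "SHA256withHMAC";
    private static final String SHA384_WITH_HMAC = "SHA384withHMAC";
    private static final String SHA512_WITH_HMAC = "SHA512withHMAC";
    private static final String SHA256_WITH_EC = "SHA256withEC";
    private static final String SHA384_WITH_EC = "SHA384withEC";
    private static final String SHA512_WITH_EC = "SHA512withEC";
    private static final String KEY_STORE_EXTENSION = ".jks";
    private static final String AUTHORIZATION_PARTY = "azp";
    private static final String AUDIENCE = "aud";
    private static final String SCOPE = "scope";
    private static final String TOKEN_BINDING_REF = "binding_ref";
    private static final String TOKEN_BINDING_TYPE = "binding_type";
    private static final String EXPIRY_TIME_JWT = "EXPIRY_TIME_JWT";
    private static final String INBOUND_AUTH2_TYPE = "oauth2";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String AUTHORIZED_USER_TYPE_CLAIM = "aut";
    private static final String REALM_CLAIM = "realm";
    private static final String SIGNING_TENANT = "signing_tenant";
    private static final String USER_TYPE_PROPERTY = "USER_TYPE";
    private static final String ACCESS_TOKEN_LOG_KEY = "AccessToken";
    private Algorithm signatureAlgorithm;
    private static final Log log = LogFactory.getLog(JWTTokenIssuer.class);
    /**
     * Per-tenant signing key cache, keyed by tenant id. Populated lazily by
     * {@link #signJWTWithRSA} and never cleared: a key rotation in a tenant keystore requires a
     * restart to take effect.
     */
    private static Map<Integer, Key> privateKeys = new ConcurrentHashMap<>();

    /**
     * Reads the configured signature algorithm from {@link OAuthServerConfiguration}.
     *
     * @throws IdentityOAuth2Exception if the configured algorithm name is blank or unknown
     */
    public JWTTokenIssuer() throws IdentityOAuth2Exception {
        this.signatureAlgorithm = null;
        if (log.isDebugEnabled()) {
            log.debug("JWT Access token builder is initiated");
        }
        this.signatureAlgorithm = mapSignatureAlgorithm(OAuthServerConfiguration.getInstance().getSignatureAlgorithm());
    }

    /**
     * Issues an access token for a token-endpoint request.
     *
     * @param oAuthTokenReqMessageContext token request context (must carry an authorized user)
     * @return the serialized JWT
     * @throws OAuthSystemException wrapping any {@link IdentityOAuth2Exception} raised while building
     */
    @Override // org.wso2.carbon.identity.oauth2.token.OauthTokenIssuerImpl, org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer
    public String accessToken(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws OAuthSystemException {
        if (log.isDebugEnabled()) {
            log.debug("Access token request with token request message context. Authorized user " + oAuthTokenReqMessageContext.getAuthorizedUser().toString());
        }
        try {
            return buildJWTToken(oAuthTokenReqMessageContext);
        } catch (IdentityOAuth2Exception e) {
            throw new OAuthSystemException(e);
        }
    }

    /**
     * Issues an access token for an authorization-endpoint (implicit / hybrid) request.
     *
     * @param oAuthAuthzReqMessageContext authorization request context
     * @return the serialized JWT
     * @throws OAuthSystemException wrapping any {@link IdentityOAuth2Exception} raised while building
     */
    @Override // org.wso2.carbon.identity.oauth2.token.OauthTokenIssuerImpl, org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer
    public String accessToken(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws OAuthSystemException {
        if (log.isDebugEnabled()) {
            log.debug("Access token request with authorization request message context message context. Authorized user " + oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser().toString());
        }
        try {
            return buildJWTToken(oAuthAuthzReqMessageContext);
        } catch (IdentityOAuth2Exception e) {
            throw new OAuthSystemException(e);
        }
    }

    /**
     * Returns the value used to reference this token in persistence: the JWT's {@code jti} claim.
     *
     * This only parses the token; it does NOT verify its signature. Callers must not treat a
     * successfully extracted {@code jti} as evidence that the token is authentic.
     *
     * @param str the serialized JWT
     * @return the {@code jti} claim
     * @throws OAuthSystemException if the token cannot be parsed or has no {@code jti}
     */
    @Override // org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer
    public String getAccessTokenHash(String str) throws OAuthSystemException {
        try {
            String jwtid = JWTParser.parse(str).getJWTClaimsSet().getJWTID();
            if (jwtid == null) {
                throw new OAuthSystemException("JTI could not be retrieved from the JWT token.");
            }
            return jwtid;
        } catch (ParseException e) {
            // The raw token is sensitive; only log it when token logging is explicitly enabled.
            if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(ACCESS_TOKEN_LOG_KEY)) {
                log.debug("Error while getting JWTID from token: " + str);
            }
            throw new OAuthSystemException("Error while getting access token hash", e);
        }
    }

    /**
     * JWT access tokens are always freshly minted; an existing active token is never reused.
     */
    @Override // org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer
    public boolean renewAccessTokenPerRequest() {
        return true;
    }

    /**
     * True when the configured algorithm is {@code none}, i.e. tokens are emitted unsigned.
     */
    private boolean isUnsignedAlgorithm() {
        return JWSAlgorithm.NONE.getName().equals(this.signatureAlgorithm.getName());
    }

    /**
     * Builds (and, unless the algorithm is {@code none}, signs) a JWT for a token-endpoint request.
     *
     * NOTE(review): if the literal scope value {@code "aud"} is among the requested scopes, the
     * whole scope list is written into the {@code aud} claim, overriding the audience set by
     * {@link #createJWTClaimSet}. This mirrors the upstream behaviour; confirm it is intended.
     */
    protected String buildJWTToken(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder(createJWTClaimSet(null, oAuthTokenReqMessageContext, clientId));
        String[] scopes = oAuthTokenReqMessageContext.getScope();
        if (scopes != null && Arrays.asList(scopes).contains(AUDIENCE)) {
            builder.audience(Arrays.asList(scopes));
        }
        JWTClaimsSet claims = builder.build();
        if (isUnsignedAlgorithm()) {
            // Unsigned token: nothing protects these claims from tampering.
            return new PlainJWT(claims).serialize();
        }
        return signJWT(claims, oAuthTokenReqMessageContext, null);
    }

    /**
     * Builds (and, unless the algorithm is {@code none}, signs) a JWT for an authorization-endpoint
     * request. See {@link #buildJWTToken(OAuthTokenReqMessageContext)} for the {@code aud} quirk,
     * which applies here to the approved scopes.
     */
    protected String buildJWTToken(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        String clientId = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey();
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder(createJWTClaimSet(oAuthAuthzReqMessageContext, null, clientId));
        String[] approvedScopes = oAuthAuthzReqMessageContext.getApprovedScope();
        if (approvedScopes != null && Arrays.asList(approvedScopes).contains(AUDIENCE)) {
            builder.audience(Arrays.asList(approvedScopes));
        }
        JWTClaimsSet claims = builder.build();
        if (isUnsignedAlgorithm()) {
            // Unsigned token: nothing protects these claims from tampering.
            return new PlainJWT(claims).serialize();
        }
        return signJWT(claims, null, oAuthAuthzReqMessageContext);
    }

    /**
     * Dispatches to the signer for the configured algorithm family.
     *
     * @throws IdentityOAuth2Exception if the algorithm is not one of the RSA/HMAC/ECDSA families,
     *                                 or the selected family is not implemented
     */
    protected String signJWT(JWTClaimsSet jWTClaimsSet, OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        Algorithm alg = this.signatureAlgorithm;
        boolean isRsa = JWSAlgorithm.RS256.equals(alg) || JWSAlgorithm.RS384.equals(alg)
                || JWSAlgorithm.RS512.equals(alg) || JWSAlgorithm.PS256.equals(alg);
        if (isRsa) {
            return signJWTWithRSA(jWTClaimsSet, oAuthTokenReqMessageContext, oAuthAuthzReqMessageContext);
        }
        boolean isHmac = JWSAlgorithm.HS256.equals(alg) || JWSAlgorithm.HS384.equals(alg) || JWSAlgorithm.HS512.equals(alg);
        if (isHmac) {
            return signJWTWithHMAC(jWTClaimsSet, oAuthTokenReqMessageContext, oAuthAuthzReqMessageContext);
        }
        boolean isEcdsa = JWSAlgorithm.ES256.equals(alg) || JWSAlgorithm.ES384.equals(alg) || JWSAlgorithm.ES512.equals(alg);
        if (isEcdsa) {
            return signJWTWithECDSA(jWTClaimsSet, oAuthTokenReqMessageContext, oAuthAuthzReqMessageContext);
        }
        throw new IdentityOAuth2Exception("Invalid signature algorithm provided. " + alg);
    }

    /**
     * Picks the client id and authenticated user from whichever context is present and resolves
     * the tenant whose key signs the token.
     *
     * @throws IdentityOAuth2Exception if both contexts are null or the tenant cannot be resolved
     */
    private String resolveSigningTenantDomain(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        String clientId;
        AuthenticatedUser authorizedUser;
        if (oAuthAuthzReqMessageContext != null) {
            clientId = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey();
            authorizedUser = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser();
        } else if (oAuthTokenReqMessageContext != null) {
            clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
            authorizedUser = oAuthTokenReqMessageContext.getAuthorizedUser();
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Empty OAuthTokenReqMessageContext and OAuthAuthzReqMessageContext. Therefore, could not determine the tenant domain to sign the request.");
            }
            throw new IdentityOAuth2Exception("Could not determine the authenticated user and the service provider");
        }
        return getSigningTenantDomain(clientId, authorizedUser);
    }

    /**
     * Resolves the signing tenant: the service provider owner's tenant when
     * {@code UseSPTenantDomain} is enabled, otherwise the authenticated user's tenant.
     *
     * @param str               client id of the application
     * @param authenticatedUser authenticated user; may be null when the SP tenant is used
     * @throws IdentityOAuth2Exception if the required input is missing or resolves to a blank tenant
     */
    private String getSigningTenantDomain(String str, AuthenticatedUser authenticatedUser) throws IdentityOAuth2Exception {
        String tenantDomain;
        if (OAuthServerConfiguration.getInstance().getUseSPTenantDomainValue()) {
            if (log.isDebugEnabled()) {
                log.debug("Using the tenant domain of the SP to sign the token");
            }
            if (StringUtils.isBlank(str)) {
                throw new IdentityOAuth2Exception("Empty ClientId. Cannot resolve the tenant domain to sign the token");
            }
            try {
                tenantDomain = OAuth2Util.getAppInformationByClientId(str).getAppOwner().getTenantDomain();
            } catch (InvalidOAuthClientException e) {
                throw new IdentityOAuth2Exception("Error occurred while getting the application information by client id: " + str, (Throwable) e);
            }
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Using the tenant domain of the user to sign the token");
            }
            if (authenticatedUser == null) {
                throw new IdentityOAuth2Exception("Authenticated user is not set. Cannot resolve the tenant domain to sign the token");
            }
            tenantDomain = authenticatedUser.getTenantDomain();
        }
        if (StringUtils.isBlank(tenantDomain)) {
            throw new IdentityOAuth2Exception("Cannot resolve the tenant domain to sign the token");
        }
        if (log.isDebugEnabled()) {
            // The user may legitimately be null on the SP-tenant path; do not NPE inside a debug log.
            String userForLog = authenticatedUser != null ? authenticatedUser.toFullQualifiedUsername() : null;
            log.debug(String.format("Tenant domain: %s will be used to sign the token for the authenticated user: %s", tenantDomain, userForLog));
        }
        return tenantDomain;
    }

    /**
     * Loads (or returns the cached) signing key of the given tenant.
     *
     * The super tenant uses the server's default private key; other tenants use the key stored in
     * {@code <tenant-domain-with-dots-as-dashes>.jks} under the alias of the tenant domain.
     *
     * @throws IdentityOAuth2Exception if no key can be obtained
     */
    private Key loadSigningKey(String tenantDomain, int tenantId) throws IdentityOAuth2Exception {
        Key cached = privateKeys.get(Integer.valueOf(tenantId));
        if (cached != null) {
            return cached;
        }
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        Key signingKey;
        if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
            try {
                signingKey = keyStoreManager.getDefaultPrivateKey();
            } catch (Exception e) {
                throw new IdentityOAuth2Exception("Error while obtaining private key for super tenant", e);
            }
        } else {
            String keyStoreName = tenantDomain.trim().replace(Constants.FULL_STOP_DELIMITER, Constants.DASH_DELIMITER) + KEY_STORE_EXTENSION;
            signingKey = keyStoreManager.getPrivateKey(keyStoreName, tenantDomain);
        }
        if (signingKey == null) {
            // A null key would otherwise surface as an NPE from ConcurrentHashMap.put or the cast.
            throw new IdentityOAuth2Exception("Could not obtain a private key to sign the token for tenant: " + tenantDomain);
        }
        privateKeys.put(Integer.valueOf(tenantId), signingKey);
        return signingKey;
    }

    /**
     * Signs the claim set with the resolved tenant's RSA private key and sets the {@code kid} and
     * {@code x5t} header parameters from the tenant's certificate.
     *
     * @throws IdentityOAuth2Exception if the tenant cannot be resolved, the key is missing or not
     *                                 an RSA key, or signing fails
     */
    protected String signJWTWithRSA(JWTClaimsSet jWTClaimsSet, OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        try {
            String signingTenantDomain = resolveSigningTenantDomain(oAuthTokenReqMessageContext, oAuthAuthzReqMessageContext);
            int tenantId = IdentityTenantUtil.getTenantId(signingTenantDomain);
            JWTClaimsSet claimsWithRealm = setSignerRealm(signingTenantDomain, jWTClaimsSet);
            Key signingKey = loadSigningKey(signingTenantDomain, tenantId);
            if (!(signingKey instanceof RSAPrivateKey)) {
                // The configured algorithm is RSA-based; a non-RSA tenant key cannot be used with it.
                throw new IdentityOAuth2Exception("Private key of tenant " + signingTenantDomain + " is not an RSA key; cannot sign with " + this.signatureAlgorithm);
            }
            JWSSigner signer = OAuth2Util.createJWSSigner((RSAPrivateKey) signingKey);
            JWSHeader.Builder headerBuilder = new JWSHeader.Builder(this.signatureAlgorithm);
            headerBuilder.keyID(OAuth2Util.getKID(OAuth2Util.getCertificate(signingTenantDomain, tenantId), this.signatureAlgorithm, signingTenantDomain));
            headerBuilder.x509CertThumbprint(new Base64URL(OAuth2Util.getSHA1ThumbPrint(signingTenantDomain, tenantId)));
            SignedJWT signedJWT = new SignedJWT(headerBuilder.build(), claimsWithRealm);
            signedJWT.sign(signer);
            return signedJWT.serialize();
        } catch (JOSEException e) {
            throw new IdentityOAuth2Exception("Error occurred while signing JWT", (Throwable) e);
        }
    }

    /** HMAC signing is not implemented; always fails. */
    protected String signJWTWithHMAC(JWTClaimsSet jWTClaimsSet, OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        throw new IdentityOAuth2Exception("Given signature algorithm " + this.signatureAlgorithm + " is not supported by the current implementation.");
    }

    /** ECDSA signing is not implemented; always fails. */
    protected String signJWTWithECDSA(JWTClaimsSet jWTClaimsSet, OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        throw new IdentityOAuth2Exception("Given signature algorithm " + this.signatureAlgorithm + " is not supported by the current implementation.");
    }

    /**
     * Maps the configured algorithm name (identity.xml) to a Nimbus {@link JWSAlgorithm}.
     *
     * @param str algorithm name, e.g. {@code SHA256withRSA}, {@code PS256} or {@code NONE}
     * @return the matching JWS algorithm; {@code NONE} maps to an unsigned-token algorithm
     * @throws IdentityOAuth2Exception if the name is blank or not one of the supported values
     */
    protected JWSAlgorithm mapSignatureAlgorithm(String str) throws IdentityOAuth2Exception {
        if (StringUtils.isNotBlank(str)) {
            switch (str) {
                case NONE:
                    return new JWSAlgorithm(JWSAlgorithm.NONE.getName());
                case SHA256_WITH_RSA:
                    return JWSAlgorithm.RS256;
                case SHA384_WITH_RSA:
                    return JWSAlgorithm.RS384;
                case SHA512_WITH_RSA:
                    return JWSAlgorithm.RS512;
                case PS256:
                    return JWSAlgorithm.PS256;
                case SHA256_WITH_HMAC:
                    return JWSAlgorithm.HS256;
                case SHA384_WITH_HMAC:
                    return JWSAlgorithm.HS384;
                case SHA512_WITH_HMAC:
                    return JWSAlgorithm.HS512;
                case SHA256_WITH_EC:
                    return JWSAlgorithm.ES256;
                case SHA384_WITH_EC:
                    return JWSAlgorithm.ES384;
                case SHA512_WITH_EC:
                    return JWSAlgorithm.ES512;
                default:
                    break;
            }
        }
        throw new IdentityOAuth2Exception("Unsupported Signature Algorithm in identity.xml");
    }

    /**
     * Builds the standard claim set: {@code iss}, {@code sub}, {@code azp}, {@code iat},
     * {@code jti}, {@code nbf}, {@code scope}, {@code aut}, {@code exp}, {@code aud}, then any
     * custom claims from the configured callback handler and, for token requests, token-binding
     * claims.
     *
     * @param oAuthAuthzReqMessageContext authorization-endpoint context, or null
     * @param oAuthTokenReqMessageContext token-endpoint context, or null (exactly one is expected)
     * @param str                         client id of the requesting application
     * @throws IdentityOAuth2Exception if the application or subject cannot be resolved
     */
    protected JWTClaimsSet createJWTClaimSet(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, OAuthTokenReqMessageContext oAuthTokenReqMessageContext, String str) throws IdentityOAuth2Exception {
        try {
            OAuthAppDO appInfo = OAuth2Util.getAppInformationByClientId(str);
            long lifetimeMillis;
            String tenantDomain;
            if (oAuthAuthzReqMessageContext != null) {
                lifetimeMillis = getAccessTokenLifeTimeInMillis(oAuthAuthzReqMessageContext, appInfo, str);
                tenantDomain = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getTenantDomain();
            } else {
                lifetimeMillis = getAccessTokenLifeTimeInMillis(oAuthTokenReqMessageContext, appInfo, str);
                tenantDomain = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
            }
            String issuer = OAuth2Util.getIdTokenIssuer(tenantDomain);
            long issuedAtMillis = Calendar.getInstance().getTimeInMillis();
            AuthenticatedUser user = getAuthenticatedUser(oAuthAuthzReqMessageContext, oAuthTokenReqMessageContext);
            String subject = getSubjectClaim(str, tenantDomain, user);

            JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
            builder.issuer(issuer);
            builder.subject(subject);
            builder.claim(AUTHORIZATION_PARTY, str);
            builder.issueTime(new Date(issuedAtMillis));
            // A random UUID as jti doubles as the persistence key (see getAccessTokenHash).
            builder.jwtID(UUID.randomUUID().toString());
            builder.notBeforeTime(new Date(issuedAtMillis));
            String scope = getScope(oAuthAuthzReqMessageContext, oAuthTokenReqMessageContext);
            if (StringUtils.isNotEmpty(scope)) {
                builder.claim(SCOPE, scope);
            }
            builder.claim(AUTHORIZED_USER_TYPE_CLAIM, getAuthorizedUserType(oAuthAuthzReqMessageContext, oAuthTokenReqMessageContext));
            builder.expirationTime(calculateAccessTokenExpiryTime(Long.valueOf(lifetimeMillis), Long.valueOf(issuedAtMillis)));
            builder.audience(OAuth2Util.getOIDCAudience(str, appInfo));
            // The callback handler mutates the builder in place; its return value is not needed here.
            if (oAuthAuthzReqMessageContext != null) {
                handleCustomClaims(builder, oAuthAuthzReqMessageContext);
            } else {
                handleCustomClaims(builder, oAuthTokenReqMessageContext);
            }
            return handleTokenBinding(builder, oAuthTokenReqMessageContext);
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception("Error while retrieving app information for clientId: " + str, (Throwable) e);
        }
    }

    /**
     * Computes {@code exp} as issue time plus lifetime, saturating at {@link Long#MAX_VALUE} when
     * the sum would overflow (e.g. a "never expires" lifetime).
     *
     * @param l  lifetime in milliseconds
     * @param l2 issue time in epoch milliseconds
     */
    private Date calculateAccessTokenExpiryTime(Long l, Long l2) {
        long issuedAt = l2.longValue();
        long lifetime = l.longValue();
        long sum = issuedAt + lifetime;
        Date expiry = sum < issuedAt ? new Date(Long.MAX_VALUE) : new Date(sum);
        if (log.isDebugEnabled()) {
            log.debug("Access token expiry time : " + expiry + "ms.");
        }
        return expiry;
    }

    /** Reads the {@code USER_TYPE} property from whichever context is present. */
    private String getAuthorizedUserType(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        if (oAuthTokenReqMessageContext != null) {
            return (String) oAuthTokenReqMessageContext.getProperty(USER_TYPE_PROPERTY);
        }
        return (String) oAuthAuthzReqMessageContext.getProperty(USER_TYPE_PROPERTY);
    }

    private String getAuthenticatedSubjectIdentifier(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        return getAuthenticatedUser(oAuthAuthzReqMessageContext, oAuthTokenReqMessageContext).getAuthenticatedSubjectIdentifier();
    }

    /**
     * Resolves the {@code sub} claim. Local users get the service provider's configured subject
     * claim (formatted per SP settings); federated users keep their authenticated subject identifier.
     *
     * @param str               client id
     * @param str2              tenant domain of the request
     * @param authenticatedUser the authenticated user
     * @throws IdentityOAuth2Exception if the SP cannot be found or the claim lookup fails
     */
    private String getSubjectClaim(String str, String str2, AuthenticatedUser authenticatedUser) throws IdentityOAuth2Exception {
        if (!isLocalUser(authenticatedUser)) {
            String federatedSubject = authenticatedUser.getAuthenticatedSubjectIdentifier();
            if (log.isDebugEnabled()) {
                log.debug("Subject claim: " + federatedSubject + " set for federated user: " + authenticatedUser + " for application: " + str + " of tenantDomain: " + str2);
            }
            return federatedSubject;
        }
        ServiceProvider serviceProvider = getServiceProvider(str2, str);
        if (serviceProvider == null) {
            throw new IdentityOAuth2Exception("Cannot find an service provider for client_id: " + str + " in tenantDomain: " + str2);
        }
        String localSubject = getSubjectClaimForLocalUser(serviceProvider, authenticatedUser);
        if (log.isDebugEnabled()) {
            log.debug("Subject claim: " + localSubject + " set for local user: " + authenticatedUser + " for application: " + str + " of tenantDomain: " + str2);
        }
        return localSubject;
    }

    /**
     * Looks up the service provider registered for the client id in the given tenant.
     *
     * @param str  tenant domain
     * @param str2 client id
     */
    private ServiceProvider getServiceProvider(String str, String str2) throws IdentityOAuth2Exception {
        ApplicationManagementService applicationMgtService = OAuth2ServiceComponentHolder.getApplicationMgtService();
        try {
            String spName = applicationMgtService.getServiceProviderNameByClientId(str2, INBOUND_AUTH2_TYPE, str);
            return applicationMgtService.getApplicationExcludingFileBasedSPs(spName, str);
        } catch (IdentityApplicationManagementException e) {
            throw new IdentityOAuth2Exception("Error while getting service provider information for client_id: " + str2 + " tenantDomain: " + str, (Throwable) e);
        }
    }

    private boolean isLocalUser(AuthenticatedUser authenticatedUser) {
        return !authenticatedUser.isFederatedUser();
    }

    /**
     * Builds the subject for a local user from the SP's subject claim URI, falling back to the
     * username when no URI is configured or the user has no value for it.
     */
    private String getSubjectClaimForLocalUser(ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser) throws IdentityOAuth2Exception {
        String userName = authenticatedUser.getUserName();
        String userStoreDomain = authenticatedUser.getUserStoreDomain();
        String tenantDomain = authenticatedUser.getTenantDomain();
        String subjectClaimUri = getSubjectClaimUriInLocalDialect(serviceProvider);
        if (StringUtils.isBlank(subjectClaimUri)) {
            if (log.isDebugEnabled()) {
                log.debug("No subject claim defined for service provider: " + serviceProvider.getApplicationName() + ". Using username as the subject claim.");
            }
            return getFormattedSubjectClaim(serviceProvider, userName, userStoreDomain, tenantDomain);
        }
        String fullQualifiedUsername = authenticatedUser.toFullQualifiedUsername();
        try {
            String subjectValue = getSubjectClaimFromUserStore(subjectClaimUri, authenticatedUser);
            if (StringUtils.isBlank(subjectValue)) {
                // Falling back to username changes the subject identifier the SP sees; surface it.
                subjectValue = userName;
                log.warn("Cannot find subject claim: " + subjectClaimUri + " for user:" + fullQualifiedUsername + ". Defaulting to username: " + subjectValue + " as the subject identifier.");
            }
            return getFormattedSubjectClaim(serviceProvider, subjectValue, userStoreDomain, tenantDomain);
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception("Error occurred while getting subject claim: " + subjectClaimUri + " for user: " + fullQualifiedUsername, (Throwable) e);
        } catch (IdentityException e2) {
            throw new IdentityOAuth2Exception("Error occurred while getting user claim for user: " + authenticatedUser + ", claim: " + subjectClaimUri, (Throwable) e2);
        }
    }

    /**
     * Appends tenant domain and/or user-store domain to the subject when the SP's local
     * authentication config asks for them.
     *
     * @param str  subject value
     * @param str2 user-store domain
     * @param str3 tenant domain
     */
    private String getFormattedSubjectClaim(ServiceProvider serviceProvider, String str, String str2, String str3) {
        String subject = str;
        boolean appendUserStoreDomain = serviceProvider.getLocalAndOutBoundAuthenticationConfig().isUseUserstoreDomainInLocalSubjectIdentifier();
        if (serviceProvider.getLocalAndOutBoundAuthenticationConfig().isUseTenantDomainInLocalSubjectIdentifier()) {
            subject = UserCoreUtil.addTenantDomainToEntry(subject, str3);
        }
        if (appendUserStoreDomain) {
            subject = IdentityUtil.addDomainToName(subject, str2);
        }
        return subject;
    }

    /** Reads the SP's configured subject claim URI and translates it to the local dialect. */
    private String getSubjectClaimUriInLocalDialect(ServiceProvider serviceProvider) {
        String subjectClaimUri = serviceProvider.getLocalAndOutBoundAuthenticationConfig().getSubjectClaimUri();
        if (log.isDebugEnabled()) {
            if (StringUtils.isNotBlank(subjectClaimUri)) {
                log.debug(subjectClaimUri + " is defined as subject claim for service provider: " + serviceProvider.getApplicationName());
            } else {
                log.debug("No subject claim defined for service provider: " + serviceProvider.getApplicationName());
            }
        }
        return getSubjectClaimUriInLocalDialect(serviceProvider, subjectClaimUri);
    }

    /**
     * When the SP uses a custom (non-local) claim dialect, maps the remote claim URI to its local
     * counterpart via the SP's claim mappings; otherwise returns the URI unchanged.
     */
    private String getSubjectClaimUriInLocalDialect(ServiceProvider serviceProvider, String str) {
        if (StringUtils.isBlank(str)) {
            return str;
        }
        ClaimConfig claimConfig = serviceProvider.getClaimConfig();
        if (claimConfig == null || claimConfig.isLocalClaimDialect()) {
            return str;
        }
        ClaimMapping[] claimMappings = claimConfig.getClaimMappings();
        if (ArrayUtils.isEmpty(claimMappings)) {
            return str;
        }
        for (ClaimMapping claimMapping : claimMappings) {
            if (StringUtils.equals(claimMapping.getRemoteClaim().getClaimUri(), str)) {
                return claimMapping.getLocalClaim().getClaimUri();
            }
        }
        return str;
    }

    /**
     * Reads the claim value from the user's own user store.
     *
     * NOTE(review): getSecondaryUserStoreManager may return null for an unknown domain, which would
     * surface as an NPE rather than a UserStoreException — confirm the caller's domain is validated.
     */
    private String getSubjectClaimFromUserStore(String str, AuthenticatedUser authenticatedUser) throws UserStoreException, IdentityException {
        return IdentityTenantUtil.getRealm(authenticatedUser.getTenantDomain(), authenticatedUser.toFullQualifiedUsername())
                .getUserStoreManager()
                .getSecondaryUserStoreManager(authenticatedUser.getUserStoreDomain())
                .getUserClaimValue(authenticatedUser.getUserName(), str, (String) null);
    }

    /**
     * Returns the authenticated user from whichever context is present.
     *
     * @throws IdentityOAuth2Exception if the context carries no user
     */
    private AuthenticatedUser getAuthenticatedUser(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        AuthenticatedUser user;
        if (oAuthAuthzReqMessageContext != null) {
            user = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser();
        } else {
            user = oAuthTokenReqMessageContext.getAuthorizedUser();
        }
        if (user == null) {
            throw new IdentityOAuth2Exception("Authenticated user is null for the request.");
        }
        return user;
    }

    /** Space-joins the granted scopes, or returns null when there are none. */
    private String getScope(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        String[] scopes = oAuthTokenReqMessageContext != null
                ? oAuthTokenReqMessageContext.getScope()
                : oAuthAuthzReqMessageContext.getApprovedScope();
        if (ArrayUtils.isEmpty(scopes)) {
            return null;
        }
        String scopeString = OAuth2Util.buildScopeString(scopes);
        if (log.isDebugEnabled()) {
            log.debug("Scope exist for the jwt access token with subject " + getAuthenticatedSubjectIdentifier(oAuthAuthzReqMessageContext, oAuthTokenReqMessageContext) + " and the scope is " + scopeString);
        }
        return scopeString;
    }

    /**
     * Lifetime for an authorization-endpoint token: the app's user access token expiry, falling
     * back to the server-wide default when the app value is 0.
     */
    protected long getAccessTokenLifeTimeInMillis(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, OAuthAppDO oAuthAppDO, String str) throws IdentityOAuth2Exception {
        long lifetimeMillis = oAuthAppDO.getUserAccessTokenExpiryTime() * 1000;
        if (lifetimeMillis == 0) {
            lifetimeMillis = OAuthServerConfiguration.getInstance().getUserAccessTokenValidityPeriodInSeconds() * 1000;
            if (log.isDebugEnabled()) {
                log.debug("User access token time was 0ms. Setting default user access token lifetime : " + lifetimeMillis + "ms.");
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("JWT Self Signed Access Token Life time set to : " + lifetimeMillis + "ms.");
        }
        return lifetimeMillis;
    }

    /**
     * Lifetime for a token-endpoint token: user-type grants use the app's user token expiry,
     * application-type grants use the app token expiry; a 0 falls back to the matching server
     * default.
     */
    protected long getAccessTokenLifeTimeInMillis(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuthAppDO oAuthAppDO, String str) throws IdentityOAuth2Exception {
        boolean userGrant = isUserAccessTokenType(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getGrantType());
        long lifetimeMillis;
        if (userGrant) {
            lifetimeMillis = oAuthAppDO.getUserAccessTokenExpiryTime() * 1000;
            if (log.isDebugEnabled()) {
                log.debug("User Access Token Life time set to : " + lifetimeMillis + "ms.");
            }
        } else {
            lifetimeMillis = oAuthAppDO.getApplicationAccessTokenExpiryTime() * 1000;
            if (log.isDebugEnabled()) {
                log.debug("Application Access Token Life time set to : " + lifetimeMillis + "ms.");
            }
        }
        if (lifetimeMillis == 0) {
            if (userGrant) {
                lifetimeMillis = OAuthServerConfiguration.getInstance().getUserAccessTokenValidityPeriodInSeconds() * 1000;
                if (log.isDebugEnabled()) {
                    log.debug("User access token time was 0ms. Setting default user access token lifetime : " + lifetimeMillis + "ms.");
                }
            } else {
                lifetimeMillis = OAuthServerConfiguration.getInstance().getApplicationAccessTokenValidityPeriodInSeconds() * 1000;
                if (log.isDebugEnabled()) {
                    log.debug("Application access token time was 0ms. Setting default Application access token lifetime : " + lifetimeMillis + "ms.");
                }
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("JWT Self Signed Access Token Life time set to : " + lifetimeMillis + "ms.");
        }
        return lifetimeMillis;
    }

    /** Delegates custom-claim population to the configured OIDC claims callback handler. */
    protected JWTClaimsSet handleCustomClaims(JWTClaimsSet.Builder builder, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        return OAuthServerConfiguration.getInstance().getOpenIDConnectCustomClaimsCallbackHandler().handleCustomClaims(builder, oAuthTokenReqMessageContext);
    }

    /** Delegates custom-claim population to the configured OIDC claims callback handler. */
    protected JWTClaimsSet handleCustomClaims(JWTClaimsSet.Builder builder, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        return OAuthServerConfiguration.getInstance().getOpenIDConnectCustomClaimsCallbackHandler().handleCustomClaims(builder, oAuthAuthzReqMessageContext);
    }

    /**
     * Whether the grant type issues tokens on behalf of a user (as opposed to the application).
     *
     * @throws IdentityOAuth2Exception if the grant type is not registered in server configuration
     *                                 (previously this surfaced as a NullPointerException)
     */
    private boolean isUserAccessTokenType(String str) throws IdentityOAuth2Exception {
        AuthorizationGrantHandler grantHandler = OAuthServerConfiguration.getInstance().getSupportedGrantTypes().get(str);
        if (grantHandler == null) {
            throw new IdentityOAuth2Exception("Unsupported grant type: " + str);
        }
        return grantHandler.isOfTypeApplicationUser();
    }

    /**
     * Adds token-binding claims ({@code binding_ref}, {@code binding_type}) when the token request
     * carries a binding, then finalizes the claim set.
     */
    private JWTClaimsSet handleTokenBinding(JWTClaimsSet.Builder builder, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        boolean hasBinding = oAuthTokenReqMessageContext != null && oAuthTokenReqMessageContext.getTokenBinding() != null;
        if (hasBinding) {
            builder.claim(TOKEN_BINDING_REF, oAuthTokenReqMessageContext.getTokenBinding().getBindingReference());
            builder.claim(TOKEN_BINDING_TYPE, oAuthTokenReqMessageContext.getTokenBinding().getBindingType());
        }
        return builder.build();
    }

    /**
     * When tokens are signed with the user's tenant key (not the SP's), records that tenant in a
     * {@code realm.signing_tenant} claim so validators can pick the right key.
     *
     * @param str          signing tenant domain
     * @param jWTClaimsSet claim set to extend
     * @return the original claim set, or a copy with the realm claim added
     */
    private JWTClaimsSet setSignerRealm(String str, JWTClaimsSet jWTClaimsSet) {
        if (OAuthServerConfiguration.getInstance().getUseSPTenantDomainValue()) {
            return jWTClaimsSet;
        }
        Map<String, String> realm = new HashMap<>();
        realm.put(SIGNING_TENANT, str);
        if (log.isDebugEnabled()) {
            log.debug("Setting authorized user tenant domain : " + str + " used for signing the token to the 'realm' claim of jwt token");
        }
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder(jWTClaimsSet);
        builder.claim(REALM_CLAIM, realm);
        return builder.build();
    }
}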
