package org.wso2.carbon.identity.oauth2.token;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.owasp.encoder.Encode;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ClaimConfig;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.common.model.ServiceProviderProperty;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.cache.AppInfoCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth.event.OAuthEventInterceptor;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IDTokenValidationFailureException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants;
import org.wso2.carbon.identity.oauth2.ResponseHeader;
import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext;
import org.wso2.carbon.identity.oauth2.device.errorcodes.DeviceErrorCodes;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener;
import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinder;
import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinding;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.JDBCPermissionBasedInternalScopeValidator;
import org.wso2.carbon.identity.oauth2.validators.RefreshTokenValidator;
import org.wso2.carbon.identity.oauth2.validators.RoleBasedInternalScopeValidator;
import org.wso2.carbon.identity.openidconnect.model.Constants;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.CarbonUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.class */
public class AccessTokenIssuer {
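    // Lazily created singleton. Declared volatile so the double-checked locking in getInstance()
    // is correct under the Java memory model; without it another thread may observe a reference
    // to a not-yet-fully-constructed instance.
    private static volatile AccessTokenIssuer instance;
    private static final Log log = LogFactory.getLog(AccessTokenIssuer.class);
    // Grant type name -> handler, read from the server configuration when the issuer is built.
    private Map<String, AuthorizationGrantHandler> authzGrantHandlers = OAuthServerConfiguration.getInstance().getSupportedGrantTypes();
    // Message-context property key under which the resolved OAuthAppDO is stored for the handlers.
    public static final String OAUTH_APP_DO = "OAuthAppDO";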

    /**
     * Builds the issuer and checks that the application-info cache can be obtained.
     *
     * <p>The check is informational only: a missing cache is logged as an error and
     * construction still completes.
     *
     * @throws IdentityOAuth2Exception declared for the singleton API; this body does not raise it.
     */
    private AccessTokenIssuer() throws IdentityOAuth2Exception {
        boolean cacheAvailable = AppInfoCache.getInstance() != null;
        if (!cacheAvailable) {
            log.error("Error while creating AppInfoCache");
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Successfully created AppInfoCache under OAuthCacheManager");
        }
    }

    /**
     * Returns the shared issuer, creating it on first use.
     *
     * <p>{@code CarbonUtils.checkSecurity()} runs on every call before the instance is touched.
     * Creation uses double-checked locking on the class monitor, which is only sound under the
     * Java memory model when the {@code instance} field is declared {@code volatile}.
     *
     * @return the process-wide {@code AccessTokenIssuer}
     * @throws IdentityOAuth2Exception if constructing the issuer fails
     */
    public static AccessTokenIssuer getInstance() throws IdentityOAuth2Exception {
        CarbonUtils.checkSecurity();
        AccessTokenIssuer issuer = instance;
        if (issuer != null) {
            return issuer;
        }
        synchronized (AccessTokenIssuer.class) {
            if (instance == null) {
                instance = new AccessTokenIssuer();
            }
            return instance;
        }
    }

    /**
     * Handles one token-endpoint request: authenticates and authorizes the client, validates the
     * grant and scopes, and issues the access token (plus an ID token for OIDC requests).
     *
     * <p>Order of processing; every failure returns an error response after {@code setResponse}
     * and the post-listeners have run:
     * <ol>
     *   <li>pre-listeners;</li>
     *   <li>client-authentication outcome (missing context, more than one authenticator engaged,
     *       unauthenticated confidential client);</li>
     *   <li>grant-handler lookup by grant type;</li>
     *   <li>application lookup and tenant validation;</li>
     *   <li>client authorization for the grant type, grant validation, access delegation;</li>
     *   <li>scope filtering (allow-listed, internal, unregistered) and scope validation;</li>
     *   <li>token binding, then issuance through the grant handler.</li>
     * </ol>
     *
     * @param oAuth2AccessTokenReqDTO the parsed token request; its tenant domain is overwritten with
     *                                the application's tenant once the application is resolved
     * @return the token response, or an error response built by {@code handleError}
     * @throws IdentityException propagated from the lookups, validators and grant handler called here
     */
    public OAuth2AccessTokenRespDTO issue(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) throws IdentityException {
        String grantType = oAuth2AccessTokenReqDTO.getGrantType();
        OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO = null;
        AuthorizationGrantHandler authorizationGrantHandler = this.authzGrantHandlers.get(grantType);
        OAuthTokenReqMessageContext oAuthTokenReqMessageContext = new OAuthTokenReqMessageContext(oAuth2AccessTokenReqDTO);
        // "equals" is the is-refresh-token-request flag handed to the pre/post listeners.
        boolean equals = GrantType.REFRESH_TOKEN.toString().equals(grantType);
        triggerPreListeners(oAuth2AccessTokenReqDTO, oAuthTokenReqMessageContext, equals);
        OAuthClientAuthnContext oAuthClientAuthnContext = oAuth2AccessTokenReqDTO.getoAuthClientAuthnContext();
        if (oAuthClientAuthnContext == null) {
            // No authenticator produced a context: synthesize a failed one so the checks below
            // reject the client uniformly. The secret is masked before it reaches the diagnostic
            // log (presumably FULL_STOP_DELIMITER is the regex "." so every character becomes "*"
            // -- confirm against Constants).
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                HashMap hashMap = new HashMap();
                hashMap.put("clientId", oAuth2AccessTokenReqDTO.getClientId());
                if (StringUtils.isNotBlank(oAuth2AccessTokenReqDTO.getClientSecret())) {
                    hashMap.put("clientSecret", oAuth2AccessTokenReqDTO.getClientSecret().replaceAll(Constants.FULL_STOP_DELIMITER, "*"));
                }
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap, "FAILED", "OAuth client authentication failed.", "issue-access-token", (Map) null);
            }
            oAuthClientAuthnContext = new OAuthClientAuthnContext();
            oAuthClientAuthnContext.setAuthenticated(false);
            oAuthClientAuthnContext.setErrorMessage("Client Authentication Failed");
            oAuthClientAuthnContext.setErrorCode("invalid_request");
        }
        // OAuth 2.0 permits at most one client authentication method per request.
        if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                HashMap hashMap2 = new HashMap();
                hashMap2.put("clientId", oAuth2AccessTokenReqDTO.getClientId());
                hashMap2.put("clientAuthenticators", oAuthClientAuthnContext.getExecutedAuthenticators());
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap2, "FAILED", "The client MUST NOT use more than one authentication method per request.", "issue-access-token", (Map) null);
            }
            OAuth2AccessTokenRespDTO handleError = handleError("invalid_request", "The client MUST NOT use more than one authentication method in each", oAuth2AccessTokenReqDTO);
            setResponse(oAuthTokenReqMessageContext, handleError);
            triggerPostListeners(oAuth2AccessTokenReqDTO, handleError, oAuthTokenReqMessageContext, equals);
            return handleError;
        }
        boolean isAuthenticated = oAuthClientAuthnContext.isAuthenticated();
        // No handler registered for the requested grant type.
        if (authorizationGrantHandler == null) {
            String str = "Unsupported grant type : " + grantType + ", is used.";
            if (log.isDebugEnabled()) {
                log.debug(str);
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                HashMap hashMap3 = new HashMap();
                hashMap3.put("clientId", oAuth2AccessTokenReqDTO.getClientId());
                hashMap3.put("grantType", grantType);
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap3, "FAILED", "Unsupported grant type.", "issue-access-token", (Map) null);
            }
            OAuth2AccessTokenRespDTO handleError2 = handleError("unsupported_grant_type", str, oAuth2AccessTokenReqDTO);
            setResponse(oAuthTokenReqMessageContext, handleError2);
            triggerPostListeners(oAuth2AccessTokenReqDTO, handleError2, oAuthTokenReqMessageContext, equals);
            return handleError2;
        }
        // Public clients (handler not marked confidential) are accepted on a client id alone;
        // the authenticator's verdict is deliberately overridden here.
        if (!authorizationGrantHandler.isConfidentialClient() && StringUtils.isNotEmpty(oAuthClientAuthnContext.getClientId())) {
            isAuthenticated = true;
        }
        // Confidential client for which no authenticator was engaged at all.
        if (!isAuthenticated && !oAuthClientAuthnContext.isPreviousAuthenticatorEngaged() && authorizationGrantHandler.isConfidentialClient()) {
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                HashMap hashMap4 = new HashMap();
                hashMap4.put("clientId", oAuth2AccessTokenReqDTO.getClientId());
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap4, "FAILED", "Unsupported client authentication method.", "issue-access-token", (Map) null);
            }
            OAuth2AccessTokenRespDTO handleError3 = handleError("invalid_client", "Unsupported Client Authentication Method!", oAuth2AccessTokenReqDTO);
            setResponse(oAuthTokenReqMessageContext, handleError3);
            triggerPostListeners(oAuth2AccessTokenReqDTO, handleError3, oAuthTokenReqMessageContext, equals);
            return handleError3;
        }
        // An authenticator ran and rejected the client: return its own error code and message.
        if (!isAuthenticated) {
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                HashMap hashMap5 = new HashMap();
                hashMap5.put("clientId", oAuth2AccessTokenReqDTO.getClientId());
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap5, "FAILED", "Client authentication failed. " + oAuthClientAuthnContext.getErrorMessage(), "issue-access-token", (Map) null);
            }
            OAuth2AccessTokenRespDTO handleError4 = handleError(oAuthClientAuthnContext.getErrorCode(), oAuthClientAuthnContext.getErrorMessage(), oAuth2AccessTokenReqDTO);
            setResponse(oAuthTokenReqMessageContext, handleError4);
            triggerPostListeners(oAuth2AccessTokenReqDTO, handleError4, oAuthTokenReqMessageContext, equals);
            return handleError4;
        }
        // Resolve the application, check the request against its tenant, and pin the request to it.
        OAuthAppDO oAuthApplication = getOAuthApplication(oAuth2AccessTokenReqDTO.getClientId());
        String tenantDomainOfOauthApp = OAuth2Util.getTenantDomainOfOauthApp(oAuthApplication);
        OAuth2Util.validateRequestTenantDomain(tenantDomainOfOauthApp, oAuth2AccessTokenReqDTO);
        oAuth2AccessTokenReqDTO.setTenantDomain(tenantDomainOfOauthApp);
        oAuthTokenReqMessageContext.addProperty("OAuthAppDO", oAuthApplication);
        // Application-user grants carry an end user; otherwise the application owner is the
        // authorized user of the token.
        if (authorizationGrantHandler.isOfTypeApplicationUser()) {
            oAuthTokenReqMessageContext.addProperty("USER_TYPE", "APPLICATION_USER");
        } else {
            oAuthTokenReqMessageContext.setAuthorizedUser(oAuthApplication.getAppOwner());
            oAuthTokenReqMessageContext.addProperty("USER_TYPE", "APPLICATION");
        }
        // Is this client allowed to use the grant type? If the handler throws, its message replaces
        // the generic text and is returned to the client below.
        // NOTE(review): confirm those handler messages never carry internal detail worth withholding.
        boolean z = false;
        String str2 = "The authenticated client is not authorized to use this authorization grant type";
        try {
            z = authorizationGrantHandler.isAuthorizedClient(oAuthTokenReqMessageContext);
        } catch (IdentityOAuth2Exception e) {
            if (log.isDebugEnabled()) {
                log.debug("Error occurred while validating client for authorization", e);
            }
            LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "System error occurred.", "issue-access-token", (Map) null);
            str2 = e.getMessage();
        }
        if (!z) {
            if (log.isDebugEnabled()) {
                log.debug("Client Id: " + oAuth2AccessTokenReqDTO.getClientId() + " is not authorized to use grant type: " + grantType);
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                HashMap hashMap6 = new HashMap();
                hashMap6.put("clientId", oAuth2AccessTokenReqDTO.getClientId());
                hashMap6.put("grantType", grantType);
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap6, "FAILED", "Client is not authorized to use the requested grant type.", "issue-access-token", (Map) null);
            }
            OAuth2AccessTokenRespDTO handleError5 = handleError(DeviceErrorCodes.UNAUTHORIZED_CLIENT, str2, oAuth2AccessTokenReqDTO);
            setResponse(oAuthTokenReqMessageContext, handleError5);
            triggerPostListeners(oAuth2AccessTokenReqDTO, handleError5, oAuthTokenReqMessageContext, equals);
            return handleError5;
        }
        // Validate the grant itself; a handler exception may carry a more specific error code.
        boolean z2 = false;
        String str3 = "Provided Authorization Grant is invalid";
        String str4 = DeviceErrorCodes.UNSUPPORTED_GRANT_TYPE;
        try {
            z2 = authorizationGrantHandler.validateGrant(oAuthTokenReqMessageContext);
        } catch (IdentityOAuth2Exception e2) {
            if (log.isDebugEnabled()) {
                log.debug("Error occurred while validating grant", e2);
            }
            if (e2.getErrorCode() != null) {
                str4 = e2.getErrorCode();
            }
            str3 = e2.getMessage();
            // The error code is copied a second time here; redundant but harmless.
            if (e2.getErrorCode() != null) {
                str4 = e2.getErrorCode();
            }
        }
        // Federated users are moved into the application's tenant before any response is built.
        if (oAuthTokenReqMessageContext.getAuthorizedUser() != null && oAuthTokenReqMessageContext.getAuthorizedUser().isFederatedUser()) {
            oAuthTokenReqMessageContext.getAuthorizedUser().setTenantDomain(tenantDomainOfOauthApp);
        }
        if (!z2) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid Grant provided by the client Id: " + oAuth2AccessTokenReqDTO.getClientId());
            }
            OAuth2AccessTokenRespDTO handleError6 = handleError(str4, str3, oAuth2AccessTokenReqDTO);
            setResponse(oAuthTokenReqMessageContext, handleError6);
            triggerPostListeners(oAuth2AccessTokenReqDTO, handleError6, oAuthTokenReqMessageContext, equals);
            return handleError6;
        }
        // Handler-specific access-delegation check.
        if (!authorizationGrantHandler.authorizeAccessDelegation(oAuthTokenReqMessageContext)) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid authorization for client Id : " + oAuth2AccessTokenReqDTO.getClientId());
            }
            OAuth2AccessTokenRespDTO handleError7 = handleError(DeviceErrorCodes.UNAUTHORIZED_CLIENT, "Unauthorized Client!", oAuth2AccessTokenReqDTO);
            setResponse(oAuthTokenReqMessageContext, handleError7);
            triggerPostListeners(oAuth2AccessTokenReqDTO, handleError7, oAuthTokenReqMessageContext, equals);
            return handleError7;
        }
        // Split the requested scopes: server-allow-listed ones (arrayList) bypass validation and are
        // re-attached at the end; the remainder (arrayList2) stays on the context for the validators.
        List<String> allowedScopes = OAuthServerConfiguration.getInstance().getAllowedScopes();
        ArrayList arrayList = new ArrayList();
        String[] scope = oAuthTokenReqMessageContext.getScope();
        ArrayList arrayList2 = new ArrayList();
        if (scope != null) {
            for (String str5 : scope) {
                if (OAuth2Util.isAllowedScope(allowedScopes, str5)) {
                    arrayList.add(str5);
                } else {
                    arrayList2.add(str5);
                }
            }
            oAuthTokenReqMessageContext.setScope((String[]) arrayList2.toArray(new String[0]));
        }
        // Internal scopes are only ever granted from validator output, and only for management
        // apps. Whatever the client requested under the internal/console/SYSTEM names is stripped
        // from the context before the authorized set is recorded.
        String[] strArr = new String[0];
        if (getServiceProvider(oAuth2AccessTokenReqDTO).isManagementApp()) {
            if (log.isDebugEnabled()) {
                log.debug("Handling the internal scope validation.");
            }
            strArr = new JDBCPermissionBasedInternalScopeValidator().validateScope(oAuthTokenReqMessageContext);
            if (IdentityUtil.isSystemRolesEnabled()) {
                strArr = (String[]) ArrayUtils.addAll(strArr, new RoleBasedInternalScopeValidator().validateScope(oAuthTokenReqMessageContext));
            }
        } else if (log.isDebugEnabled()) {
            log.debug("Skipping the internal scope validation as the application is not configured as Management App");
        }
        removeInternalScopes(oAuthTokenReqMessageContext);
        oAuthTokenReqMessageContext.setAuthorizedInternalScopes(strArr);
        // Optionally discard scopes that are not registered in the application's tenant.
        if (OAuthServerConfiguration.getInstance().isDropUnregisteredScopes()) {
            if (log.isDebugEnabled()) {
                log.debug("DropUnregisteredScopes config is enabled. Attempting to drop unregistered scopes.");
            }
            oAuthTokenReqMessageContext.setScope(OAuth2Util.dropUnregisteredScopes(oAuthTokenReqMessageContext.getScope(), oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain()));
        }
        // Handler-level scope validation on the remaining (non-allow-listed, non-internal) scopes.
        if (!authorizationGrantHandler.validateScope(oAuthTokenReqMessageContext)) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid scope provided by client Id: " + oAuth2AccessTokenReqDTO.getClientId());
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                HashMap hashMap7 = new HashMap();
                hashMap7.put("clientId", oAuth2AccessTokenReqDTO.getClientId());
                if (ArrayUtils.isNotEmpty(oAuth2AccessTokenReqDTO.getScope())) {
                    hashMap7.put("scope", Arrays.asList(oAuth2AccessTokenReqDTO.getScope()));
                }
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap7, "FAILED", "Invalid scope provided in the request.", "validate-scope", (Map) null);
            }
            OAuth2AccessTokenRespDTO handleError8 = handleError("invalid_scope", "Invalid Scope!", oAuth2AccessTokenReqDTO);
            setResponse(oAuthTokenReqMessageContext, handleError8);
            triggerPostListeners(oAuth2AccessTokenReqDTO, handleError8, oAuthTokenReqMessageContext, equals);
            return handleError8;
        }
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            HashMap hashMap8 = new HashMap();
            hashMap8.put("clientId", oAuth2AccessTokenReqDTO.getClientId());
            if (ArrayUtils.isNotEmpty(oAuth2AccessTokenReqDTO.getScope())) {
                hashMap8.put("scope", Arrays.asList(oAuth2AccessTokenReqDTO.getScope()));
            }
            LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap8, "SUCCESS", "OAuth scope validation is successful.", "validate-scope", (Map) null);
        }
        // Re-attach the validator-granted internal scopes and the allow-listed scopes split off above.
        addAuthorizedInternalScopes(oAuthTokenReqMessageContext, oAuthTokenReqMessageContext.getAuthorizedInternalScopes());
        addAllowedScopes(oAuthTokenReqMessageContext, (String[]) arrayList.toArray(new String[0]));
        handleTokenBinding(oAuth2AccessTokenReqDTO, grantType, oAuthTokenReqMessageContext, oAuthApplication);
        // From here on the request context is published through OAuth2Util and cleared on every
        // exit path. The catch (Throwable) below runs the post-listeners and clears it if anything
        // throws; the response DTO may still be null at that point, and anything that throws after
        // the successful post-listener call below makes the listeners run a second time.
        try {
            OAuth2Util.setTokenRequestContext(oAuthTokenReqMessageContext);
            AuthenticatedUser authorizedUser = oAuthTokenReqMessageContext.getAuthorizedUser();
            // Derive the subject identifier once, from the service provider's subject-claim config.
            if (authorizedUser.getAuthenticatedSubjectIdentifier() == null) {
                authorizedUser.setAuthenticatedSubjectIdentifier(getSubjectClaim(getServiceProvider(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO()), authorizedUser));
            }
            oAuth2AccessTokenRespDTO = authorizationGrantHandler.issue(oAuthTokenReqMessageContext);
            // The handler reported failure through the DTO rather than by throwing.
            if (oAuth2AccessTokenRespDTO.isError()) {
                setResponse(oAuthTokenReqMessageContext, oAuth2AccessTokenRespDTO);
                triggerPostListeners(oAuth2AccessTokenReqDTO, oAuth2AccessTokenRespDTO, oAuthTokenReqMessageContext, equals);
                OAuth2Util.clearTokenRequestContext();
                return oAuth2AccessTokenRespDTO;
            }
            triggerPostListeners(oAuth2AccessTokenReqDTO, oAuth2AccessTokenRespDTO, oAuthTokenReqMessageContext, equals);
            OAuth2Util.clearTokenRequestContext();
            oAuth2AccessTokenRespDTO.setCallbackURI(oAuthApplication.getCallbackUrl());
            // Report the final scope set as a space-separated string (trailing separator trimmed).
            String[] scope2 = oAuthTokenReqMessageContext.getScope();
            if (scope2 != null && scope2.length > 0) {
                StringBuilder sb = new StringBuilder("");
                for (String str6 : scope2) {
                    sb.append(str6);
                    sb.append(org.wso2.carbon.identity.oauth2.device.constants.Constants.SEPARATED_WITH_SPACE);
                }
                oAuth2AccessTokenRespDTO.setAuthorizedScopes(sb.toString().trim());
            }
            setResponse(oAuthTokenReqMessageContext, oAuth2AccessTokenRespDTO);
            if (log.isDebugEnabled()) {
                log.debug("Access token issued to client Id: " + oAuth2AccessTokenReqDTO.getClientId() + " username: " + oAuthTokenReqMessageContext.getAuthorizedUser() + " and scopes: " + oAuth2AccessTokenRespDTO.getAuthorizedScopes());
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                HashMap hashMap9 = new HashMap();
                hashMap9.put("clientId", oAuth2AccessTokenReqDTO.getClientId());
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap9, "SUCCESS", "Access token issued for the application.", "issue-access-token", (Map) null);
            }
            // Authorization-code grant: carry user attributes over to the new access token (per method name).
            if (GrantType.AUTHORIZATION_CODE.toString().equals(grantType)) {
                addUserAttributesAgainstAccessToken(oAuth2AccessTokenReqDTO, oAuth2AccessTokenRespDTO);
            }
            // OAuth2Util decides from the scopes whether this is an OIDC request; if so, build the ID token.
            if (oAuthTokenReqMessageContext.getScope() != null && OAuth2Util.isOIDCAuthzRequest(oAuthTokenReqMessageContext.getScope())) {
                if (log.isDebugEnabled()) {
                    log.debug("Issuing ID token for client: " + oAuth2AccessTokenReqDTO.getClientId());
                }
                try {
                    String buildIDToken = OAuthServerConfiguration.getInstance().getOpenIDConnectIDTokenBuilder().buildIDToken(oAuthTokenReqMessageContext, oAuth2AccessTokenRespDTO);
                    if (LoggerUtils.isDiagnosticLogsEnabled()) {
                        HashMap hashMap10 = new HashMap();
                        hashMap10.put("clientId", oAuth2AccessTokenReqDTO.getClientId());
                        LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap10, "SUCCESS", "ID token issued for the application.", "issue-id-token", (Map) null);
                    }
                    oAuth2AccessTokenRespDTO.setIDToken(buildIDToken);
                } catch (IDTokenValidationFailureException e3) {
                    // NOTE(review): only the message is logged (stack trace lost); the error response is
                    // not recorded via setResponse, and the post-listeners have already observed the
                    // success response above, while the access token was already issued by the handler.
                    log.error(e3.getMessage());
                    if (LoggerUtils.isDiagnosticLogsEnabled()) {
                        HashMap hashMap11 = new HashMap();
                        hashMap11.put("clientId", oAuth2AccessTokenReqDTO.getClientId());
                        LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap11, "FAILED", "System error occurred.", "issue-id-token", (Map) null);
                    }
                    return handleError("server_error", "Server Error", oAuth2AccessTokenReqDTO);
                }
            }
            // The exchange is complete: drop the cache entry kept against the authorization code.
            if (GrantType.AUTHORIZATION_CODE.toString().equals(grantType)) {
                clearCacheEntryAgainstAuthorizationCode(getAuthorizationCode(oAuth2AccessTokenReqDTO));
            }
            return oAuth2AccessTokenRespDTO;
        } catch (Throwable th) {
            // Any exception: notify the post-listeners (response may be null), clear the request
            // context held in OAuth2Util, and rethrow unchanged.
            triggerPostListeners(oAuth2AccessTokenReqDTO, oAuth2AccessTokenRespDTO, oAuthTokenReqMessageContext, equals);
            OAuth2Util.clearTokenRequestContext();
            throw th;
        }
    }

    /**
     * Loads the service provider registered for the request's client id within its tenant.
     *
     * @param oAuth2AccessTokenReqDTO request supplying the client id and tenant domain
     * @return the matching service provider, never {@code null}
     * @throws IdentityOAuth2Exception if no provider is registered or the lookup itself fails
     */
    private ServiceProvider getServiceProvider(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) throws IdentityOAuth2Exception {
        String clientId = oAuth2AccessTokenReqDTO.getClientId();
        String tenantDomain = oAuth2AccessTokenReqDTO.getTenantDomain();
        ServiceProvider serviceProvider;
        try {
            serviceProvider = OAuth2ServiceComponentHolder.getApplicationMgtService().getServiceProviderByClientId(clientId, OAuthApplicationMgtListener.OAUTH2, tenantDomain);
        } catch (IdentityApplicationManagementException e) {
            throw new IdentityOAuth2Exception("Error occurred while retrieving OAuth2 application data for client id " + clientId, (Throwable) e);
        }
        if (serviceProvider == null) {
            if (log.isDebugEnabled()) {
                log.debug("Could not find an application for client id: " + clientId + ", scope: " + OAuthApplicationMgtListener.OAUTH2 + ", tenant: " + tenantDomain);
            }
            throw new IdentityOAuth2Exception("Service Provider not found");
        }
        if (log.isDebugEnabled()) {
            log.debug("Retrieved service provider: " + serviceProvider.getApplicationName() + " for client: " + clientId + ", scope: " + OAuthApplicationMgtListener.OAUTH2 + ", tenant: " + tenantDomain);
        }
        return serviceProvider;
    }

    /**
     * Computes the subject identifier for the authenticated user of a token request.
     *
     * <p>If the service provider configures a subject claim, its value is read from the user store
     * and, when blank, replaced by the default subject (user id or username, see
     * {@link #getDefaultSubject}). Without a configured subject claim the default subject is used
     * directly. In both cases the value is formatted per the provider's tenant/user-store-domain
     * settings.
     *
     * @param serviceProvider   provider whose subject-claim and formatting settings apply
     * @param authenticatedUser user the token is issued for
     * @return the formatted subject identifier
     * @throws IdentityOAuth2Exception if the claim or the user id cannot be read
     */
    private String getSubjectClaim(ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser) throws IdentityOAuth2Exception {
        String tenantDomain = authenticatedUser.getTenantDomain();
        String userStoreDomain = authenticatedUser.getUserStoreDomain();
        String subjectClaimUri = getSubjectClaimUriInLocalDialect(serviceProvider);
        if (StringUtils.isBlank(subjectClaimUri)) {
            try {
                String defaultSubject = getDefaultSubject(serviceProvider, authenticatedUser);
                String formatted = getFormattedSubjectClaim(serviceProvider, defaultSubject, userStoreDomain, tenantDomain);
                if (log.isDebugEnabled()) {
                    log.debug("No subject claim defined for service provider: " + serviceProvider.getApplicationName() + ". Using username as the subject claim.");
                }
                return formatted;
            } catch (UserIdNotFoundException e) {
                throw new IdentityOAuth2Exception("User id not found for user: " + authenticatedUser.getLoggableUserId(), (Throwable) e);
            }
        }
        try {
            String subject = getSubjectClaimFromUserStore(subjectClaimUri, authenticatedUser);
            if (StringUtils.isBlank(subject)) {
                // Claim missing on the user: fall back to the default subject and say so in the log.
                subject = getDefaultSubject(serviceProvider, authenticatedUser);
                log.warn("Cannot find subject claim: " + subjectClaimUri + " for user:" + authenticatedUser.getLoggableUserId() + ". Defaulting to username: " + subject + " as the subject identifier.");
            }
            return getFormattedSubjectClaim(serviceProvider, subject, userStoreDomain, tenantDomain);
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception("Error occurred while getting subject claim: " + subjectClaimUri + " for user: " + authenticatedUser.getLoggableUserId(), (Throwable) e);
        } catch (IdentityException e) {
            throw new IdentityOAuth2Exception("Error occurred while getting user claim for user: " + authenticatedUser.getLoggableUserId() + ", claim: " + subjectClaimUri, (Throwable) e);
        }
    }

    /**
     * Picks the fallback subject for a user when no subject claim value is available.
     *
     * <p>Returns the user id when the provider property {@code useUserIdForDefaultSubject}
     * is present and parses as {@code true}; otherwise the username.
     *
     * @param serviceProvider   provider whose properties are inspected
     * @param authenticatedUser user to take the id or username from
     * @return the user id or the username
     * @throws UserIdNotFoundException if the user id is required but cannot be resolved
     */
    private String getDefaultSubject(ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser) throws UserIdNotFoundException {
        boolean useUserId = false;
        ServiceProviderProperty[] properties = serviceProvider.getSpProperties();
        if (properties != null) {
            for (ServiceProviderProperty property : properties) {
                if ("useUserIdForDefaultSubject".equals(property.getName())) {
                    useUserId = Boolean.parseBoolean(property.getValue());
                    break;
                }
            }
        }
        if (useUserId) {
            return authenticatedUser.getUserId();
        }
        return authenticatedUser.getUserName();
    }

    /**
     * Applies the provider's local-subject-identifier formatting options to a subject value.
     *
     * <p>The tenant domain is appended first (when enabled), then the user-store domain is
     * prefixed (when enabled), so the result has the shape {@code DOMAIN/subject@tenant}.
     *
     * @param serviceProvider provider whose local/outbound authentication config decides the format
     * @param subject         raw subject value
     * @param userStoreDomain user-store domain of the user
     * @param tenantDomain    tenant domain of the user
     * @return the formatted subject
     */
    private String getFormattedSubjectClaim(ServiceProvider serviceProvider, String subject, String userStoreDomain, String tenantDomain) {
        boolean prefixUserStoreDomain = serviceProvider.getLocalAndOutBoundAuthenticationConfig().isUseUserstoreDomainInLocalSubjectIdentifier();
        boolean appendTenantDomain = serviceProvider.getLocalAndOutBoundAuthenticationConfig().isUseTenantDomainInLocalSubjectIdentifier();
        String formatted = subject;
        if (appendTenantDomain) {
            formatted = UserCoreUtil.addTenantDomainToEntry(formatted, tenantDomain);
        }
        if (prefixUserStoreDomain) {
            formatted = IdentityUtil.addDomainToName(formatted, userStoreDomain);
        }
        return formatted;
    }

    /**
     * Reads one claim value for the user from the user store of the user's tenant.
     *
     * @param claimUri          local-dialect claim URI to read
     * @param authenticatedUser user whose tenant realm and id are used for the lookup
     * @return the claim value, or whatever the user store returns when it is absent
     * @throws UserStoreException if the realm or claim lookup fails
     * @throws IdentityException  if the realm or the user id cannot be resolved
     */
    private String getSubjectClaimFromUserStore(String claimUri, AuthenticatedUser authenticatedUser) throws UserStoreException, IdentityException {
        String tenantDomain = authenticatedUser.getTenantDomain();
        String qualifiedUsername = authenticatedUser.toFullQualifiedUsername();
        return IdentityTenantUtil.getRealm(tenantDomain, qualifiedUsername)
                .getUserStoreManager()
                .getUserClaimValueWithID(authenticatedUser.getUserId(), claimUri, (String) null);
    }

    /**
     * Returns the provider's configured subject claim URI translated into the local dialect.
     *
     * @param serviceProvider provider whose local/outbound authentication config holds the subject claim
     * @return the local-dialect claim URI, or the configured value unchanged (possibly blank)
     */
    private String getSubjectClaimUriInLocalDialect(ServiceProvider serviceProvider) {
        String configuredUri = serviceProvider.getLocalAndOutBoundAuthenticationConfig().getSubjectClaimUri();
        if (log.isDebugEnabled()) {
            String appName = serviceProvider.getApplicationName();
            if (StringUtils.isBlank(configuredUri)) {
                log.debug("No subject claim defined for service provider: " + appName);
            } else {
                log.debug(configuredUri + " is defined as subject claim for service provider: " + appName);
            }
        }
        return getSubjectClaimUriInLocalDialect(serviceProvider, configuredUri);
    }

    /**
     * Maps a subject claim URI to its local-dialect equivalent using the provider's claim mappings.
     *
     * <p>The input is returned unchanged when it is blank, when the provider has no claim config,
     * when it already uses the local dialect, when no mappings exist, or when no mapping's remote
     * claim matches.
     *
     * @param serviceProvider provider whose claim mappings are consulted
     * @param claimUri        claim URI as configured on the provider (may be in a remote dialect)
     * @return the local claim URI of the matching mapping, else {@code claimUri}
     */
    private String getSubjectClaimUriInLocalDialect(ServiceProvider serviceProvider, String claimUri) {
        if (StringUtils.isBlank(claimUri)) {
            return claimUri;
        }
        ClaimConfig claimConfig = serviceProvider.getClaimConfig();
        if (claimConfig == null || claimConfig.isLocalClaimDialect()) {
            return claimUri;
        }
        ClaimMapping[] mappings = claimConfig.getClaimMappings();
        if (ArrayUtils.isEmpty(mappings)) {
            return claimUri;
        }
        for (ClaimMapping mapping : mappings) {
            if (StringUtils.equals(mapping.getRemoteClaim().getClaimUri(), claimUri)) {
                return mapping.getLocalClaim().getClaimUri();
            }
        }
        return claimUri;
    }

    /**
     * Appends validator-granted internal scopes to the scopes held on the context.
     *
     * <p>Delegates to {@code ArrayUtils.addAll}, so a {@code null} on either side is tolerated
     * and both {@code null} yields {@code null}.
     *
     * @param oAuthTokenReqMessageContext context whose scope array is extended in place
     * @param internalScopes              scopes to append (may be {@code null} or empty)
     */
    private void addAuthorizedInternalScopes(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, String[] internalScopes) {
        String[] current = oAuthTokenReqMessageContext.getScope();
        String[] merged = (String[]) ArrayUtils.addAll(current, internalScopes);
        oAuthTokenReqMessageContext.setScope(merged);
    }

    /**
     * Appends server-allow-listed scopes back onto the scopes held on the context.
     *
     * <p>Delegates to {@code ArrayUtils.addAll}, so a {@code null} on either side is tolerated
     * and both {@code null} yields {@code null}.
     *
     * @param oAuthTokenReqMessageContext context whose scope array is extended in place
     * @param allowedScopes               scopes to append (may be {@code null} or empty)
     */
    private void addAllowedScopes(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, String[] allowedScopes) {
        String[] current = oAuthTokenReqMessageContext.getScope();
        String[] merged = (String[]) ArrayUtils.addAll(current, allowedScopes);
        oAuthTokenReqMessageContext.setScope(merged);
    }

    /**
     * Strips client-requested internal scopes from the context so they can only be granted by
     * the internal scope validators.
     *
     * <p>Removed are scopes starting with {@code Oauth2ScopeConstants.INTERNAL_SCOPE_PREFIX} or
     * {@code Oauth2ScopeConstants.CONSOLE_SCOPE_PREFIX}, and the {@code SYSTEM_SCOPE}
     * (case-insensitive). A {@code null} scope array is left untouched.
     *
     * @param oAuthTokenReqMessageContext context whose scope array is filtered in place
     */
    private void removeInternalScopes(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        String[] requested = oAuthTokenReqMessageContext.getScope();
        if (requested == null) {
            return;
        }
        String[] retained = Arrays.stream(requested)
                .filter(scope -> !scope.startsWith(Oauth2ScopeConstants.INTERNAL_SCOPE_PREFIX))
                .filter(scope -> !scope.startsWith(Oauth2ScopeConstants.CONSOLE_SCOPE_PREFIX))
                .filter(scope -> !scope.equalsIgnoreCase(Oauth2ScopeConstants.SYSTEM_SCOPE))
                .toArray(String[]::new);
        oAuthTokenReqMessageContext.setScope(retained);
    }

    /**
     * Establishes the token binding for this request according to the application's configured binding type.
     *
     * Outcomes, in order:
     * <ul>
     *   <li>No binding type configured on the app: the context's binding is cleared and nothing else happens.</li>
     *   <li>A binding type is configured but no {@link TokenBinder} is registered for it: an exception is
     *       thrown (a misconfigured binding must not silently degrade to an unbound token).</li>
     *   <li>Refresh-token grant: the method returns without touching the context's binding (the binding for
     *       a refresh flow is presumably taken from the existing token elsewhere; not shown here).</li>
     *   <li>Otherwise the binding is cleared, and if the binder supports this grant type the binder must
     *       yield a binding value; the value and its reference (via {@link OAuth2Util#getTokenBindingReference})
     *       are stored on the context. A supported grant without a binding value is an error.</li>
     * </ul>
     *
     * @param tokenReqDTO  the incoming token request, handed to the binder to extract the binding value
     * @param grantType    the grant type of the request
     * @param tokReqMsgCtx the token request context that receives the resulting {@link TokenBinding}
     * @param oAuthAppDO   the application whose token binding type drives the decision
     * @throws IdentityOAuth2Exception if no binder is registered for the configured type, or a supported
     *                                 binder cannot produce a binding value
     */
    private void handleTokenBinding(OAuth2AccessTokenReqDTO tokenReqDTO, String grantType,
                                    OAuthTokenReqMessageContext tokReqMsgCtx, OAuthAppDO oAuthAppDO)
            throws IdentityOAuth2Exception {

        String bindingType = oAuthAppDO.getTokenBindingType();
        if (StringUtils.isBlank(bindingType)) {
            tokReqMsgCtx.setTokenBinding(null);
            return;
        }
        TokenBinder binder = OAuth2ServiceComponentHolder.getInstance().getTokenBinder(bindingType)
                .orElseThrow(() -> new IdentityOAuth2Exception(
                        "Token binder for the binding type: " + bindingType + " is not registered."));

        if (RefreshTokenValidator.TOKEN_TYPE.equals(grantType)) {
            return;
        }

        tokReqMsgCtx.setTokenBinding(null);
        if (!binder.getSupportedGrantTypes().contains(grantType)) {
            return;
        }
        String bindingValue = binder.getTokenBindingValue(tokenReqDTO)
                .orElseThrow(() -> new IdentityOAuth2Exception(
                        "Token binding reference cannot be retrieved form the token binder: "
                                + binder.getBindingType()));
        String bindingReference = OAuth2Util.getTokenBindingReference(bindingValue);
        tokReqMsgCtx.setTokenBinding(new TokenBinding(binder.getBindingType(), bindingReference, bindingValue));
    }

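    /**
     * Invokes the registered OAuth event interceptor before a token is issued or renewed.
     *
     * Does nothing when no interceptor proxy is registered or the proxy is disabled. Otherwise calls
     * {@code onPreTokenRenewal} for refresh requests and {@code onPreTokenIssue} for all other grants,
     * passing a fresh, empty parameter map. Any exception raised by the listener propagates to the caller,
     * so a pre-listener can veto token issuance.
     *
     * @param tokenReqDTO      the token request being processed
     * @param tokReqMsgCtx     the token request context
     * @param isRefreshRequest {@code true} for a refresh-token grant, {@code false} for any other grant
     * @throws IdentityOAuth2Exception if the interceptor rejects the request
     */
    private void triggerPreListeners(OAuth2AccessTokenReqDTO tokenReqDTO, OAuthTokenReqMessageContext tokReqMsgCtx,
                                     boolean isRefreshRequest) throws IdentityOAuth2Exception {

        OAuthEventInterceptor interceptor = OAuthComponentServiceHolder.getInstance().getOAuthEventInterceptorProxy();
        if (interceptor == null || !interceptor.isEnabled()) {
            return;
        }
        // Typed map replaces the raw HashMap of the previous version; listeners receive an empty map.
        Map<String, Object> params = new HashMap<>();
        if (isRefreshRequest) {
            if (log.isDebugEnabled()) {
                log.debug("Triggering refresh token pre renewal listeners for client: " + tokenReqDTO.getClientId());
            }
            interceptor.onPreTokenRenewal(tokenReqDTO, tokReqMsgCtx, params);
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Triggering access token pre issuer listeners for client: " + tokenReqDTO.getClientId());
            }
            interceptor.onPreTokenIssue(tokenReqDTO, tokReqMsgCtx, params);
        }
    }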

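    /**
     * Invokes the registered OAuth event interceptor after a token has been issued or renewed.
     *
     * Does nothing when no interceptor proxy is registered or the proxy is disabled. Otherwise calls
     * {@code onPostTokenRenewal} for refresh requests and {@code onPostTokenIssue} for all other grants,
     * with a fresh, empty parameter map. Post-listeners are best-effort: an
     * {@link IdentityOAuth2Exception} from the listener is logged and swallowed so that it cannot fail a
     * token that has already been produced. The decompiled original duplicated the enabled-check in both
     * branches; it is performed once here with identical effect.
     *
     * @param tokenReqDTO      the token request that was processed
     * @param tokenRespDTO     the response produced for it
     * @param tokReqMsgCtx     the token request context
     * @param isRefreshRequest {@code true} for a refresh-token grant, {@code false} for any other grant
     */
    private void triggerPostListeners(OAuth2AccessTokenReqDTO tokenReqDTO, OAuth2AccessTokenRespDTO tokenRespDTO,
                                      OAuthTokenReqMessageContext tokReqMsgCtx, boolean isRefreshRequest) {

        OAuthEventInterceptor interceptor = OAuthComponentServiceHolder.getInstance().getOAuthEventInterceptorProxy();
        if (interceptor == null || !interceptor.isEnabled()) {
            return;
        }
        Map<String, Object> params = new HashMap<>();
        try {
            if (isRefreshRequest) {
                if (log.isDebugEnabled()) {
                    log.debug("Triggering refresh token post renewal listeners for client: "
                            + tokenReqDTO.getClientId());
                }
                interceptor.onPostTokenRenewal(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, params);
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("Triggering access token post issuer listeners for client: "
                            + tokenReqDTO.getClientId());
                }
                interceptor.onPostTokenIssue(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, params);
            }
        } catch (IdentityOAuth2Exception e) {
            // Deliberately not rethrown: the token is already issued; the listener failure is only recorded.
            // Messages are kept byte-identical to the previous per-branch handlers.
            log.error(isRefreshRequest ? "Oauth post renewal listener failed" : "Oauth post issuer listener failed.", e);
        }
    }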

    /**
     * Re-keys the authorization grant cache entry from the authorization code to the issued access token.
     *
     * The entry is looked up by the request's authorization code. If a key can be formed for it and an
     * entry exists, the entry's token id is set to the response's token id, its validity period is set to the
     * response's expiry converted from milliseconds to nanoseconds, and the entry is stored again under a key
     * derived from the access token. Nothing happens when no key id can be formed or no entry exists.
     *
     * Debug logging only prints a SHA-256 hex digest of the token-derived key id, and only when
     * {@code IdentityUtil.isTokenLoggable("AccessToken")} allows it; otherwise a fixed message is logged.
     *
     * @param tokenReqDTO  the token request, source of the authorization code
     * @param tokenRespDTO the token response, source of the access token, token id and expiry
     */
    private void addUserAttributesAgainstAccessToken(OAuth2AccessTokenReqDTO tokenReqDTO,
                                                     OAuth2AccessTokenRespDTO tokenRespDTO) {

        AuthorizationGrantCacheKey codeKey = new AuthorizationGrantCacheKey(getAuthorizationCode(tokenReqDTO));
        if (codeKey.getUserAttributesId() == null) {
            return;
        }
        AuthorizationGrantCache grantCache = AuthorizationGrantCache.getInstance();
        AuthorizationGrantCacheEntry cacheEntry = grantCache.getValueFromCacheByCode(codeKey);
        AuthorizationGrantCacheKey tokenKey = new AuthorizationGrantCacheKey(tokenRespDTO.getAccessToken());
        if (cacheEntry == null) {
            return;
        }
        cacheEntry.setTokenId(tokenRespDTO.getTokenId());
        if (log.isDebugEnabled()) {
            String message = IdentityUtil.isTokenLoggable("AccessToken")
                    ? "Adding AuthorizationGrantCache entry for the access token(hashed):"
                            + DigestUtils.sha256Hex(tokenKey.getUserAttributesId())
                    : "Adding AuthorizationGrantCache entry for the access token";
            log.debug(message);
        }
        // Cache validity is expressed in nanoseconds; the response carries milliseconds.
        long validityNanos = TimeUnit.MILLISECONDS.toNanos(tokenRespDTO.getExpiresInMillis());
        cacheEntry.setValidityPeriod(validityNanos);
        grantCache.addToCacheByToken(tokenKey, cacheEntry);
    }

    /**
     * Removes the authorization grant cache entry stored under the given authorization code.
     *
     * The removal is skipped when the key built from the code yields no user-attributes id.
     *
     * @param authorizationCode the authorization code whose cache entry is to be cleared
     */
    private void clearCacheEntryAgainstAuthorizationCode(String authorizationCode) {

        AuthorizationGrantCacheKey codeKey = new AuthorizationGrantCacheKey(authorizationCode);
        if (codeKey.getUserAttributesId() == null) {
            return;
        }
        AuthorizationGrantCache.getInstance().clearCacheEntryByCode(codeKey);
    }

    /**
     * Returns the authorization code carried by the token request.
     *
     * @param tokenReqDTO the token request
     * @return the request's authorization code, exactly as the DTO reports it (may be {@code null})
     */
    private String getAuthorizationCode(OAuth2AccessTokenReqDTO tokenReqDTO) {

        String authorizationCode = tokenReqDTO.getAuthorizationCode();
        return authorizationCode;
    }

    /**
     * Builds an error response for a failed token request.
     *
     * At debug level the error code, client id, grant type and requested scopes are logged; the error
     * message itself is not logged. The returned DTO has its error flag set and carries the code and message.
     *
     * @param errorCode    the OAuth error code to report
     * @param errorMessage the human-readable error message to report
     * @param tokenReqDTO  the request that failed, used only for the debug log
     * @return a response DTO flagged as an error with the given code and message
     */
    private OAuth2AccessTokenRespDTO handleError(String errorCode, String errorMessage,
                                                 OAuth2AccessTokenReqDTO tokenReqDTO) {

        if (log.isDebugEnabled()) {
            String scopeString = OAuth2Util.buildScopeString(tokenReqDTO.getScope());
            log.debug("OAuth-Error-Code=" + errorCode
                    + " client-id=" + tokenReqDTO.getClientId()
                    + " grant-type=" + tokenReqDTO.getGrantType()
                    + " scope=" + scopeString);
        }
        OAuth2AccessTokenRespDTO errorResponse = new OAuth2AccessTokenRespDTO();
        errorResponse.setError(true);
        errorResponse.setErrorCode(errorCode);
        errorResponse.setErrorMsg(errorMessage);
        return errorResponse;
    }

    /**
     * Attaches the given response headers to the token response.
     *
     * @param tokenRespDTO    the token response to decorate
     * @param responseHeaders the headers to set, passed through to the DTO unchanged
     */
    private void setResponseHeaders(OAuth2AccessTokenRespDTO tokenRespDTO, ResponseHeader[] responseHeaders) {

        tokenRespDTO.setResponseHeaders(responseHeaders);
    }

    /**
     * Copies every entry of the given map onto the token response as a custom error parameter.
     *
     * Entries are added in the map's iteration order. The map must be non-null; the only caller in this
     * class guards with {@code MapUtils.isNotEmpty} before calling.
     *
     * @param tokenRespDTO    the token response receiving the error parameters
     * @param errorParameters parameter name to value; each entry becomes one error parameter
     */
    private void setCustomErrorParameters(OAuth2AccessTokenRespDTO tokenRespDTO, Map<String, Object> errorParameters) {

        errorParameters.forEach(tokenRespDTO::addErrorParameter);
    }

    /**
     * Transfers response headers and custom error parameters from the request context onto the response.
     *
     * The {@code "RESPONSE_HEADERS"} context property, when present, is cast to {@code ResponseHeader[]} and
     * set on the response. The context's error parameter map, when non-empty, is copied as custom error
     * parameters.
     *
     * @param tokReqMsgCtx the token request context holding headers and error parameters
     * @param tokenRespDTO the token response to decorate
     */
    private void setResponse(OAuthTokenReqMessageContext tokReqMsgCtx, OAuth2AccessTokenRespDTO tokenRespDTO) {

        Object headersProperty = tokReqMsgCtx.getProperty("RESPONSE_HEADERS");
        if (headersProperty != null) {
            setResponseHeaders(tokenRespDTO, (ResponseHeader[]) headersProperty);
        }
        Map<String, Object> errorParameters = tokReqMsgCtx.getErrorParameterMap();
        if (MapUtils.isNotEmpty(errorParameters)) {
            setCustomErrorParameters(tokenRespDTO, errorParameters);
        }
    }

    /**
     * Loads the OAuth application for a client id and verifies it is usable.
     *
     * The application must have a non-empty state and that state must be {@code ACTIVE} (case-insensitive,
     * see {@link #isNotActiveState}); otherwise an {@link InvalidOAuthClientException} is thrown. The
     * client-supplied id is HTML-encoded in the exception message for the missing-app case because that
     * message can reach the caller; the debug log lines carry it verbatim.
     *
     * @param clientId the client_id from the token request
     * @return the application record for the client
     * @throws InvalidOAuthClientException if no app with a state exists for the id, or the app is not active
     * @throws IdentityOAuth2Exception     if the lookup itself fails
     */
    private OAuthAppDO getOAuthApplication(String clientId) throws InvalidOAuthClientException, IdentityOAuth2Exception {

        OAuthAppDO oAuthApp = OAuth2Util.getAppInformationByClientId(clientId);
        String appState = oAuthApp.getState();
        boolean debugEnabled = log.isDebugEnabled();

        if (StringUtils.isEmpty(appState)) {
            if (debugEnabled) {
                log.debug("A valid OAuth client could not be found for client_id: " + clientId);
            }
            throw new InvalidOAuthClientException(
                    "A valid OAuth client could not be found for client_id: " + Encode.forHtml(clientId));
        }
        if (isNotActiveState(appState)) {
            if (debugEnabled) {
                log.debug("App is not in active state in client ID: " + clientId + ". App state is:" + appState);
            }
            throw new InvalidOAuthClientException("Oauth application is not in active state");
        }
        if (debugEnabled) {
            log.debug("Oauth App validation success for consumer key: " + clientId);
        }
        return oAuthApp;
    }

    /**
     * Tells whether an application state is anything other than {@code ACTIVE}.
     *
     * The comparison ignores case, so {@code "active"} counts as active. A {@code null} state is not active.
     *
     * @param state the application state string, possibly {@code null}
     * @return {@code true} unless {@code state} equals {@code "ACTIVE"} ignoring case
     */
    private static boolean isNotActiveState(String state) {

        boolean active = "ACTIVE".equalsIgnoreCase(state);
        return !active;
    }
}
