package org.wso2.carbon.identity.openidconnect;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticationMethodNameTranslator;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IDTokenValidationFailureException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeRespDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.AccessTokenExtendedAttributes;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.RefreshTokenValidator;
import org.wso2.carbon.identity.openidconnect.internal.OpenIDConnectServiceComponentHolder;
import org.wso2.carbon.identity.openidconnect.model.Constants;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.class */
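/**
 * Default {@link IDTokenBuilder}.
 *
 * <p>Assembles the OpenID Connect ID token claim set for the token endpoint and for the
 * authorization endpoint, hands it to the configured custom-claims callback handler, and then
 * returns it in one of three forms:
 * <ul>
 *   <li>an unsigned {@link PlainJWT} when the server-wide ID token signature algorithm is
 *       {@code none} (see {@link #isUnsignedIDToken()});</li>
 *   <li>a signed JWT, using the application's own signature algorithm when one is configured,
 *       otherwise the server-wide default;</li>
 *   <li>a signed-then-encrypted JWT when ID token encryption is enabled for the application
 *       (see {@link #getIDToken}).</li>
 * </ul>
 *
 * <p>Not thread-safe: {@code encryptionAlgorithm} and {@code encryptionMethod} are instance
 * fields written per request by {@link #setupEncryptionAlgorithms}.
 */
public class DefaultIDTokenBuilder implements IDTokenBuilder {

    private static final String AUTHORIZATION_CODE = "AuthorizationCode";
    private static final String INBOUND_AUTH2_TYPE = "oauth2";
    private static final Log log = LogFactory.getLog(DefaultIDTokenBuilder.class);

    // Server-wide default; an application may override it via its own id-token signature algorithm
    // (applied inside buildIDToken), but isUnsignedIDToken()/buildDebugMessage() consult this field only.
    private JWSAlgorithm signatureAlgorithm = OAuth2Util.mapSignatureAlgorithmForJWSAlgorithm(
            OAuthServerConfiguration.getInstance().getIdTokenSignatureAlgorithm());
    // Populated per request by setupEncryptionAlgorithms() immediately before encryption.
    private JWEAlgorithm encryptionAlgorithm;
    private EncryptionMethod encryptionMethod;

    /**
     * Resolves the JWE algorithm and encryption method configured for the application and
     * stores them on this instance for the encryption call that follows.
     *
     * @param oAuthAppDO application whose ID token encryption settings are read
     * @param clientId   client identifier, used only for the debug log line
     * @throws IdentityOAuth2Exception if either configured value cannot be mapped
     */
    private void setupEncryptionAlgorithms(OAuthAppDO oAuthAppDO, String clientId) throws IdentityOAuth2Exception {

        this.encryptionAlgorithm =
                OAuth2Util.mapEncryptionAlgorithmForJWEAlgorithm(oAuthAppDO.getIdTokenEncryptionAlgorithm());
        this.encryptionMethod =
                OAuth2Util.mapEncryptionMethodForJWEAlgorithm(oAuthAppDO.getIdTokenEncryptionMethod());
        if (log.isDebugEnabled()) {
            log.debug("Id token encryption is enabled using encryption algorithm: " + this.encryptionAlgorithm
                    + " and encryption method: " + this.encryptionMethod + ", for client: " + clientId);
        }
    }

    /**
     * Builds the ID token issued from the token endpoint.
     *
     * <p>For the authorization-code grant, nonce, acr, auth_time, amr and the IdP session key are
     * taken from the authorization grant cache entry of the code. For other grants, amr comes from
     * the token request, auth_time is looked up by access token for the refresh grant only, and the
     * session key is looked up by access token for every grant except {@code password}.
     *
     * @param oAuthTokenReqMessageContext token request context; receives the {@code accessToken} and
     *                                    {@code tenantDomain} properties as a side effect
     * @param oAuth2AccessTokenRespDTO    token response carrying the issued access token
     * @return the serialized ID token (plain, signed or encrypted)
     * @throws IdentityOAuth2Exception if the application cannot be loaded, a required session key is
     *                                 missing, signing/encryption fails, or the built claim set lacks a
     *                                 required claim ({@link IDTokenValidationFailureException})
     */
    @Override
    public String buildIDToken(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                               OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO) throws IdentityOAuth2Exception {

        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        String spTenantDomain = getSpTenantDomain(oAuthTokenReqMessageContext);
        boolean mtlsRequest = OAuth2Util.isMtlsRequest(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO()
                .getHttpServletRequestWrapper().getRequestURL().toString());
        String idTokenIssuer = OAuth2Util.getIdTokenIssuer(spTenantDomain, clientId, mtlsRequest);
        String accessToken = oAuth2AccessTokenRespDTO.getAccessToken();
        JWSAlgorithm signingAlgorithm = this.signatureAlgorithm;
        try {
            OAuthAppDO oAuthAppDO = OAuth2Util.getAppInformationByClientId(clientId);
            if (StringUtils.isNotEmpty(oAuthAppDO.getIdTokenSignatureAlgorithm())) {
                // Per-application override of the server-wide signature algorithm.
                signingAlgorithm = OAuth2Util.mapSignatureAlgorithmForJWSAlgorithm(
                        oAuthAppDO.getIdTokenSignatureAlgorithm());
            }
            long idTokenLifetimeInMillis = getIDTokenExpiryInMillis(oAuthAppDO);
            long currentTimeInMillis = Calendar.getInstance().getTimeInMillis();
            AuthenticatedUser authorizedUser = oAuthTokenReqMessageContext.getAuthorizedUser();
            String subjectClaim = OIDCClaimUtil.getSubjectClaim(
                    getSubjectClaim(oAuthTokenReqMessageContext, oAuth2AccessTokenRespDTO, clientId, spTenantDomain,
                            authorizedUser),
                    oAuthAppDO);

            String nonceValue = null;
            String idpSessionKey = null;
            String acrValue = null;
            long authTimeInMillis = 0L;
            List<String> amrValues = Collections.emptyList();

            String authorizationCode = getAuthorizationCode(oAuthTokenReqMessageContext);
            if (authorizationCode != null) {
                AuthorizationGrantCacheEntry cacheEntry = getAuthorizationGrantCacheEntryFromCode(authorizationCode);
                if (cacheEntry != null) {
                    nonceValue = cacheEntry.getNonceValue();
                    acrValue = cacheEntry.getSelectedAcrValue();
                    if (isAuthTimeRequired(cacheEntry)) {
                        authTimeInMillis = cacheEntry.getAuthTime();
                    }
                    amrValues = cacheEntry.getAmrList();
                    // Throws when the cache entry carries no session identifier.
                    idpSessionKey = getIdpSessionKey(cacheEntry);
                }
            } else {
                String grantType = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getGrantType();
                amrValues = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO()
                        .getAuthenticationMethodReferences();
                if (RefreshTokenValidator.TOKEN_TYPE.equalsIgnoreCase(grantType)) {
                    AuthorizationGrantCacheEntry cacheEntry = getAuthorizationGrantCacheEntryFromToken(accessToken);
                    if (cacheEntry != null && isAuthTimeRequired(cacheEntry)) {
                        authTimeInMillis = cacheEntry.getAuthTime();
                    }
                }
                if (!"password".equalsIgnoreCase(grantType)) {
                    // Best-effort lookup: yields null (and no 'isk' claim) when nothing is cached.
                    idpSessionKey = getIdpSessionKey(accessToken);
                }
            }

            if (log.isDebugEnabled()) {
                log.debug(buildDebugMessage(idTokenIssuer, subjectClaim, nonceValue, idTokenLifetimeInMillis,
                        currentTimeInMillis));
            }

            JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
            builder.jwtID(UUID.randomUUID().toString());
            builder.issuer(idTokenIssuer);
            builder.audience(OAuth2Util.getOIDCAudience(clientId, oAuthAppDO));
            builder.claim("azp", clientId);
            builder.expirationTime(getIdTokenExpiryInMillis(idTokenLifetimeInMillis, currentTimeInMillis));
            builder.issueTime(new Date(currentTimeInMillis));
            builder.notBeforeTime(new Date(currentTimeInMillis));
            addOptionalClaims(builder, authTimeInMillis, nonceValue, acrValue, amrValues, idpSessionKey);

            AccessTokenExtendedAttributes extendedAttributes =
                    oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getAccessTokenExtendedAttributes();
            if (extendedAttributes != null && extendedAttributes.getParameters() != null) {
                // NOTE(review): parameters are copied verbatim, so a key equal to a claim already set above
                // (exp, iat, nbf, azp, nonce, ...) overwrites it; confirm these parameters originate from a
                // trusted, server-side source and are not attacker-controlled.
                for (Map.Entry<String, String> parameter : extendedAttributes.getParameters().entrySet()) {
                    builder.claim(parameter.getKey(), parameter.getValue());
                }
            }

            setUserRealm(authorizedUser, builder);
            setAdditionalClaims(oAuthTokenReqMessageContext, oAuth2AccessTokenRespDTO, builder);
            // getSigningTenantDomain() below reads the 'tenantDomain' property set here.
            oAuthTokenReqMessageContext.addProperty("accessToken", accessToken);
            oAuthTokenReqMessageContext.addProperty("tenantDomain", spTenantDomain);
            if (oAuth2AccessTokenRespDTO.getIsConsentedToken()) {
                oAuthTokenReqMessageContext.setConsentedToken(oAuth2AccessTokenRespDTO.getIsConsentedToken());
            }
            builder.subject(subjectClaim);

            JWTClaimsSet claimsSet = handleOIDCCustomClaims(oAuthTokenReqMessageContext, builder);
            if (isInvalidToken(claimsSet)) {
                throw new IDTokenValidationFailureException("Error while validating ID Token token for required claims");
            }
            if (isUnsignedIDToken()) {
                return new PlainJWT(claimsSet).serialize();
            }
            return getIDToken(clientId, spTenantDomain, claimsSet, oAuthAppDO,
                    getSigningTenantDomain(oAuthTokenReqMessageContext), signingAlgorithm);
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception(
                    "Error occurred while getting app information for client_id: " + clientId, e);
        }
    }

    /**
     * Builds the ID token issued from the authorization endpoint (implicit / hybrid flows).
     *
     * <p>Nonce, acr, auth_time, amr and the IdP session key come from the authorization request DTO.
     * Unlike the token-endpoint variant, no {@code nbf} claim is set and the required-claim check
     * ({@link #isInvalidToken}) is not applied here.
     *
     * @param oAuthAuthzReqMessageContext authorization request context; receives the {@code tenantDomain}
     *                                    property and, when an access token was issued, {@code accessToken}
     * @param oAuth2AuthorizeRespDTO      authorization response (may carry an access token)
     * @return the serialized ID token (plain, signed or encrypted)
     * @throws IdentityOAuth2Exception if the application cannot be loaded, the IdP session identifier is
     *                                 missing, or signing/encryption fails
     */
    @Override
    public String buildIDToken(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext,
                               OAuth2AuthorizeRespDTO oAuth2AuthorizeRespDTO) throws IdentityOAuth2Exception {

        OAuth2AuthorizeReqDTO authzReqDTO = oAuthAuthzReqMessageContext.getAuthorizationReqDTO();
        String accessToken = oAuth2AuthorizeRespDTO.getAccessToken();
        String consumerKey = authzReqDTO.getConsumerKey();
        String spTenantDomain = getSpTenantDomain(oAuthAuthzReqMessageContext);
        Object mtlsProperty = oAuthAuthzReqMessageContext.getProperty("isMtlsRequest");
        boolean mtlsRequest = mtlsProperty != null && Boolean.parseBoolean(mtlsProperty.toString());
        String idTokenIssuer = OAuth2Util.getIdTokenIssuer(spTenantDomain, mtlsRequest);
        JWSAlgorithm signingAlgorithm = this.signatureAlgorithm;
        try {
            OAuthAppDO oAuthAppDO = OAuth2Util.getAppInformationByClientId(consumerKey);
            if (StringUtils.isNotEmpty(oAuthAppDO.getIdTokenSignatureAlgorithm())) {
                // Per-application override of the server-wide signature algorithm.
                signingAlgorithm = OAuth2Util.mapSignatureAlgorithmForJWSAlgorithm(
                        oAuthAppDO.getIdTokenSignatureAlgorithm());
            }
            AuthenticatedUser user = authzReqDTO.getUser();
            String subjectClaim = OIDCClaimUtil.getSubjectClaim(
                    getSubjectClaim(oAuthAuthzReqMessageContext, oAuth2AuthorizeRespDTO, consumerKey, spTenantDomain,
                            user),
                    oAuthAppDO);
            String nonceValue = authzReqDTO.getNonce();
            String acrValue = authzReqDTO.getSelectedAcr();
            // Throws when the request carries no IdP session identifier.
            String idpSessionKey = getIdpSessionKey(oAuthAuthzReqMessageContext);
            List<String> amrValues = Collections.emptyList();
            String[] requestedAmr = (String[]) authzReqDTO.getProperty("amr");
            if (ArrayUtils.isNotEmpty(requestedAmr)) {
                amrValues = Arrays.asList(requestedAmr);
            }
            long idTokenLifetimeInMillis = getIDTokenExpiryInMillis(oAuthAppDO);
            long currentTimeInMillis = Calendar.getInstance().getTimeInMillis();

            if (log.isDebugEnabled()) {
                log.debug(buildDebugMessage(idTokenIssuer, subjectClaim, nonceValue, idTokenLifetimeInMillis,
                        currentTimeInMillis));
            }

            JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
            builder.jwtID(UUID.randomUUID().toString());
            builder.issuer(idTokenIssuer);
            builder.audience(OAuth2Util.getOIDCAudience(consumerKey, oAuthAppDO));
            builder.claim("azp", consumerKey);
            builder.expirationTime(getIdTokenExpiryInMillis(idTokenLifetimeInMillis, currentTimeInMillis));
            builder.issueTime(new Date(currentTimeInMillis));
            addOptionalClaims(builder, getAuthTime(oAuthAuthzReqMessageContext), nonceValue, acrValue, amrValues,
                    idpSessionKey);

            setUserRealm(user, builder);
            setAdditionalClaims(oAuthAuthzReqMessageContext, oAuth2AuthorizeRespDTO, builder);
            if (StringUtils.isNotBlank(accessToken)) {
                oAuthAuthzReqMessageContext.addProperty("accessToken", accessToken);
            }
            // getSigningTenantDomain() below reads the 'tenantDomain' property set here.
            oAuthAuthzReqMessageContext.addProperty("tenantDomain", spTenantDomain);
            builder.subject(subjectClaim);

            JWTClaimsSet claimsSet = handleCustomOIDCClaims(oAuthAuthzReqMessageContext, builder);
            // NOTE(review): the token-endpoint variant rejects a claim set missing iss/sub/aud/exp/iat via
            // isInvalidToken(); this path does not — confirm whether that asymmetry is intended.
            if (isUnsignedIDToken()) {
                return new PlainJWT(claimsSet).serialize();
            }
            return getIDToken(consumerKey, spTenantDomain, claimsSet, oAuthAppDO,
                    getSigningTenantDomain(oAuthAuthzReqMessageContext), signingAlgorithm);
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception(
                    "Error occurred while getting app information for client_id: " + consumerKey, e);
        }
    }

    /**
     * Adds the optional claims shared by both endpoints, each only when a value is present.
     * Emission order is auth_time, nonce, acr, amr, isk.
     *
     * @param builder          claim set under construction
     * @param authTimeInMillis authentication time; {@code 0} means "not required / unknown" and is skipped
     * @param nonceValue       nonce from the authorization request, or null
     * @param acrValue         selected authentication context class reference, or null/empty
     * @param amrValues        internal authentication method references to translate, or null
     * @param idpSessionKey    IdP session identifier for the {@code isk} claim, or null
     */
    private void addOptionalClaims(JWTClaimsSet.Builder builder, long authTimeInMillis, String nonceValue,
                                   String acrValue, List<String> amrValues, String idpSessionKey) {

        if (authTimeInMillis != 0) {
            // auth_time is emitted in seconds; the stored value is divided by 1000 here.
            builder.claim(Constants.AUTH_TIME, Long.valueOf(authTimeInMillis / 1000));
        }
        if (nonceValue != null) {
            builder.claim("nonce", nonceValue);
        }
        if (StringUtils.isNotEmpty(acrValue)) {
            builder.claim("acr", acrValue);
        }
        if (amrValues != null) {
            builder.claim("amr", translateAmrToResponse(amrValues));
        }
        if (idpSessionKey != null) {
            builder.claim("isk", idpSessionKey);
        }
    }

    /**
     * Signs the claim set and, when the application has ID token encryption enabled, encrypts the
     * result. Before encrypting, verifies that the application exposes a JWKS URI or an X.509
     * certificate so that a key is available.
     *
     * @param clientId            application client identifier
     * @param tenantDomain        service provider tenant domain
     * @param claimsSet           claims to protect
     * @param oAuthAppDO          application configuration (encryption flag and algorithms)
     * @param signingTenantDomain tenant whose key signs the token
     * @param signingAlgorithm    JWS algorithm to sign with
     * @return serialized signed (and possibly encrypted) JWT
     * @throws IdentityOAuth2Exception if no public key source is configured or signing/encryption fails
     */
    private String getIDToken(String clientId, String tenantDomain, JWTClaimsSet claimsSet, OAuthAppDO oAuthAppDO,
                              String signingTenantDomain, JWSAlgorithm signingAlgorithm)
            throws IdentityOAuth2Exception {

        if (!oAuthAppDO.isIdTokenEncryptionEnabled()) {
            return OAuth2Util.signJWT(claimsSet, signingAlgorithm, signingTenantDomain).serialize();
        }
        checkIfPublicCertConfiguredForEncryption(clientId, tenantDomain);
        setupEncryptionAlgorithms(oAuthAppDO, clientId);
        return OAuth2Util.encryptJWT(claimsSet, signingAlgorithm, signingTenantDomain, this.encryptionAlgorithm,
                this.encryptionMethod, tenantDomain, clientId).serialize();
    }

    /**
     * Extension point for the token-endpoint subject: returns the authenticated subject identifier.
     * Subclasses may override to derive the subject differently.
     */
    protected String getSubjectClaim(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                     OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO, String str, String str2,
                                     AuthenticatedUser authenticatedUser) throws IdentityOAuth2Exception {

        return authenticatedUser.getAuthenticatedSubjectIdentifier();
    }

    /**
     * Extension point for the authorization-endpoint subject: returns the authenticated subject
     * identifier. Subclasses may override to derive the subject differently.
     */
    protected String getSubjectClaim(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext,
                                     OAuth2AuthorizeRespDTO oAuth2AuthorizeRespDTO, String str, String str2,
                                     AuthenticatedUser authenticatedUser) throws IdentityOAuth2Exception {

        return authenticatedUser.getAuthenticatedSubjectIdentifier();
    }

    /** Formats the debug summary logged before the claim set is built (times are printed in seconds). */
    private String buildDebugMessage(String issuer, String subject, String nonce, long lifetimeInMillis,
                                     long currentTimeInMillis) {

        return "Using issuer " + issuer
                + "\nSubject " + subject
                + "\nID Token life time " + (lifetimeInMillis / 1000)
                + "\nCurrent time " + (currentTimeInMillis / 1000)
                + "\nNonce Value " + nonce
                + "\nSignature Algorithm " + this.signatureAlgorithm + "\n";
    }

    /** Negation of {@link #isValidIdToken}. */
    private boolean isInvalidToken(JWTClaimsSet claimsSet) {

        return !isValidIdToken(claimsSet);
    }

    /** True if the grant's essential-claims request lists {@code claimName} for the ID token. */
    private boolean isEssentialClaim(AuthorizationGrantCacheEntry cacheEntry, String claimName) {

        return isEssentialClaim(cacheEntry.getEssentialClaims(), claimName);
    }

    /**
     * True if {@code essentialClaims} (the raw essential-claims request string) names
     * {@code claimName} among the ID token's essential claims.
     */
    private boolean isEssentialClaim(String essentialClaims, String claimName) {

        return StringUtils.isNotBlank(essentialClaims)
                && OAuth2Util.getEssentialClaims(essentialClaims, OIDCConstants.ID_TOKEN).contains(claimName);
    }

    /** True if the original authorization request carried a non-zero {@code max_age}. */
    private boolean isMaxAgePresentInAuthzRequest(AuthorizationGrantCacheEntry cacheEntry) {

        return cacheEntry.getMaxAge() != 0;
    }

    /**
     * True if the server-wide signature algorithm is {@code none}, in which case the ID token is
     * returned as an unsigned {@link PlainJWT}.
     *
     * <p>NOTE(review): this consults the server-wide default only; the per-application override
     * applied in {@code buildIDToken} is not considered here — confirm that is intended.
     */
    private boolean isUnsignedIDToken() {

        return JWSAlgorithm.NONE.getName().equals(this.signatureAlgorithm.getName());
    }

    /** Authorization code stashed on the token request context, or null for other grants. */
    private String getAuthorizationCode(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {

        return (String) oAuthTokenReqMessageContext.getProperty(AUTHORIZATION_CODE);
    }

    /** Service provider tenant domain of the token request. */
    private String getSpTenantDomain(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {

        return oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
    }

    /** Delegates to the configured custom-claims callback handler and returns the finished claim set. */
    private JWTClaimsSet handleOIDCCustomClaims(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                                JWTClaimsSet.Builder builder) throws IdentityOAuth2Exception {

        return OAuthServerConfiguration.getInstance().getOpenIDConnectCustomClaimsCallbackHandler()
                .handleCustomClaims(builder, oAuthTokenReqMessageContext);
    }

    /**
     * Tenant whose key signs the token: the service provider tenant (from the {@code tenantDomain}
     * context property) when signing with the SP key is enabled, otherwise the user's tenant.
     */
    private String getSigningTenantDomain(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {

        if (OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey()) {
            return (String) oAuthTokenReqMessageContext.getProperty("tenantDomain");
        }
        return oAuthTokenReqMessageContext.getAuthorizedUser().getTenantDomain();
    }

    /** Authentication time from the authorization request when required, else {@code 0}. */
    private long getAuthTime(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {

        OAuth2AuthorizeReqDTO authzReqDTO = oAuthAuthzReqMessageContext.getAuthorizationReqDTO();
        return isAuthTimeRequired(authzReqDTO) ? authzReqDTO.getAuthTime() : 0L;
    }

    /** auth_time is required when max_age was requested or auth_time is an essential claim. */
    private boolean isAuthTimeRequired(AuthorizationGrantCacheEntry cacheEntry) {

        return isMaxAgePresentInAuthzRequest(cacheEntry) || isEssentialClaim(cacheEntry, Constants.AUTH_TIME);
    }

    /** auth_time is required when max_age was requested or auth_time is an essential claim. */
    private boolean isAuthTimeRequired(OAuth2AuthorizeReqDTO oAuth2AuthorizeReqDTO) {

        return oAuth2AuthorizeReqDTO.getMaxAge() != 0
                || isEssentialClaim(oAuth2AuthorizeReqDTO.getEssentialClaims(), Constants.AUTH_TIME);
    }

    /** Absolute expiry instant: issue time plus lifetime, both in milliseconds. */
    private Date getIdTokenExpiryInMillis(long lifetimeInMillis, long currentTimeInMillis) {

        return new Date(lifetimeInMillis + currentTimeInMillis);
    }

    /** Delegates to the configured custom-claims callback handler and returns the finished claim set. */
    private JWTClaimsSet handleCustomOIDCClaims(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext,
                                                JWTClaimsSet.Builder builder) throws IdentityOAuth2Exception {

        return OAuthServerConfiguration.getInstance().getOpenIDConnectCustomClaimsCallbackHandler()
                .handleCustomClaims(builder, oAuthAuthzReqMessageContext);
    }

    /** Service provider tenant domain of the authorization request. */
    private String getSpTenantDomain(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {

        return oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getTenantDomain();
    }

    /**
     * Tenant whose key signs the token: the service provider tenant (from the {@code tenantDomain}
     * context property) when signing with the SP key is enabled, otherwise the user's tenant.
     */
    private String getSigningTenantDomain(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {

        if (OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey()) {
            return (String) oAuthAuthzReqMessageContext.getProperty("tenantDomain");
        }
        return oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser().getTenantDomain();
    }

    /**
     * @deprecated signing is performed by {@code OAuth2Util.signJWT} from {@link #getIDToken}; this
     * helper always uses the server-wide algorithm and ignores per-application overrides.
     */
    @Deprecated
    protected String signJWTWithRSA(JWTClaimsSet jWTClaimsSet, OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {

        return OAuth2Util.signJWTWithRSA(jWTClaimsSet, this.signatureAlgorithm,
                getSigningTenantDomain(oAuthTokenReqMessageContext)).serialize();
    }

    /**
     * @deprecated signing is performed by {@code OAuth2Util.signJWT} from {@link #getIDToken}; this
     * helper always uses the server-wide algorithm and ignores per-application overrides.
     */
    @Deprecated
    protected String signJWTWithRSA(JWTClaimsSet jWTClaimsSet, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext)
            throws IdentityOAuth2Exception {

        return OAuth2Util.signJWTWithRSA(jWTClaimsSet, this.signatureAlgorithm,
                getSigningTenantDomain(oAuthAuthzReqMessageContext)).serialize();
    }

    /** Grant cache entry keyed by authorization code, or null when absent. */
    private AuthorizationGrantCacheEntry getAuthorizationGrantCacheEntryFromCode(String authorizationCode) {

        return AuthorizationGrantCache.getInstance().getValueFromCacheByCode(
                new AuthorizationGrantCacheKey(authorizationCode));
    }

    /** Grant cache entry keyed by access token, or null when absent. */
    private AuthorizationGrantCacheEntry getAuthorizationGrantCacheEntryFromToken(String accessToken) {

        return AuthorizationGrantCache.getInstance().getValueFromCacheByToken(
                new AuthorizationGrantCacheKey(accessToken));
    }

    /**
     * @deprecated use {@code OAuth2Util.signJWT}. Only RSA algorithms are handled; any other
     * algorithm (HMAC included) yields {@code null}, as it always has.
     */
    @Deprecated
    protected String signJWT(JWTClaimsSet jWTClaimsSet, OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {

        if (isRSA(this.signatureAlgorithm)) {
            return signJWTWithRSA(jWTClaimsSet, oAuthTokenReqMessageContext);
        }
        return null;
    }

    /** True for RS256/RS384/RS512. */
    private boolean isRSA(JWSAlgorithm jWSAlgorithm) {

        return JWSAlgorithm.RS256.equals(jWSAlgorithm)
                || JWSAlgorithm.RS384.equals(jWSAlgorithm)
                || JWSAlgorithm.RS512.equals(jWSAlgorithm);
    }

    /**
     * @deprecated use {@code OAuth2Util.signJWT}. Only RSA algorithms are handled; any other
     * algorithm (HMAC included) yields {@code null}, as it always has.
     */
    @Deprecated
    protected String signJWT(JWTClaimsSet jWTClaimsSet, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext)
            throws IdentityOAuth2Exception {

        if (isRSA(this.signatureAlgorithm)) {
            return signJWTWithRSA(jWTClaimsSet, oAuthAuthzReqMessageContext);
        }
        return null;
    }

    /** @deprecated use {@code OAuth2Util.mapSignatureAlgorithmForJWSAlgorithm}. */
    @Deprecated
    protected JWSAlgorithm mapSignatureAlgorithm(String str) throws IdentityOAuth2Exception {

        return OAuth2Util.mapSignatureAlgorithmForJWSAlgorithm(str);
    }

    /** @deprecated use {@code OAuth2Util.mapDigestAlgorithm}. */
    @Deprecated
    protected String mapDigestAlgorithm(Algorithm algorithm) throws IdentityOAuth2Exception {

        return OAuth2Util.mapDigestAlgorithm(algorithm);
    }

    /**
     * Checks that the claim set carries the claims an OIDC ID token must have: issuer, subject,
     * audience, expiration time and issue time. Logs the first missing claim at debug level.
     *
     * @return true if all required claims are present
     */
    private boolean isValidIdToken(JWTClaimsSet claimsSet) {

        if (StringUtils.isBlank(claimsSet.getIssuer())) {
            return rejectMissingClaim("issuer");
        }
        if (StringUtils.isBlank(claimsSet.getSubject())) {
            return rejectMissingClaim("subject");
        }
        if (claimsSet.getAudience() == null) {
            // NOTE(review): if the JWT library returns an empty list rather than null for an absent 'aud',
            // this check never fires and an emptiness check would be needed — confirm against the library version.
            return rejectMissingClaim("audience");
        }
        if (claimsSet.getExpirationTime() == null) {
            return rejectMissingClaim("expiration time");
        }
        if (claimsSet.getIssueTime() == null) {
            return rejectMissingClaim("issued time");
        }
        return true;
    }

    /** Logs the missing required claim at debug level and returns {@code false}. */
    private boolean rejectMissingClaim(String claimDescription) {

        if (log.isDebugEnabled()) {
            log.debug("ID token does not have required " + claimDescription + " claim");
        }
        return false;
    }

    /** Configured ID token lifetime converted from seconds to milliseconds. */
    private long getIDTokenExpiryInMillis(OAuthAppDO oAuthAppDO) {

        // Long multiplier so the product is computed in 64 bits even if the configured value is an int.
        return oAuthAppDO.getIdTokenExpiryTime() * 1000L;
    }

    /** Merges the claims contributed by every registered {@link ClaimProvider} for the token endpoint. */
    private void setAdditionalClaims(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                     OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO, JWTClaimsSet.Builder builder)
            throws IdentityOAuth2Exception {

        List<ClaimProvider> claimProviders = getClaimProviders();
        if (CollectionUtils.isNotEmpty(claimProviders)) {
            for (ClaimProvider claimProvider : claimProviders) {
                setAdditionalClaimSet(builder,
                        claimProvider.getAdditionalClaims(oAuthTokenReqMessageContext, oAuth2AccessTokenRespDTO));
            }
        }
    }

    /** Merges the claims contributed by every registered {@link ClaimProvider} for the authorization endpoint. */
    private void setAdditionalClaims(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext,
                                     OAuth2AuthorizeRespDTO oAuth2AuthorizeRespDTO, JWTClaimsSet.Builder builder)
            throws IdentityOAuth2Exception {

        List<ClaimProvider> claimProviders = getClaimProviders();
        if (CollectionUtils.isNotEmpty(claimProviders)) {
            for (ClaimProvider claimProvider : claimProviders) {
                setAdditionalClaimSet(builder,
                        claimProvider.getAdditionalClaims(oAuthAuthzReqMessageContext, oAuth2AuthorizeRespDTO));
            }
        }
    }

    /** Claim providers registered with the OpenID Connect service component. */
    private List<ClaimProvider> getClaimProviders() {

        return OpenIDConnectServiceComponentHolder.getInstance().getClaimProviders();
    }

    /**
     * Copies every entry of {@code additionalClaims} into the builder (later entries with the same
     * key overwrite earlier claims).
     *
     * <p>NOTE(review): the debug line prints claim values; claim providers may contribute
     * personal data, so debug logging here is not free of disclosure concerns.
     */
    private void setAdditionalClaimSet(JWTClaimsSet.Builder builder, Map<String, Object> additionalClaims) {

        if (MapUtils.isEmpty(additionalClaims)) {
            return;
        }
        boolean debug = log.isDebugEnabled();
        for (Map.Entry<String, Object> claim : additionalClaims.entrySet()) {
            builder.claim(claim.getKey(), claim.getValue());
            if (debug) {
                log.debug("Additional claim added to JWTClaimSet, key: " + claim.getKey()
                        + ", value: " + claim.getValue());
            }
        }
    }

    /**
     * Translates internal authentication method references to their external AMR values,
     * de-duplicated while keeping first-seen order.
     *
     * @param internalAmrs internal method references (must not be null)
     * @return external AMR values; empty when nothing translates
     */
    private List<String> translateAmrToResponse(List<String> internalAmrs) {

        Set<String> externalAmrs = new LinkedHashSet<>();
        for (String internalAmr : internalAmrs) {
            externalAmrs.addAll(translateToResponse(internalAmr));
        }
        return new ArrayList<>(externalAmrs);
    }

    /**
     * Translates one internal method reference through the registered
     * {@link AuthenticationMethodNameTranslator}.
     *
     * @return the external values; the internal value itself when no mapping exists; an empty list
     *         when no translator is registered or the mapping contains a NUL-character entry (the
     *         caller then omits the reference from the response)
     */
    private List<String> translateToResponse(String internalAmr) {

        AuthenticationMethodNameTranslator translator =
                OAuth2ServiceComponentHolder.getAuthenticationMethodNameTranslator();
        if (translator == null) {
            return Collections.emptyList();
        }
        Set<String> externalAmrs = translator.translateToExternalAmr(internalAmr, INBOUND_AUTH2_TYPE);
        if (externalAmrs == null || externalAmrs.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("There was no mapping found to translate AMR from internal to external URI. "
                        + "Internal Method Reference : " + internalAmr);
            }
            List<String> passthrough = new ArrayList<>();
            passthrough.add(internalAmr);
            return passthrough;
        }
        if (externalAmrs.contains(String.valueOf((char) 0))) {
            return Collections.emptyList();
        }
        return new ArrayList<>(externalAmrs);
    }

    /**
     * Adds the {@code realm} claim ({@code tenant} / {@code userstore}) when the corresponding
     * server options are enabled and the user carries those values; omits the claim entirely otherwise.
     */
    private void setUserRealm(AuthenticatedUser authenticatedUser, JWTClaimsSet.Builder builder) {

        String tenantDomain = authenticatedUser.getTenantDomain();
        String userStoreDomain = authenticatedUser.getUserStoreDomain();
        OAuthServerConfiguration serverConfig = OAuthServerConfiguration.getInstance();
        Map<String, String> realm = new HashMap<>();
        if (serverConfig.isAddTenantDomainToIdTokenEnabled() && StringUtils.isNotBlank(tenantDomain)) {
            realm.put("tenant", tenantDomain);
        }
        if (serverConfig.isAddUserstoreDomainToIdTokenEnabled() && StringUtils.isNotBlank(userStoreDomain)) {
            realm.put("userstore", userStoreDomain);
        }
        if (!realm.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("Setting authorized user tenant domain : " + tenantDomain + " and userstore domain : "
                        + userStoreDomain + " to the 'realm' claim of id_token for the user : "
                        + authenticatedUser.getLoggableUserId());
            }
            builder.claim("realm", realm);
        }
    }

    /**
     * Session context identifier from the grant cache entry (authorization-code grant).
     *
     * @throws IdentityOAuth2Exception if the entry carries none — the identifier is mandatory here
     */
    private String getIdpSessionKey(AuthorizationGrantCacheEntry cacheEntry) throws IdentityOAuth2Exception {

        String sessionContextIdentifier = cacheEntry.getSessionContextIdentifier();
        if (sessionContextIdentifier == null) {
            throw new IdentityOAuth2Exception("Session context identifier not available in the Authorization Grant "
                    + "cache. Session identifier is a required claim to be included in the id_token when the "
                    + "Session Extender endpoint is enabled.");
        }
        return sessionContextIdentifier;
    }

    /**
     * IdP session identifier from the authorization request (authorization endpoint).
     *
     * @throws IdentityOAuth2Exception if the request carries none — the identifier is mandatory here
     */
    private String getIdpSessionKey(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext)
            throws IdentityOAuth2Exception {

        String idpSessionIdentifier = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getIdpSessionIdentifier();
        if (idpSessionIdentifier == null) {
            throw new IdentityOAuth2Exception("Session context identifier not available in the Authorization "
                    + "Request Message context. Session identifier is a required claim to be included in the "
                    + "id_token when the Session Extender endpoint is enabled.");
        }
        return idpSessionIdentifier;
    }

    /**
     * Best-effort session context identifier looked up by access token; unlike the other overloads
     * this returns {@code null} (with a debug log) instead of throwing when nothing is cached.
     */
    private String getIdpSessionKey(String accessToken) {

        String sessionContextIdentifier = null;
        AuthorizationGrantCacheEntry cacheEntry = getAuthorizationGrantCacheEntryFromToken(accessToken);
        if (cacheEntry != null) {
            sessionContextIdentifier = cacheEntry.getSessionContextIdentifier();
        }
        if (sessionContextIdentifier == null && log.isDebugEnabled()) {
            log.debug("Session context identifier not available when retrieving using the access token.");
        }
        return sessionContextIdentifier;
    }

    /**
     * Ensures a public key source exists before encrypting: a JWKS URI, or failing that an X.509
     * certificate of the application. Any failure while resolving them is rethrown with context.
     *
     * @param clientId     application client identifier
     * @param tenantDomain service provider tenant domain
     * @throws IdentityOAuth2Exception if neither a JWKS URI nor a certificate is available
     */
    private void checkIfPublicCertConfiguredForEncryption(String clientId, String tenantDomain)
            throws IdentityOAuth2Exception {

        try {
            if (StringUtils.isBlank(OAuth2Util.getSPJwksUrl(clientId, tenantDomain))) {
                if (log.isDebugEnabled()) {
                    log.debug(String.format("Jwks uri is not configured for the service provider associated with "
                            + "client_id: %s , Checking for x509 certificate.", clientId));
                }
                // Called for its failure mode only: throws when no certificate is configured.
                OAuth2Util.getX509CertOfOAuthApp(clientId, tenantDomain);
            }
        } catch (IdentityOAuth2Exception e) {
            throw new IdentityOAuth2Exception("Cannot encrypt the ID token as the service Provider with client_id: "
                    + clientId + " of tenantDomain: " + tenantDomain
                    + " does not have a public certificate or a JWKS endpoint configured.", e);
        }
    }
}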
