package org.wso2.carbon.identity.openidconnect;

import com.nimbusds.jwt.JWTClaimsSet;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import net.minidev.json.JSONArray;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataHandler;
import org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.device.cache.DeviceAuthorizationGrantCache;
import org.wso2.carbon.identity.oauth2.device.cache.DeviceAuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth2.device.cache.DeviceAuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth2.device.constants.Constants;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeReqDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.RefreshTokenValidationDataDO;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer;
import org.wso2.carbon.identity.oauth2.util.AuthzUtil;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.internal.OpenIDConnectServiceComponentHolder;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/JWTAccessTokenOIDCClaimsHandler.class */
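/**
 * Populates a JWT access token with the authorized user's claims in the OIDC dialect.
 * <p>
 * Claims are taken from the authorization-grant cache (authorization code, access token, device code,
 * the previous access token on refresh) or, for local users, from the user store. Before being written
 * they are reduced to the claims the application has configured as "access token claims" and then passed
 * through the OIDC scope claim filter. Claims already present in the supplied {@link JWTClaimsSet.Builder}
 * are never overwritten, so user attributes cannot replace standard claims set by the issuer.
 * <p>
 * NOTE(review): for a token request the allow-list filter is skipped when the federated user's original
 * claim URIs are preserved, or when the previous access token was flagged as carrying non-OIDC claims
 * (see {@link #getUserClaimsInOIDCDialect(OAuthTokenReqMessageContext)}); in those cases every resolved
 * claim is written to the token.
 * <p>
 * Sensitive values (authorization codes, access tokens, claim values) are only logged when the
 * corresponding {@link IdentityUtil#isTokenLoggable(String)} category is enabled.
 */
public class JWTAccessTokenOIDCClaimsHandler implements CustomClaimsCallbackHandler {

    private static final Log log = LogFactory.getLog(JWTAccessTokenOIDCClaimsHandler.class);
    private static final String OAUTH2 = "oauth2";
    private static final String OIDC_DIALECT = "http://wso2.org/oidc/claim";

    // Message-context property keys read by this handler.
    private static final String AUTHORIZATION_CODE_PROPERTY = "AuthorizationCode";
    private static final String ACCESS_TOKEN_PROPERTY = "accessToken";
    private static final String PREVIOUS_ACCESS_TOKEN_PROPERTY = "previousAccessToken";
    private static final String OAUTH_APP_DO_PROPERTY = "OAuthAppDO";
    private static final String TENANT_DOMAIN_PROPERTY = "tenantDomain";

    private static final String ORGANIZATION_SWITCH_GRANT_TYPE = "organization_switch";

    // Claim names with fixed multi-valued handling (see isMultiValuedAttribute).
    private static final String ADDRESS_CLAIM = "address";
    private static final String GROUPS_CLAIM = "groups";

    // Categories consulted via IdentityUtil.isTokenLoggable before a sensitive value is written to the log.
    private static final String LOGGABLE_ACCESS_TOKEN = "AccessToken";
    private static final String LOGGABLE_AUTHORIZATION_CODE = "AuthorizationCode";
    private static final String LOGGABLE_USER_CLAIMS = "UserClaims";

    /**
     * Adds the authorized user's OIDC-dialect claims to the access token issued for a token request.
     *
     * @param builder                     claim set builder already holding the issuer's standard claims
     * @param oAuthTokenReqMessageContext token request context (grant type, authorized user, cached properties)
     * @return the built claim set; claims already present in {@code builder} are left untouched
     * @throws IdentityOAuth2Exception if the claims cannot be resolved and continuing on claim-handling errors
     *                                 is not allowed by the framework configuration
     */
    @Override
    public JWTClaimsSet handleCustomClaims(JWTClaimsSet.Builder builder,
                                           OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {

        return setClaimsToJwtClaimSet(builder, getUserClaimsInOIDCDialect(oAuthTokenReqMessageContext));
    }

    /**
     * Adds the authenticated user's OIDC-dialect claims to the access token issued for an authorization request.
     *
     * @param builder                     claim set builder already holding the issuer's standard claims
     * @param oAuthAuthzReqMessageContext authorization request context (request DTO, cached access token)
     * @return the built claim set; claims already present in {@code builder} are left untouched
     * @throws IdentityOAuth2Exception if the claims cannot be resolved and continuing on claim-handling errors
     *                                 is not allowed by the framework configuration
     */
    @Override
    public JWTClaimsSet handleCustomClaims(JWTClaimsSet.Builder builder,
                                           OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext)
            throws IdentityOAuth2Exception {

        return setClaimsToJwtClaimSet(builder, getUserClaimsInOIDCDialect(oAuthAuthzReqMessageContext));
    }

    /**
     * Resolves the claims for a token request.
     * <p>
     * Cached attributes are used when available; a local user (or an organization SSO user switching
     * organization) whose attributes are not cached, or any organization_switch grant, is resolved from
     * the user store instead. The result is then reduced to the application's configured access-token
     * claims unless the original claim URIs are preserved for a federated user or the previous access
     * token was flagged as carrying non-OIDC claims.
     *
     * @param tokenReqContext token request context
     * @return claim name to value; never {@code null}
     * @throws IdentityOAuth2Exception on lookup failures that are not configured to be tolerated
     */
    private Map<String, Object> getUserClaimsInOIDCDialect(OAuthTokenReqMessageContext tokenReqContext)
            throws IdentityOAuth2Exception {

        AuthenticatedUser authorizedUser = tokenReqContext.getAuthorizedUser();
        Map<ClaimMapping, String> cachedUserAttributes = getCachedUserAttributes(tokenReqContext, false);

        boolean resolveFromUserStore =
                (MapUtils.isEmpty(cachedUserAttributes) || isOrganizationSwitchGrantType(tokenReqContext))
                        && (isLocalUser(authorizedUser) || isOrganizationSsoUserSwitchingOrganization(authorizedUser));

        Map<String, Object> claims;
        if (resolveFromUserStore) {
            if (log.isDebugEnabled()) {
                log.debug("User attributes not found in cache against the access token or authorization code. "
                        + "Retrieving claims for local user: " + authorizedUser + " from userstore.");
            }
            linkSharedUserIfSwitchingOrganization(authorizedUser);
            claims = retrieveClaimsForLocalUser(tokenReqContext);
        } else {
            claims = getOIDCClaimsFromUserAttributes(cachedUserAttributes, tokenReqContext);
            claims.putAll(getOIDCClaimsFromFederatedUserAttributes(
                    getCachedUserAttributes(tokenReqContext, true), tokenReqContext));
        }

        if (isPreserverClaimUrisInAssertion(tokenReqContext) || hasNonOidcClaims(tokenReqContext)) {
            // Filtering by the configured access-token claims is bypassed here; every resolved claim is kept.
            return claims;
        }
        return filterClaims(claims, tokenReqContext);
    }

    /**
     * When the user accesses an organization other than the resident one (and the legacy authz runtime is
     * off), records the associated shared user id and organization on the user so the user-store lookup
     * resolves the shared identity. Mutates {@code authorizedUser} in place.
     */
    private void linkSharedUserIfSwitchingOrganization(AuthenticatedUser authorizedUser) {

        String residentOrganization = authorizedUser.getUserResidentOrganization();
        String accessingOrganization = authorizedUser.getAccessingOrganization();
        if (StringUtils.equals(residentOrganization, accessingOrganization)
                || CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME.booleanValue()) {
            return;
        }
        // Looked up once; the original evaluated this twice (once in the condition, once for the setter).
        String associatedUserId = AuthzUtil.getUserIdOfAssociatedUser(authorizedUser);
        if (StringUtils.isNotEmpty(associatedUserId)) {
            authorizedUser.setSharedUserId(associatedUserId);
            authorizedUser.setUserSharedOrganizationId(accessingOrganization);
        }
    }

    /** True when a previous access token was flagged (in getCachedUserAttributes) as carrying non-OIDC claims. */
    private boolean hasNonOidcClaims(OAuthTokenReqMessageContext tokenReqContext) {

        Object flag = tokenReqContext.getProperty(OIDCConstants.HAS_NON_OIDC_CLAIMS);
        return flag != null && ((Boolean) flag).booleanValue();
    }

    /**
     * Reduces the claims of a token request to the application's configured access-token claims and
     * applies the OIDC scope claim filter.
     *
     * @return the filtered claims; empty when the application configures no access-token claims
     */
    private Map<String, Object> filterClaims(Map<String, Object> claims, OAuthTokenReqMessageContext tokenReqContext)
            throws IdentityOAuth2Exception {

        String tenantDomain = getServiceProviderTenantDomain(tokenReqContext);
        String clientId = tokenReqContext.getOauth2AccessTokenReqDTO().getClientId();
        return filterConfiguredAccessTokenClaims(claims, clientId, tenantDomain);
    }

    /**
     * Reduces the claims of an authorization request to the application's configured access-token claims
     * and applies the OIDC scope claim filter.
     *
     * @return the filtered claims; empty when the application configures no access-token claims
     */
    private Map<String, Object> filterClaims(Map<String, Object> claims, OAuthAuthzReqMessageContext authzReqContext)
            throws IdentityOAuth2Exception {

        String tenantDomain = getServiceProviderTenantDomain(authzReqContext);
        String clientId = authzReqContext.getAuthorizationReqDTO().getConsumerKey();
        return filterConfiguredAccessTokenClaims(claims, clientId, tenantDomain);
    }

    /**
     * Shared implementation of both {@code filterClaims} overloads: keeps only the claim names listed in the
     * application's access-token claim configuration (an allow-list), then hands the result to the OIDC
     * scope claim filter.
     * <p>
     * Claims that are absent or have a {@code null} value are skipped, and a claim name listed twice in the
     * configuration is taken once; both cases made {@link Collectors#toMap} throw in the original code.
     */
    private Map<String, Object> filterConfiguredAccessTokenClaims(Map<String, Object> claims, String clientId,
                                                                  String tenantDomain) throws IdentityOAuth2Exception {

        List<String> accessTokenClaims = getAccessTokenClaims(clientId, tenantDomain);
        if (accessTokenClaims.isEmpty()) {
            return new HashMap<>();
        }
        Map<String, Object> allowedClaims = accessTokenClaims.stream()
                .filter(claimName -> claims.get(claimName) != null)
                .collect(Collectors.toMap(Function.identity(), claims::get, (first, duplicate) -> first));
        return handleClaimsFormat(allowedClaims, clientId, tenantDomain);
    }

    /**
     * Resolves a local user's claims from the user store for a token request.
     * <p>
     * Lookup failures are rethrown as {@link IdentityOAuth2Exception} unless the framework is configured to
     * continue on claim-handling errors, in which case the error is logged and an empty map is returned.
     */
    private Map<String, Object> retrieveClaimsForLocalUser(OAuthTokenReqMessageContext tokenReqContext)
            throws IdentityOAuth2Exception {

        AuthenticatedUser authorizedUser = tokenReqContext.getAuthorizedUser();
        try {
            return getLocalUserClaimsInOIDCDialect(getServiceProviderTenantDomain(tokenReqContext),
                    tokenReqContext.getOauth2AccessTokenReqDTO().getClientId(), authorizedUser);
        } catch (UserStoreException | IdentityApplicationManagementException | IdentityException
                 | OrganizationManagementException e) {
            String message = "Error occurred while getting claims for user: " + authorizedUser + " from userstore.";
            if (!FrameworkUtils.isContinueOnClaimHandlingErrorAllowed()) {
                throw new IdentityOAuth2Exception(message, e);
            }
            log.error(message, e);
            return new HashMap<>();
        }
    }

    /**
     * Converts cached user attributes (keyed by claim mapping) to OIDC-dialect claims keyed by the remote
     * claim URI and merges them with the tenant's OIDC claim configuration.
     */
    private Map<String, Object> getOIDCClaimsFromUserAttributes(Map<ClaimMapping, String> userAttributes,
                                                                OAuthTokenReqMessageContext tokenReqContext)
            throws IdentityOAuth2Exception {

        String tenantDomain = getServiceProviderTenantDomain(tokenReqContext);
        return OIDCClaimUtil.getMergedUserClaimsInOIDCDialect(tenantDomain,
                getOIDCClaimMapFromUserAttributes(userAttributes));
    }

    /**
     * Converts a federated user's mapped remote claims to OIDC-dialect claims (only those whose local claim
     * URI has an OIDC mapping in the tenant) and merges them with the tenant's OIDC claim configuration.
     *
     * @throws IdentityOAuth2Exception if the OIDC-to-local claim mappings cannot be read
     */
    private Map<String, Object> getOIDCClaimsFromFederatedUserAttributes(Map<ClaimMapping, String> mappedRemoteClaims,
                                                                         OAuthTokenReqMessageContext tokenReqContext)
            throws IdentityOAuth2Exception {

        String tenantDomain = getServiceProviderTenantDomain(tokenReqContext);
        return OIDCClaimUtil.getMergedUserClaimsInOIDCDialect(tenantDomain,
                getUserClaimsInOIDCDialectFromFederatedUserAttributes(tenantDomain, mappedRemoteClaims));
    }

    /**
     * Resolves the claims for an authorization request: cached attributes of the access token when present,
     * otherwise the user store (local user) or the request's user attributes (federated user). The result is
     * always reduced to the application's configured access-token claims.
     */
    private Map<String, Object> getUserClaimsInOIDCDialect(OAuthAuthzReqMessageContext authzReqContext)
            throws IdentityOAuth2Exception {

        String accessToken = getAccessToken(authzReqContext);
        Map<ClaimMapping, String> cachedUserAttributes = getUserAttributesCachedAgainstToken(accessToken, false);
        AuthenticatedUser user = authzReqContext.getAuthorizationReqDTO().getUser();

        Map<String, Object> claims;
        if (MapUtils.isNotEmpty(cachedUserAttributes)) {
            claims = getOIDCClaimMapFromUserAttributes(cachedUserAttributes);
            claims.putAll(getUserClaimsInOIDCDialectFromFederatedUserAttributes(
                    authzReqContext.getAuthorizationReqDTO().getTenantDomain(),
                    getUserAttributesCachedAgainstToken(accessToken, true)));
        } else if (isLocalUser(authzReqContext)) {
            if (log.isDebugEnabled()) {
                log.debug("User attributes not found in cache. Trying to retrieve attribute for local user: " + user);
            }
            claims = retrieveClaimsForLocalUser(authzReqContext);
        } else {
            if (log.isDebugEnabled()) {
                log.debug("User attributes not found in cache. Trying to retrieve attribute for federated user: "
                        + user);
            }
            claims = retrieveClaimsForFederatedUser(authzReqContext);
        }
        return filterClaims(claims, authzReqContext);
    }

    /**
     * Looks up the user attributes cached for a token request, trying in order: the authorization code,
     * the access token, the device code, the authorized user's own attributes, the hash of the current
     * access token and finally the previous access token of a refresh request. When a previous access
     * token is present, {@link OIDCConstants#HAS_NON_OIDC_CLAIMS} is recorded on the context.
     *
     * @param tokenReqContext    token request context
     * @param mappedRemoteClaims {@code true} to read the federated mapped remote claims from the cache entry,
     *                           {@code false} to read the user attributes
     * @return the first non-empty attribute map found, or an empty map; never {@code null} (the original
     * could return {@code null} when the user had no attributes, which the caller then dereferenced)
     */
    private Map<ClaimMapping, String> getCachedUserAttributes(OAuthTokenReqMessageContext tokenReqContext,
                                                              boolean mappedRemoteClaims)
            throws IdentityOAuth2Exception {

        AuthenticatedUser authorizedUser = tokenReqContext.getAuthorizedUser();
        Map<ClaimMapping, String> attributes =
                getUserAttributesCachedAgainstAuthorizationCode(getAuthorizationCode(tokenReqContext), mappedRemoteClaims);
        if (log.isDebugEnabled()) {
            log.debug("Retrieving claims cached against authorization_code for user: " + authorizedUser);
        }

        if (MapUtils.isEmpty(attributes)) {
            if (log.isDebugEnabled()) {
                log.debug("No claims cached against the authorization_code for user: " + authorizedUser
                        + ". Retrieving claims cached against the access_token.");
            }
            attributes = getUserAttributesCachedAgainstToken(getAccessToken(tokenReqContext), mappedRemoteClaims);
            if (log.isDebugEnabled()) {
                log.debug("Retrieving claims cached against access_token for user: " + authorizedUser);
            }
        }

        if (MapUtils.isEmpty(attributes)) {
            if (log.isDebugEnabled()) {
                log.debug("No claims cached against the access_token for user: " + authorizedUser
                        + ". Retrieving claims cached against the device code.");
            }
            attributes = getUserAttributesCachedAgainstDeviceCode(getDeviceCode(tokenReqContext), mappedRemoteClaims);
        }

        if (MapUtils.isEmpty(attributes)) {
            if (log.isDebugEnabled()) {
                log.debug("No claims found in authorization cache. Retrieving claims from attributes of user : "
                        + authorizedUser);
            }
            attributes = authorizedUser != null ? authorizedUser.getUserAttributes() : null;
        }

        if (MapUtils.isEmpty(attributes)) {
            if (log.isDebugEnabled()) {
                log.debug("No claims found in user in user attributes for user : " + authorizedUser);
            }
            String latestAccessTokenHash = getLatestAccessTokenHash(tokenReqContext);
            if (StringUtils.isNotBlank(latestAccessTokenHash)) {
                attributes = getUserAttributesCachedAgainstToken(latestAccessTokenHash, mappedRemoteClaims);
            }
            Object previousAccessToken = tokenReqContext.getProperty(PREVIOUS_ACCESS_TOKEN_PROPERTY);
            if (previousAccessToken != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Retrieving claims from previous access token of user : " + authorizedUser);
                }
                RefreshTokenValidationDataDO previousToken = (RefreshTokenValidationDataDO) previousAccessToken;
                if (MapUtils.isEmpty(attributes)) {
                    attributes = getUserAttributesCachedAgainstToken(previousToken.getAccessToken(), mappedRemoteClaims);
                }
                // Consulted later to decide whether the access-token claim filter is bypassed.
                tokenReqContext.addProperty(OIDCConstants.HAS_NON_OIDC_CLAIMS,
                        Boolean.valueOf(isTokenHasCustomUserClaims(previousToken)));
            }
        }
        return attributes == null ? Collections.emptyMap() : attributes;
    }

    /** Cache lookup by authorization code; an absent code yields an empty (immutable) map. */
    private Map<ClaimMapping, String> getUserAttributesCachedAgainstAuthorizationCode(String authorizationCode,
                                                                                      boolean mappedRemoteClaims) {

        if (authorizationCode == null) {
            return Collections.emptyMap();
        }
        return getUserAttributesFromCacheUsingCode(authorizationCode, mappedRemoteClaims);
    }

    /** Cache lookup by device code; an absent code or cache miss yields an empty (immutable) map. */
    private Map<ClaimMapping, String> getUserAttributesCachedAgainstDeviceCode(String deviceCode,
                                                                               boolean mappedRemoteClaims) {

        if (StringUtils.isEmpty(deviceCode)) {
            return Collections.emptyMap();
        }
        DeviceAuthorizationGrantCacheEntry cacheEntry = DeviceAuthorizationGrantCache.getInstance()
                .getValueFromCache(new DeviceAuthorizationGrantCacheKey(deviceCode));
        if (cacheEntry == null) {
            return Collections.emptyMap();
        }
        return mappedRemoteClaims ? cacheEntry.getMappedRemoteClaims() : cacheEntry.getUserAttributes();
    }

    /**
     * Reads the authorization-grant cache entry keyed by an authorization code. The code itself is only
     * logged when the "AuthorizationCode" category is loggable.
     *
     * @return the selected attribute map, or a new empty map on a cache miss
     */
    private Map<ClaimMapping, String> getUserAttributesFromCacheUsingCode(String authorizationCode,
                                                                          boolean mappedRemoteClaims) {

        if (log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable(LOGGABLE_AUTHORIZATION_CODE)) {
                log.debug("Retrieving user attributes cached against authorization code: " + authorizationCode);
            } else {
                log.debug("Retrieving user attributes cached against authorization code.");
            }
        }
        AuthorizationGrantCacheEntry cacheEntry = AuthorizationGrantCache.getInstance()
                .getValueFromCacheByCode(new AuthorizationGrantCacheKey(authorizationCode));
        return selectCachedAttributes(cacheEntry, mappedRemoteClaims);
    }

    /** Cache lookup by access token; an absent token yields an empty (immutable) map. */
    private Map<ClaimMapping, String> getUserAttributesCachedAgainstToken(String accessToken,
                                                                          boolean mappedRemoteClaims) {

        if (accessToken == null) {
            return Collections.emptyMap();
        }
        return getUserAttributesFromCacheUsingToken(accessToken, mappedRemoteClaims);
    }

    /**
     * Reads the authorization-grant cache entry keyed by an access token. The token itself is only logged
     * when the "AccessToken" category is loggable.
     *
     * @return the selected attribute map, or a new empty map on a cache miss
     */
    private Map<ClaimMapping, String> getUserAttributesFromCacheUsingToken(String accessToken,
                                                                           boolean mappedRemoteClaims) {

        if (log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable(LOGGABLE_ACCESS_TOKEN)) {
                log.debug("Retrieving user attributes cached against access token: " + accessToken);
            } else {
                log.debug("Retrieving user attributes cached against access token.");
            }
        }
        AuthorizationGrantCacheEntry cacheEntry = AuthorizationGrantCache.getInstance()
                .getValueFromCacheByToken(new AuthorizationGrantCacheKey(accessToken));
        return selectCachedAttributes(cacheEntry, mappedRemoteClaims);
    }

    /**
     * Picks the mapped remote claims or the user attributes from a grant cache entry.
     *
     * @return the chosen map, or a new mutable empty map when {@code cacheEntry} is {@code null}
     */
    private static Map<ClaimMapping, String> selectCachedAttributes(AuthorizationGrantCacheEntry cacheEntry,
                                                                    boolean mappedRemoteClaims) {

        if (cacheEntry == null) {
            return new HashMap<>();
        }
        return mappedRemoteClaims ? cacheEntry.getMappedRemoteClaims() : cacheEntry.getUserAttributes();
    }

    /**
     * Resolves a local user's claims from the user store for an authorization request.
     * <p>
     * Lookup failures are rethrown as {@link IdentityOAuth2Exception} unless the framework is configured to
     * continue on claim-handling errors, in which case the error is logged and an empty map is returned.
     */
    private Map<String, Object> retrieveClaimsForLocalUser(OAuthAuthzReqMessageContext authzReqContext)
            throws IdentityOAuth2Exception {

        OAuth2AuthorizeReqDTO authorizeReqDTO = authzReqContext.getAuthorizationReqDTO();
        try {
            return getLocalUserClaimsInOIDCDialect(getServiceProviderTenantDomain(authzReqContext),
                    authorizeReqDTO.getConsumerKey(), authorizeReqDTO.getUser());
        } catch (UserStoreException | IdentityApplicationManagementException | IdentityException
                 | OrganizationManagementException e) {
            String message = "Error occurred while getting claims for user " + authorizeReqDTO.getUser();
            if (!FrameworkUtils.isContinueOnClaimHandlingErrorAllowed()) {
                throw new IdentityOAuth2Exception(message, e);
            }
            log.error(message, e);
            return new HashMap<>();
        }
    }

    /**
     * Builds a federated user's claims for an authorization request from the request's user attributes plus
     * its mapped remote claims. Returns an empty map when the request DTO or its user is missing.
     */
    private Map<String, Object> retrieveClaimsForFederatedUser(OAuthAuthzReqMessageContext authzReqContext)
            throws IdentityOAuth2Exception {

        OAuth2AuthorizeReqDTO authorizeReqDTO = authzReqContext.getAuthorizationReqDTO();
        if (authorizeReqDTO == null) {
            // The original debug message read the user off the DTO it had just found to be null (NPE).
            if (log.isDebugEnabled()) {
                log.debug("OAuth2AuthorizeReqDTO is NULL for federated user.");
            }
            return new HashMap<>();
        }
        AuthenticatedUser user = authorizeReqDTO.getUser();
        if (user == null) {
            if (log.isDebugEnabled()) {
                log.debug("Authenticated User is not available in the request");
            }
            return new HashMap<>();
        }
        Map<String, Object> claims = getOIDCClaimMapFromUserAttributes(user.getUserAttributes());
        claims.putAll(getUserClaimsInOIDCDialectFromFederatedUserAttributes(authorizeReqDTO.getTenantDomain(),
                authorizeReqDTO.getMappedRemoteClaims()));
        return claims;
    }

    /**
     * Re-keys user attributes by the remote claim URI of their claim mapping.
     * <p>
     * Attributes with a {@code null} value are dropped: they cannot be written as a claim and made the
     * downstream {@link Collectors#toMap} in the claim filter throw.
     *
     * @return a new mutable map (empty for a {@code null} or empty input)
     */
    private Map<String, Object> getOIDCClaimMapFromUserAttributes(Map<ClaimMapping, String> userAttributes) {

        Map<String, Object> claims = new HashMap<>();
        if (MapUtils.isEmpty(userAttributes)) {
            return claims;
        }
        for (Map.Entry<ClaimMapping, String> entry : userAttributes.entrySet()) {
            String value = entry.getValue();
            if (value != null) {
                claims.put(entry.getKey().getRemoteClaim().getClaimUri(), value);
            }
        }
        return claims;
    }

    /**
     * Keeps the mapped remote claims whose local claim URI has an OIDC-dialect mapping in the tenant and
     * whose value is not blank, keyed by that local claim URI. Claim values are only logged when the
     * "UserClaims" category is loggable.
     *
     * @throws IdentityOAuth2Exception if the OIDC-to-local claim mappings cannot be read
     */
    private static Map<String, Object> getUserClaimsInOIDCDialectFromFederatedUserAttributes(
            String tenantDomain, Map<ClaimMapping, String> mappedRemoteClaims) throws IdentityOAuth2Exception {

        Map<String, String> oidcToLocalClaimMappings;
        try {
            oidcToLocalClaimMappings = ClaimMetadataHandler.getInstance()
                    .getMappingsMapFromOtherDialectToCarbon(OIDC_DIALECT, (Set<String>) null, tenantDomain, false);
        } catch (ClaimMetadataException e) {
            throw new IdentityOAuth2Exception("Error while retrieving OIDC to Local claim mappings.", (Throwable) e);
        }

        Map<String, Object> claims = new HashMap<>();
        if (MapUtils.isEmpty(mappedRemoteClaims)) {
            return claims;
        }
        for (Map.Entry<ClaimMapping, String> entry : mappedRemoteClaims.entrySet()) {
            String localClaimUri = entry.getKey().getLocalClaim().getClaimUri();
            String value = entry.getValue();
            if (!oidcToLocalClaimMappings.containsKey(localClaimUri) || StringUtils.isBlank(value)) {
                continue;
            }
            claims.put(localClaimUri, value);
            if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(LOGGABLE_USER_CLAIMS)) {
                log.debug("Mapped claim: key - " + localClaimUri + " value - " + value);
            }
        }
        return claims;
    }

    /**
     * Reads a local user's claims from the user store, requesting only the local claims that correspond
     * to the application's configured access-token claims (an allow-list; unlisted or unmapped claims are
     * never read).
     *
     * @return the OIDC-dialect claims, or an empty map when the application, its access-token claim list
     * or the tenant's OIDC claim mappings are missing
     */
    private Map<String, Object> getLocalUserClaimsInOIDCDialect(String tenantDomain, String clientId,
                                                                AuthenticatedUser user)
            throws IdentityApplicationManagementException, IdentityException, UserStoreException,
            OrganizationManagementException {

        ServiceProvider serviceProvider = getServiceProvider(tenantDomain, clientId);
        if (serviceProvider == null) {
            log.warn("Unable to find a service provider associated with client_id: " + clientId
                    + " in tenantDomain: " + tenantDomain + ". Returning empty claim map for user.");
            return new HashMap<>();
        }
        List<String> accessTokenClaims = getAccessTokenClaims(clientId, tenantDomain);
        if (accessTokenClaims.isEmpty()) {
            return new HashMap<>();
        }
        Map<String, String> oidcToLocalClaimMappings = getOIDCToLocalClaimMappings(tenantDomain);
        if (oidcToLocalClaimMappings.isEmpty()) {
            return new HashMap<>();
        }
        // Configured OIDC claim names are translated to local claim URIs; unmapped names are dropped.
        List<String> requestedLocalClaims = accessTokenClaims.stream()
                .map(oidcToLocalClaimMappings::get)
                .filter(Objects::nonNull)
                .collect(Collectors.toList());
        return OIDCClaimUtil.getUserClaimsInOIDCDialect(serviceProvider, user, requestedLocalClaims);
    }

    /** The authorization code stored on the token request context, or {@code null}. */
    private String getAuthorizationCode(OAuthTokenReqMessageContext tokenReqContext) {

        return (String) tokenReqContext.getProperty(AUTHORIZATION_CODE_PROPERTY);
    }

    /** The access token stored on the authorization request context, or {@code null}. */
    private String getAccessToken(OAuthAuthzReqMessageContext authzReqContext) {

        return (String) authzReqContext.getProperty(ACCESS_TOKEN_PROPERTY);
    }

    /** The access token stored on the token request context, or {@code null}. */
    private String getAccessToken(OAuthTokenReqMessageContext tokenReqContext) {

        return (String) tokenReqContext.getProperty(ACCESS_TOKEN_PROPERTY);
    }

    /** The device code stored on the token request context, or {@code null}. */
    private String getDeviceCode(OAuthTokenReqMessageContext tokenReqContext) {

        return (String) tokenReqContext.getProperty(Constants.DEVICE_CODE);
    }

    /** True for a non-federated user. */
    private boolean isLocalUser(AuthenticatedUser user) {

        return !user.isFederatedUser();
    }

    /** True when the authorization request's user is non-federated. */
    private boolean isLocalUser(OAuthAuthzReqMessageContext authzReqContext) {

        return !authzReqContext.getAuthorizationReqDTO().getUser().isFederatedUser();
    }

    /**
     * Hashes the context's access token with the token issuer of the application, for looking up
     * attributes cached against the hash.
     *
     * @return the hash, or {@code null} when there is no access token, no application or no issuer, or
     * when the application property is not an {@link OAuthAppDO}
     * @throws IdentityOAuth2Exception if the issuer fails to compute the hash
     */
    private String getLatestAccessTokenHash(OAuthTokenReqMessageContext tokenReqContext)
            throws IdentityOAuth2Exception {

        String accessToken = getAccessToken(tokenReqContext);
        if (StringUtils.isBlank(accessToken)) {
            return null;
        }
        Object oauthApp = tokenReqContext.getProperty(OAUTH_APP_DO_PROPERTY);
        if (oauthApp == null) {
            return null;
        }
        try {
            OauthTokenIssuer tokenIssuer = OAuth2Util.getOAuthTokenIssuerForOAuthApp((OAuthAppDO) oauthApp);
            if (tokenIssuer == null) {
                return null;
            }
            try {
                return tokenIssuer.getAccessTokenHash(accessToken);
            } catch (OAuthSystemException e) {
                throw new IdentityOAuth2Exception(
                        "Error occurred while generating the access token hash at user attribute retrieval",
                        (Throwable) e);
            }
        } catch (ClassCastException e) {
            log.error("Error occurred while generating the access token hash at user attribute retrieval", e);
            return null;
        }
    }

    /**
     * Whether the cache entry of the previous access token is flagged as carrying non-OIDC claims.
     *
     * @return {@code false} when the previous access token is absent or not cached
     */
    private boolean isTokenHasCustomUserClaims(RefreshTokenValidationDataDO previousToken) {

        String previousAccessToken = previousToken.getAccessToken();
        if (previousAccessToken == null) {
            return false;
        }
        AuthorizationGrantCacheEntry cacheEntry = AuthorizationGrantCache.getInstance()
                .getValueFromCacheByToken(new AuthorizationGrantCacheKey(previousAccessToken));
        boolean hasNonOidcClaims = cacheEntry != null && cacheEntry.isHasNonOIDCClaims();
        if (log.isDebugEnabled()) {
            log.debug("hasNonOIDCClaims is set to " + hasNonOidcClaims + " for the access token of the user : "
                    + previousToken.getAuthorizedUser());
        }
        return hasNonOidcClaims;
    }

    /**
     * Reads the tenant's OIDC-dialect to local claim URI mappings.
     *
     * @throws IdentityOAuth2Exception if the claim metadata cannot be read
     */
    private Map<String, String> getOIDCToLocalClaimMappings(String tenantDomain) throws IdentityOAuth2Exception {

        try {
            return ClaimMetadataHandler.getInstance()
                    .getMappingsMapFromOtherDialectToCarbon(OIDC_DIALECT, (Set<String>) null, tenantDomain, false);
        } catch (ClaimMetadataException e) {
            throw new IdentityOAuth2Exception("Error occurred while retrieving OIDC to Local claim mappings.",
                    (Throwable) e);
        }
    }

    /**
     * Writes the resolved claims into the builder. A claim that the builder already holds is skipped, so
     * user attributes cannot override claims set before this handler ran. Multi-valued attributes are
     * split on the framework's multi-attribute separator into a JSON array; {@code null} values are skipped.
     *
     * @return the claim set built after the additions
     */
    private JWTClaimsSet setClaimsToJwtClaimSet(JWTClaimsSet.Builder builder, Map<String, Object> claims) {

        JWTClaimsSet existingClaims = builder.build();
        String separator = FrameworkUtils.getMultiAttributeSeparator();
        for (Map.Entry<String, Object> entry : claims.entrySet()) {
            String claimName = entry.getKey();
            Object claimValue = entry.getValue();
            if (claimValue == null || existingClaims.getClaim(claimName) != null) {
                continue;
            }
            String textValue = claimValue.toString();
            if (isMultiValuedAttribute(claimName, textValue, separator)) {
                builder.claim(claimName, splitMultiValuedClaim(textValue, separator));
            } else {
                builder.claim(claimName, claimValue);
            }
        }
        return builder.build();
    }

    /** Splits a multi-valued attribute on the literal separator, dropping blank parts. */
    private static JSONArray splitMultiValuedClaim(String value, String separator) {

        JSONArray values = new JSONArray();
        for (String part : value.split(Pattern.quote(separator))) {
            if (StringUtils.isNotBlank(part)) {
                values.add(part);
            }
        }
        return values;
    }

    /**
     * Decides whether a claim is written as an array: "address" never is, "groups" always is, anything else
     * only when its value contains the separator.
     */
    private boolean isMultiValuedAttribute(String claimName, String value, String separator) {

        if (ADDRESS_CLAIM.equals(claimName)) {
            return false;
        }
        if (GROUPS_CLAIM.equals(claimName)) {
            return true;
        }
        return StringUtils.contains(value, separator);
    }

    /**
     * The claim names the application has configured for its access tokens.
     *
     * @return a new mutable list, empty when nothing is configured
     * @throws IdentityOAuth2Exception if the client id is unknown or the application cannot be read
     */
    private List<String> getAccessTokenClaims(String clientId, String tenantDomain) throws IdentityOAuth2Exception {

        try {
            String[] configuredClaims = OAuth2Util.getAppInformationByClientId(clientId, tenantDomain)
                    .getAccessTokenClaims();
            return configuredClaims == null ? new ArrayList<>() : new ArrayList<>(Arrays.asList(configuredClaims));
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception("Error occurred while getting app information for client_id: "
                    + clientId, (Throwable) e);
        }
    }

    /**
     * Runs the highest-priority OIDC claim filter over the claims using every scope name registered for the
     * tenant.
     */
    private Map<String, Object> handleClaimsFormat(Map<String, Object> claims, String clientId, String tenantDomain)
            throws IdentityOAuth2Exception {

        String[] scopeNames = OAuthTokenPersistenceFactory.getInstance().getScopeClaimMappingDAO()
                .getScopeNames(IdentityTenantUtil.getTenantId(tenantDomain)).toArray(new String[0]);
        return OpenIDConnectServiceComponentHolder.getInstance().getHighestPriorityOpenIDConnectClaimFilter()
                .getClaimsFilteredByOIDCScopes(claims, scopeNames, clientId, tenantDomain);
    }

    /**
     * Loads the service provider registered for the OAuth2 client id in the tenant (file-based SPs excluded).
     *
     * @return the service provider, or whatever the application management service returns for an unknown
     * name (the caller treats {@code null} as "not found")
     */
    private ServiceProvider getServiceProvider(String tenantDomain, String clientId)
            throws IdentityApplicationManagementException {

        if (log.isDebugEnabled()) {
            log.debug("Retrieving service provider for clientId: " + clientId + " in tenantDomain: " + tenantDomain);
        }
        ApplicationManagementService applicationMgtService = OAuth2ServiceComponentHolder.getApplicationMgtService();
        String serviceProviderName = applicationMgtService.getServiceProviderNameByClientId(clientId, OAUTH2,
                tenantDomain);
        return applicationMgtService.getApplicationExcludingFileBasedSPs(serviceProviderName, tenantDomain);
    }

    /** The tenant domain set on the token request context, falling back to the one in the request DTO. */
    private String getServiceProviderTenantDomain(OAuthTokenReqMessageContext tokenReqContext) {

        String tenantDomain = (String) tokenReqContext.getProperty(TENANT_DOMAIN_PROPERTY);
        if (tenantDomain != null) {
            return tenantDomain;
        }
        return tokenReqContext.getOauth2AccessTokenReqDTO().getTenantDomain();
    }

    /** The tenant domain set on the authorization request context, falling back to the one in the request DTO. */
    private String getServiceProviderTenantDomain(OAuthAuthzReqMessageContext authzReqContext) {

        String tenantDomain = (String) authzReqContext.getProperty(TENANT_DOMAIN_PROPERTY);
        if (tenantDomain != null) {
            return tenantDomain;
        }
        return authzReqContext.getAuthorizationReqDTO().getTenantDomain();
    }

    /**
     * True for a federated user whose resident organization is known and differs from the organization
     * being accessed.
     */
    private boolean isOrganizationSsoUserSwitchingOrganization(AuthenticatedUser user) {

        String accessingOrganization = user.getAccessingOrganization();
        String residentOrganization = user.getUserResidentOrganization();
        return user.isFederatedUser()
                && residentOrganization != null
                && !residentOrganization.equals(accessingOrganization);
    }

    /** True when the token request uses the organization_switch grant. */
    private boolean isOrganizationSwitchGrantType(OAuthTokenReqMessageContext tokenReqContext) {

        return StringUtils.equals(tokenReqContext.getOauth2AccessTokenReqDTO().getGrantType(),
                ORGANIZATION_SWITCH_GRANT_TYPE);
    }

    /**
     * True when the server is configured not to convert assertion claims to the OIDC dialect and the
     * authorized user is federated; such claims keep their original URIs and skip the access-token claim filter.
     */
    private boolean isPreserverClaimUrisInAssertion(OAuthTokenReqMessageContext tokenReqContext) {

        return !OAuthServerConfiguration.getInstance().isConvertOriginalClaimsFromAssertionsToOIDCDialect()
                && tokenReqContext.getAuthorizedUser().isFederatedUser();
    }
}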
