package org.wso2.carbon.identity.application.authenticator.oidc;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.util.JSONObjectUtils;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.minidev.json.JSONArray;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.client.OAuthClient;
import org.apache.oltu.oauth2.client.URLConnectionClient;
import org.apache.oltu.oauth2.client.request.OAuthClientRequest;
import org.apache.oltu.oauth2.client.response.OAuthAuthzResponse;
import org.apache.oltu.oauth2.client.response.OAuthClientResponse;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.apache.oltu.oauth2.common.utils.JSONUtils;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.LogoutFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AdditionalData;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationRequest;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatorData;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatorMessage;
import org.wso2.carbon.identity.application.authentication.framework.model.FederatedToken;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants;
import org.wso2.carbon.identity.application.authenticator.oidc.internal.OpenIDConnectAuthenticatorDataHolder;
import org.wso2.carbon.identity.application.authenticator.oidc.model.OIDCStateInfo;
import org.wso2.carbon.identity.application.authenticator.oidc.util.OIDCErrorConstants;
import org.wso2.carbon.identity.application.authenticator.oidc.util.OIDCTokenValidationUtil;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.IdentityProviderProperty;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException;
import org.wso2.carbon.identity.claim.metadata.mgt.model.ExternalClaim;
import org.wso2.carbon.identity.core.ServiceURLBuilder;
import org.wso2.carbon.identity.core.URLBuilderException;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.utils.DiagnosticLog;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.class */
public class OpenIDConnectAuthenticator extends AbstractApplicationAuthenticator implements FederatedApplicationAuthenticator {
    private static final long serialVersionUID = -4154255583070524018L;
    private static final String OIDC_DIALECT = "http://wso2.org/oidc/claim";
    private static final String PKCE_CODE_CHALLENGE_METHOD = "S256";
    private static final String IS_API_BASED = "IS_API_BASED";
    private static final String REDIRECT_URL = "REDIRECT_URL";
    private static final String SPACE_REGEX = "\\s+";
    private static final String SPACE = " ";
    private static final String SEMI_COLON_DELIMITER = ";";
    private static final String COMMA_DELIMITER = ",";
    private static final String AUTHENTICATOR_MESSAGE = "authenticatorMessage";
    private static final String IS_PKCE_ENABLED_NAME = "isPKCEEnabled";
    private static final String IS_PKCE_ENABLED_DISPLAY_NAME = "Enable PKCE";
    private static final String IS_PKCE_ENABLED_DESCRIPTION = "Specifies that PKCE should be used for client authentication";
    private static final String TYPE_BOOLEAN = "boolean";
    private static final Log LOG = LogFactory.getLog(OpenIDConnectAuthenticator.class);
    private static final String DYNAMIC_PARAMETER_LOOKUP_REGEX = "\\$\\{(\\w+)\\}";
    private static Pattern pattern = Pattern.compile(DYNAMIC_PARAMETER_LOOKUP_REGEX);
    private static final String[] NON_USER_ATTRIBUTES = {"at_hash", "iss", "iat", "exp", "aud", "azp"};

    /**
     * Entry point of the outbound OIDC step.
     *
     * Anything that is not the very first request of the flow (logout, a callback carrying
     * {@code code}/{@code error}, a native-SDK call) is delegated to the framework: logout
     * requests go to {@link #processLogout}, everything else to {@code super.process}. The same
     * happens for an initial request this authenticator cannot handle and which commonauth has
     * not already marked as handled. Otherwise the authorization request is built and the user is
     * redirected to the IdP; the flow stays {@code INCOMPLETE} until the IdP calls back.
     *
     * @return {@code INCOMPLETE} after issuing the redirect, otherwise whatever the framework returns
     * @throws AuthenticationFailedException if the authorization request cannot be built/sent
     * @throws LogoutFailedException propagated from the framework's logout handling
     */
    public AuthenticatorFlowStatus process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException, LogoutFailedException {
        // Keep the original short-circuit order: canHandle() emits a diagnostic log, so it must
        // only be consulted for an initial request.
        boolean delegateToFramework = !isInitialRequest(authenticationContext, httpServletRequest);
        if (!delegateToFramework) {
            boolean alreadyHandled = Boolean.TRUE.equals(httpServletRequest.getAttribute("commonAuthHandled"));
            delegateToFramework = !canHandle(httpServletRequest) && !alreadyHandled;
        }
        if (delegateToFramework) {
            if (authenticationContext.isLogoutRequest()) {
                return processLogout(httpServletRequest, httpServletResponse, authenticationContext);
            }
            return super.process(httpServletRequest, httpServletResponse, authenticationContext);
        }
        // A previous failure of this same authenticator marks this attempt as a retry.
        boolean retryOfThisAuthenticator = getName().equals(authenticationContext.getProperty("LastFailedAuthenticator"));
        if (retryOfThisAuthenticator) {
            authenticationContext.setRetrying(true);
        }
        initiateAuthenticationRequest(httpServletRequest, httpServletResponse, authenticationContext);
        authenticationContext.setCurrentAuthenticator(getName());
        authenticationContext.setRetrying(false);
        return AuthenticatorFlowStatus.INCOMPLETE;
    }

    /**
     * Handles the logout response from the IdP. Nothing is processed here beyond a debug log line;
     * the service provider and tenant are read only to make that line informative.
     */
    protected void processLogoutResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) {
        if (!LOG.isDebugEnabled()) {
            return;
        }
        String tenantDomain;
        if (IdentityTenantUtil.isTenantQualifiedUrlsEnabled()) {
            tenantDomain = IdentityTenantUtil.getTenantDomainFromContext();
        } else {
            tenantDomain = httpServletRequest.getParameter("tenantDomain");
        }
        // Both values are raw request parameters (attacker-controlled text) written to a
        // debug-only log line without escaping.
        LOG.debug("Handled logout response from service provider " + httpServletRequest.getParameter("sp") + " in tenant domain " + tenantDomain);
    }

    /**
     * Decides whether this request belongs to the outbound OIDC authenticator: either it is a
     * native-SDK based federation call, or its login type equals the OIDC login type.
     * When it does, a diagnostic log event is emitted (if diagnostic logging is on).
     *
     * @return {@code true} if this authenticator should process the request
     */
    public boolean canHandle(HttpServletRequest httpServletRequest) {
        if (LOG.isTraceEnabled()) {
            LOG.trace("Inside OpenIDConnectAuthenticator.canHandle()");
        }
        boolean handlesRequest;
        if (isNativeSDKBasedFederationCall(httpServletRequest)) {
            handlesRequest = true;
        } else {
            handlesRequest = OIDCAuthenticatorConstants.LOGIN_TYPE.equals(getLoginType(httpServletRequest));
        }
        if (handlesRequest && LoggerUtils.isDiagnosticLogsEnabled()) {
            DiagnosticLog.DiagnosticLogBuilder logBuilder = new DiagnosticLog.DiagnosticLogBuilder(getComponentId(), "handle-authentication-step");
            logBuilder.resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                    .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM)
                    .resultMessage("Outbound OIDC authenticator handling the authentication.");
            LoggerUtils.triggerDiagnosticLogEvent(logBuilder);
        }
        return handlesRequest;
    }

    /**
     * A request is the initial one of the flow unless it is a logout request, already carries an
     * authorization {@code code} or an {@code error} from the IdP, or is a native-SDK federation call.
     */
    protected boolean isInitialRequest(AuthenticationContext authenticationContext, HttpServletRequest httpServletRequest) {
        if (authenticationContext.isLogoutRequest()) {
            return false;
        }
        if (hasCodeParamInRequest(httpServletRequest)) {
            return false;
        }
        if (hasErrorParamInRequest(httpServletRequest)) {
            return false;
        }
        return !isNativeSDKBasedFederationCall(httpServletRequest);
    }

    /** True when the IdP callback carries a non-blank OAuth2 {@code error} parameter. */
    private boolean hasErrorParamInRequest(HttpServletRequest httpServletRequest) {
        String errorParam = httpServletRequest.getParameter(OIDCAuthenticatorConstants.OAUTH2_ERROR);
        return !StringUtils.isBlank(errorParam);
    }

    /** True when the IdP callback carries a non-blank authorization {@code code} parameter. */
    private boolean hasCodeParamInRequest(HttpServletRequest httpServletRequest) {
        String codeParam = httpServletRequest.getParameter(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE);
        return !StringUtils.isBlank(codeParam);
    }

    /**
     * Extension hook for subclasses that derive the authorization endpoint themselves.
     * The base implementation returns {@code null}, which makes {@link #getOIDCAuthzEndpoint}
     * fall back to the configured {@code OAuth2AuthzEPUrl} property.
     *
     * @param map authenticator properties (unused here)
     * @return always {@code null} in this base class
     */
    protected String getAuthorizationServerEndpoint(Map<String, String> map) {
        return null;
    }

    /**
     * Resolves the redirect URI to send to the IdP: the configured {@code callbackUrl} property,
     * or the absolute public {@code /commonauth} URL when none is configured.
     *
     * @deprecated context-less variant; the API-based flow needs the context-aware overload.
     * @throws RuntimeException if the commonauth URL cannot be built in tenant-qualified mode
     */
    @Deprecated
    protected String getCallbackUrl(Map<String, String> map) {
        String configuredCallback = map.get("callbackUrl");
        if (!StringUtils.isBlank(configuredCallback)) {
            return configuredCallback;
        }
        try {
            return ServiceURLBuilder.create().addPath(new String[]{"commonauth"}).build().getAbsolutePublicURL();
        } catch (URLBuilderException e) {
            throw new RuntimeException("Error occurred while building URL in tenant qualified mode.", e);
        }
    }

    /**
     * Resolves the redirect URI for the authorization request.
     *
     * For an API-based authentication flow ({@code IS_API_BASED} context property is "true") the
     * URL comes from the context's {@code REDIRECT_URL} property; presumably the framework has
     * already validated that value against the application's registered redirect URIs — confirm
     * before relying on it. Otherwise the configured {@code callbackUrl} is used, falling back to
     * the absolute public {@code /commonauth} URL.
     *
     * @throws RuntimeException if the commonauth URL cannot be built in tenant-qualified mode
     */
    protected String getCallbackUrl(Map<String, String> map, AuthenticationContext authenticationContext) {
        boolean apiBasedFlow = Boolean.parseBoolean((String) authenticationContext.getProperty(IS_API_BASED));
        if (apiBasedFlow) {
            return resolveCallBackURLForAPIBasedAuthFlow(authenticationContext);
        }
        String configuredCallback = map.get("callbackUrl");
        if (!StringUtils.isBlank(configuredCallback)) {
            return configuredCallback;
        }
        try {
            return ServiceURLBuilder.create().addPath(new String[]{"commonauth"}).build().getAbsolutePublicURL();
        } catch (URLBuilderException e) {
            throw new RuntimeException("Error occurred while building URL in tenant qualified mode.", e);
        }
    }

    /**
     * Redirect URL for API-based flows: read verbatim from the {@code REDIRECT_URL} context property.
     * Nothing here checks the value; whoever sets the property is responsible for validating it.
     */
    protected String resolveCallBackURLForAPIBasedAuthFlow(AuthenticationContext authenticationContext) {
        Object redirectUrl = authenticationContext.getProperty(REDIRECT_URL);
        return (String) redirectUrl;
    }

    /** The IdP logout endpoint from the authenticator properties ({@code null} when not configured). */
    protected String getLogoutUrl(Map<String, String> map) {
        String logoutUrl = map.get(OIDCAuthenticatorConstants.IdPConfParams.OIDC_LOGOUT_URL);
        return logoutUrl;
    }

    /** The IdP token endpoint from the authenticator properties ({@code null} when not configured). */
    protected String getTokenEndpoint(Map<String, String> map) {
        String tokenUrl = map.get(OIDCAuthenticatorConstants.OAUTH2_TOKEN_URL);
        return tokenUrl;
    }

    /**
     * Hook letting subclasses transform the OAuth2 {@code state} value before it is sent.
     * The base implementation returns the value unchanged.
     *
     * @param str the state computed by {@link #getStateParameter}
     * @param map authenticator properties (unused here)
     */
    protected String getState(String str, Map<String, String> map) {
        String unchangedState = str;
        return unchangedState;
    }

    /**
     * Returns the scope to request, defaulting to the standard OIDC scope when the given value is
     * blank (null, empty or whitespace only).
     *
     * @param str scope taken from the evaluated query parameters, may be blank
     * @param map authenticator properties (unused here)
     */
    protected String getScope(String str, Map<String, String> map) {
        if (!StringUtils.isBlank(str)) {
            return str;
        }
        return OIDCAuthenticatorConstants.OAUTH_OIDC_SCOPE;
    }

    /** The configured {@code Scopes} authenticator property ({@code null} when absent). */
    protected String getScope(Map<String, String> map) {
        String configuredScopes = map.get("Scopes");
        return configuredScopes;
    }

    /**
     * Whether the token response must contain an ID token. Always {@code true} for this
     * authenticator; subclasses for plain OAuth2 providers may override.
     */
    protected boolean requiredIDToken(Map<String, String> map) {
        final boolean idTokenMandatory = true;
        return idTokenMandatory;
    }

    /**
     * The identifier of the authenticated user: the {@code sub} claim from the given claim map.
     *
     * @param map claims (the ID token / user-info claims, keyed by claim name)
     * @return the {@code sub} value, or {@code null} if the map has none
     */
    protected String getAuthenticateUser(AuthenticationContext authenticationContext, Map<String, Object> map, OAuthClientResponse oAuthClientResponse) {
        Object subject = map.get(OIDCAuthenticatorConstants.Claim.SUB);
        return (String) subject;
    }

    /**
     * Legacy alias of {@link #getCallbackUrl(Map)}.
     *
     * @deprecated use the context-aware {@code getCallbackUrl} overload.
     */
    @Deprecated
    protected String getCallBackURL(Map<String, String> map) {
        String callback = getCallbackUrl(map);
        return callback;
    }

    /**
     * Additional query parameters configured for the IdP ({@code commonAuthQueryParams}), or
     * {@code null} when none are configured.
     */
    protected String getQueryString(Map<String, String> map) {
        String extraParams = map.get("commonAuthQueryParams");
        return extraParams;
    }

    /**
     * The configured {@code UserInfoUrl} of the IdP ({@code null} when absent). The token
     * response is not consulted in the base implementation.
     */
    protected String getUserInfoEndpoint(OAuthClientResponse oAuthClientResponse, Map<String, String> map) {
        String userInfoUrl = map.get("UserInfoUrl");
        return userInfoUrl;
    }

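    /**
     * Fetches user claims from the IdP's user-info endpoint using the access token from the
     * token response, and returns them as a claim-mapping map (claim name mapped to itself).
     *
     * Failure modes are deliberately soft: an I/O error or an empty response is logged and an
     * empty map is returned, so login proceeds without user-info claims. The returned values are
     * taken from the IdP response as-is; no claim is filtered here.
     *
     * Fix: {@code userInfoJson} is initialised to {@code null}. In the listing it was left
     * unassigned on the exception path, which javac rejects ("might not have been initialized").
     *
     * @param oAuthClientResponse token response; its {@code access_token} is sent to the endpoint
     * @param map authenticator properties ({@code UserInfoUrl} is read from here)
     * @return user-info claims, or an empty map when none could be retrieved
     */
    protected Map<ClaimMapping, String> getSubjectAttributes(OAuthClientResponse oAuthClientResponse, Map<String, String> map) {
        Map<ClaimMapping, String> claims = new HashMap<>();
        String userInfoJson = null;
        try {
            userInfoJson = sendRequest(getUserInfoEndpoint(oAuthClientResponse, map), oAuthClientResponse.getParam(OIDCAuthenticatorConstants.ACCESS_TOKEN));
        } catch (IOException e) {
            // Best effort: keep the authentication going without user-info claims.
            LOG.error("Communication error occurred while accessing user info endpoint", e);
        }
        if (StringUtils.isBlank(userInfoJson)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Empty JSON response from user info endpoint. Unable to fetch user claims. Proceeding without user claims");
            }
            return claims;
        }
        Map<String, Object> parsedClaims = JSONUtils.parseJSON(userInfoJson);
        for (Map.Entry<String, Object> entry : parsedClaims.entrySet()) {
            String claimName = entry.getKey();
            Object claimValue = entry.getValue();
            if (claimValue != null) {
                // Multi-valued claims are flattened with the configured multi-attribute separator;
                // anything else is stored via toString().
                String flattened = claimValue instanceof Object[]
                        ? StringUtils.join((Object[]) claimValue, FrameworkUtils.getMultiAttributeSeparator())
                        : claimValue.toString();
                claims.put(ClaimMapping.build(claimName, claimName, (String) null, false), flattened);
            }
            // Claim values are only logged when explicitly allowed for "UserClaims".
            if (LOG.isDebugEnabled() && IdentityUtil.isTokenLoggable("UserClaims") && parsedClaims.get(claimName) != null) {
                LOG.debug("Adding claims from end-point data mapping : " + claimName + " - " + parsedClaims.get(claimName).toString());
            }
        }
        return claims;
    }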

    /**
     * Builds the authorization request URL and redirects the browser to the IdP.
     * The redirect target is assembled from IdP configuration by {@link #prepareLoginPage}.
     * A diagnostic log event (with the scopes extracted from the URL) is emitted after the
     * redirect has been written.
     *
     * @throws AuthenticationFailedException with {@code IO_ERROR} if the redirect cannot be sent
     */
    protected void initiateAuthenticationRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        DiagnosticLog.DiagnosticLogBuilder logBuilder = null;
        boolean diagnosticsOn = LoggerUtils.isDiagnosticLogsEnabled();
        if (diagnosticsOn && authenticationContext.getAuthenticatorProperties() != null) {
            logBuilder = new DiagnosticLog.DiagnosticLogBuilder(getComponentId(), OIDCAuthenticatorConstants.LogConstants.ActionIDs.INITIATE_OUTBOUND_AUTH_REQUEST);
            logBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                    .inputParam("step", Integer.valueOf(authenticationContext.getCurrentStep()))
                    .inputParam("authenticator properties", authenticationContext.getAuthenticatorProperties().keySet())
                    .inputParam("idp", authenticationContext.getExternalIdP().getIdPName())
                    .inputParams(getApplicationDetails(authenticationContext));
        }
        String authorizationUrl = prepareLoginPage(httpServletRequest, authenticationContext);
        try {
            httpServletResponse.sendRedirect(authorizationUrl);
        } catch (IOException e) {
            throw new AuthenticationFailedException(OIDCErrorConstants.ErrorMessages.IO_ERROR.getCode(), e.getMessage(), e);
        }
        if (diagnosticsOn && logBuilder != null) {
            String scopes = extractScopesFromURL(authorizationUrl);
            if (StringUtils.isNotEmpty(scopes)) {
                logBuilder.inputParam("scopes", scopes);
            }
            logBuilder.resultMessage("Redirecting to the federated IDP login page.");
            LoggerUtils.triggerDiagnosticLogEvent(logBuilder);
        }
    }

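    /**
     * Builds the OIDC authorization-code request URL for the configured IdP.
     *
     * Security-relevant pieces stored in the context for the response leg:
     * <ul>
     *   <li>{@code state} — from {@link #getStateParameter}, saved as
     *       {@code OpenIDConnectAuthenticator_state_param};</li>
     *   <li>{@code nonce} — a fresh random UUID, saved under {@code OIDC_FEDERATION_NONCE};</li>
     *   <li>PKCE — when enabled, the code verifier is saved under {@code PKCE_CODE_VERIFIER} and
     *       the S256 challenge appended to the URL (generateCodeChallenge is not shown here; it is
     *       presumed to emit URL-safe base64, which is why it is appended raw).</li>
     * </ul>
     * Extra query parameters come from the IdP's {@code commonAuthQueryParams} property, expanded
     * by {@code interpretQueryString} against the inbound request parameters. If they already
     * carry {@code scope=} and/or {@code redirect_uri=} the corresponding standard parameter is
     * not added again.
     *
     * Fix: the inbound {@code domain} request parameter (home-realm hint, sent as {@code fidp})
     * is now URL-encoded before being appended. It was concatenated raw, so a crafted value could
     * smuggle additional query parameters into the authorization request.
     *
     * @return the absolute authorization URL; also stored as {@code OpenIDConnectAuthenticator_redirect_url}
     * @throws AuthenticationFailedException if authenticator properties are missing, the request
     *         cannot be built, or a value cannot be encoded
     */
    protected String prepareLoginPage(HttpServletRequest httpServletRequest, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        try {
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(getComponentId(), OIDCAuthenticatorConstants.LogConstants.ActionIDs.INITIATE_OUTBOUND_AUTH_REQUEST);
                diagnosticLogBuilder.resultMessage("Initiate outbound OIDC authentication request.").logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION).resultStatus(DiagnosticLog.ResultStatus.SUCCESS).inputParam("step", Integer.valueOf(authenticationContext.getCurrentStep())).inputParam("idp", authenticationContext.getExternalIdP().getIdPName()).inputParams(getApplicationDetails(authenticationContext));
                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
            }
            Map<String, String> authenticatorProperties = authenticationContext.getAuthenticatorProperties();
            if (authenticatorProperties == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug(OIDCErrorConstants.ErrorMessages.RETRIEVING_AUTHENTICATOR_PROPERTIES_FAILED.getMessage());
                }
                setAuthenticatorMessageToContext(OIDCErrorConstants.ErrorMessages.RETRIEVING_AUTHENTICATOR_PROPERTIES_FAILED, authenticationContext);
                throw new AuthenticationFailedException(OIDCErrorConstants.ErrorMessages.RETRIEVING_AUTHENTICATOR_PROPERTIES_FAILED.getCode(), OIDCErrorConstants.ErrorMessages.RETRIEVING_AUTHENTICATOR_PROPERTIES_FAILED.getMessage());
            }
            String clientId = authenticatorProperties.get("ClientId");
            String authzEndpoint = getOIDCAuthzEndpoint(authenticatorProperties);
            String callbackUrl = getCallbackUrl(authenticatorProperties, authenticationContext);
            String stateParameter = getStateParameter(httpServletRequest, authenticationContext, authenticatorProperties);
            authenticationContext.setProperty("OpenIDConnectAuthenticator_state_param", stateParameter);
            // Fresh per-request nonce; kept so the ID token's nonce can be checked on the way back.
            String nonce = UUID.randomUUID().toString();
            authenticationContext.setProperty(OIDCAuthenticatorConstants.OIDC_FEDERATION_NONCE, nonce);
            boolean pkceEnabled = Boolean.parseBoolean(authenticatorProperties.get(OIDCAuthenticatorConstants.IS_PKCE_ENABLED));
            String scope = getScope(authenticatorProperties);
            // Token sharing is opt-in at IdP level AND must be requested for this flow.
            if (Boolean.parseBoolean(authenticatorProperties.get(OIDCAuthenticatorConstants.SHARE_FEDERATED_TOKEN_CONFIG)) && requestedToShareFederatedToken(authenticationContext)) {
                scope = addValidScopesForFederatedTokenSharing(authenticationContext, authenticatorProperties, scope);
            }
            String queryString = getQueryString(authenticatorProperties);
            if (StringUtils.isNotBlank(scope)) {
                // NOTE: with no commonAuthQueryParams configured this yields "null&scope=...";
                // the leading "null" token has no '=' and is dropped by the split below.
                queryString = queryString + "&scope=" + scope;
            }
            String interpretedQueryString = interpretQueryString(authenticationContext, queryString, httpServletRequest.getParameterMap());
            HashMap<String, String> queryParamMap = new HashMap<>();
            if (StringUtils.isNotBlank(interpretedQueryString)) {
                for (String pair : interpretedQueryString.split(OIDCAuthenticatorConstants.AMPERSAND_SIGN)) {
                    String[] keyAndValue = pair.split(OIDCAuthenticatorConstants.EQUAL_SIGN);
                    if (keyAndValue.length >= 2) {
                        // A value containing '=' is truncated at its first '='.
                        queryParamMap.put(keyAndValue[0], keyAndValue[1]);
                    }
                }
                authenticationContext.setProperty(OIDCAuthenticatorConstants.OIDC_QUERY_PARAM_MAP_PROPERTY_KEY, queryParamMap);
            }
            String evaluatedQueryString = getEvaluatedQueryString(queryParamMap);
            String effectiveScope = getScope(queryParamMap.get(OIDCAuthenticatorConstants.SCOPE), authenticatorProperties);
            authenticationContext.setProperty("OpenIDConnectAuthenticator_scope_param", effectiveScope);
            boolean scopeInQuery = StringUtils.isNotBlank(evaluatedQueryString) && evaluatedQueryString.toLowerCase().contains("scope=");
            boolean redirectUriInQuery = StringUtils.isNotBlank(evaluatedQueryString) && evaluatedQueryString.toLowerCase().contains("redirect_uri=");
            // Four variants, differing only in whether redirect_uri and/or scope are set by the
            // builder or left to the extra query parameters appended further below.
            String locationUri;
            if (scopeInQuery && redirectUriInQuery) {
                locationUri = OAuthClientRequest.authorizationLocation(authzEndpoint).setClientId(clientId).setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE).setState(stateParameter).setParameter(OIDCAuthenticatorConstants.Claim.NONCE, nonce).buildQueryMessage().getLocationUri();
            } else if (scopeInQuery) {
                locationUri = OAuthClientRequest.authorizationLocation(authzEndpoint).setClientId(clientId).setRedirectURI(callbackUrl).setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE).setState(stateParameter).setParameter(OIDCAuthenticatorConstants.Claim.NONCE, nonce).buildQueryMessage().getLocationUri();
            } else if (redirectUriInQuery) {
                locationUri = OAuthClientRequest.authorizationLocation(authzEndpoint).setClientId(clientId).setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE).setScope(OIDCAuthenticatorConstants.OAUTH_OIDC_SCOPE).setState(stateParameter).setParameter(OIDCAuthenticatorConstants.Claim.NONCE, nonce).buildQueryMessage().getLocationUri();
            } else {
                locationUri = OAuthClientRequest.authorizationLocation(authzEndpoint).setClientId(clientId).setRedirectURI(callbackUrl).setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE).setScope(effectiveScope).setState(stateParameter).setParameter(OIDCAuthenticatorConstants.Claim.NONCE, nonce).buildQueryMessage().getLocationUri();
            }
            String homeRealm = httpServletRequest.getParameter("domain");
            if (StringUtils.isNotBlank(homeRealm)) {
                // Untrusted request input: encode it so it cannot inject further query parameters.
                locationUri = locationUri + "&fidp=" + URLEncoder.encode(homeRealm, StandardCharsets.UTF_8.name());
            }
            if (pkceEnabled) {
                String codeVerifier = generateCodeVerifier();
                authenticationContext.setProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER, codeVerifier);
                locationUri = locationUri + "&code_challenge=" + generateCodeChallenge(codeVerifier) + "&code_challenge_method=" + PKCE_CODE_CHALLENGE_METHOD;
            }
            if (StringUtils.isNotBlank(evaluatedQueryString)) {
                // Admin-configured extra parameters are appended as-is.
                locationUri = evaluatedQueryString.startsWith(OIDCAuthenticatorConstants.AMPERSAND_SIGN)
                        ? locationUri + evaluatedQueryString
                        : locationUri + OIDCAuthenticatorConstants.AMPERSAND_SIGN + evaluatedQueryString;
            }
            authenticationContext.setProperty("OpenIDConnectAuthenticator_redirect_url", locationUri);
            return locationUri;
        } catch (OAuthSystemException e) {
            throw new AuthenticationFailedException(OIDCErrorConstants.ErrorMessages.BUILDING_AUTHORIZATION_CODE_REQUEST_FAILED.getCode(), e.getMessage(), e);
        } catch (UnsupportedEncodingException e2) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Error while encoding the additional query parameters", e2);
            }
            setAuthenticatorMessageToContext(OIDCErrorConstants.ErrorMessages.BUILDING_AUTHORIZATION_CODE_REQUEST_FAILED, authenticationContext);
            throw new AuthenticationFailedException(OIDCErrorConstants.ErrorMessages.BUILDING_AUTHORIZATION_CODE_REQUEST_FAILED.getCode(), e2.getMessage(), e2);
        }
    }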

    /**
     * Extends the outbound scope string with the scopes requested for federated token sharing,
     * limited to those the IdP allows ({@code FEDERATED_TOKEN_ALLOWED_SCOPE}, checked by
     * {@code validateScopeForTokenSharing}, not shown here).
     *
     * @param str the scope string configured for the IdP, may be blank
     * @return {@code str} unchanged when nothing valid was requested, otherwise the merged scopes
     */
    private String addValidScopesForFederatedTokenSharing(AuthenticationContext authenticationContext, Map<String, String> map, String str) {
        String allowedScopes = map.get(OIDCAuthenticatorConstants.FEDERATED_TOKEN_ALLOWED_SCOPE);
        String requestedScopes = getRequestedScopesForTokenSharing(authenticationContext);
        Set<String> validScopes = validateScopeForTokenSharing(allowedScopes, requestedScopes);
        boolean debug = LOG.isDebugEnabled();
        if (CollectionUtils.isEmpty(validScopes)) {
            if (debug) {
                LOG.debug("No matching scopes found for federated token sharing.");
            }
            return str;
        }
        if (debug) {
            LOG.debug("Valid scopes found for the IDP" + getFederatedAuthenticatorName(authenticationContext) + " in federated token sharing: " + validScopes);
        }
        String mergedScopes = removeDuplicateScopes(str, validScopes);
        if (debug) {
            LOG.debug("The scopes for the IDP: " + getFederatedAuthenticatorName(authenticationContext) + " : " + mergedScopes + " after considering federated token sharing.");
        }
        return mergedScopes;
    }

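    /**
     * Merges the configured scope string with an additional set of scopes, dropping duplicates.
     *
     * Fixes over the previous version: the result keeps a stable order (configured scopes first,
     * in their original order, then the added ones) instead of HashSet iteration order, so the
     * outbound request and the logs are reproducible; leading/trailing whitespace in {@code str}
     * no longer produces an empty scope token; a {@code null} set is tolerated.
     *
     * @param str space-separated scopes, may be blank
     * @param set scopes to add, may be empty or {@code null}
     * @return space-separated union without duplicates ("" when both inputs are empty)
     */
    private String removeDuplicateScopes(String str, Set<String> set) {
        List<String> ordered = new ArrayList<>();
        Set<String> seen = new HashSet<>();
        if (!StringUtils.isBlank(str)) {
            for (String token : StringUtils.trim(str).split(SPACE_REGEX)) {
                if (!token.isEmpty() && seen.add(token)) {
                    ordered.add(token);
                }
            }
        }
        if (set != null) {
            for (String extra : set) {
                if (extra != null && !extra.isEmpty() && seen.add(extra)) {
                    ordered.add(extra);
                }
            }
        }
        return StringUtils.join(ordered, SPACE);
    }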

    /**
     * Scopes requested for federated token sharing: the adaptive-script runtime parameter
     * {@code federated_token_scope} wins; otherwise the value is derived from the inbound
     * request's query parameter of the same name.
     *
     * @return the raw requested scopes (still to be validated against the allowed ones), may be null/blank
     */
    private String getRequestedScopesForTokenSharing(AuthenticationContext authenticationContext) {
        String fromScript = getAdaptiveScriptValues(authenticationContext, OIDCAuthenticatorConstants.FEDERATED_TOKEN_SCOPE);
        if (!StringUtils.isBlank(fromScript)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Adaptive script parameter found for federated_token_scope in federated token sharing, IDP: " + getFederatedAuthenticatorName(authenticationContext));
            }
            return fromScript;
        }
        String fromQuery = getRequestedScopesViaQueryParams(authenticationContext);
        if (!StringUtils.isBlank(fromQuery) && LOG.isDebugEnabled()) {
            LOG.debug("No adaptive script parameter: federated_token_scope found. Query parameter: federated_token_scope value: " + fromQuery + " found for federated token sharing, IDP: " + getFederatedAuthenticatorName(authenticationContext));
        }
        return fromQuery;
    }

    /**
     * Reads a runtime parameter set by the adaptive authentication script.
     *
     * @return "" when there are no runtime params at all; otherwise the value for {@code str},
     *         which is {@code null} when the key is absent
     */
    private String getAdaptiveScriptValues(AuthenticationContext authenticationContext, String str) {
        Map runtimeParams = getRuntimeParams(authenticationContext);
        if (runtimeParams == null) {
            return "";
        }
        return (String) runtimeParams.get(str);
    }

    /**
     * Extracts the scopes requested for this IdP from the inbound {@code federated_token_scope}
     * query parameter. Expected format: comma-separated entries of {@code <idpName>;<scopes>};
     * only entries whose IdP name equals the current federated authenticator are used, and their
     * scope parts are concatenated, each followed by a space.
     *
     * The value originates from the caller's request, so it is untrusted; the caller is expected
     * to validate the result against the IdP's allowed scopes.
     *
     * @return the concatenated scopes (possibly "" when nothing matched), or {@code null} when the
     *         IdP name or the parameter is missing or the parameter lacks the ';' delimiter
     */
    private String getRequestedScopesViaQueryParams(AuthenticationContext authenticationContext) {
        String idpName = getFederatedAuthenticatorName(authenticationContext);
        boolean debug = LOG.isDebugEnabled();
        if (StringUtils.isBlank(idpName)) {
            if (debug) {
                LOG.debug("No external IDP name found in the authentication context for federated token sharing. Cannot retrieve the query parameters.");
            }
            return null;
        }
        String rawValue = getQueryParameter(authenticationContext, OIDCAuthenticatorConstants.FEDERATED_TOKEN_SCOPE);
        if (StringUtils.isBlank(rawValue)) {
            if (debug) {
                LOG.debug("No query parameter federated_token_scope found in federated token sharing, IDP: " + idpName);
            }
            return null;
        }
        if (!rawValue.contains(SEMI_COLON_DELIMITER)) {
            if (debug) {
                LOG.debug("Query parameter name: federated_token_scope value: " + rawValue + " is missing " + SEMI_COLON_DELIMITER + " delimiter in federated token sharing, IDP: " + idpName);
            }
            return null;
        }
        StringBuilder matchedScopes = new StringBuilder();
        for (String entry : StringUtils.split(rawValue, COMMA_DELIMITER)) {
            String[] idpAndScopes = StringUtils.split(entry, SEMI_COLON_DELIMITER);
            if (ArrayUtils.getLength(idpAndScopes) != 2) {
                continue;
            }
            if (!StringUtils.equals(idpName, StringUtils.trim(idpAndScopes[0]))) {
                continue;
            }
            matchedScopes.append(StringUtils.trim(idpAndScopes[1])).append(SPACE);
        }
        String result = matchedScopes.toString();
        if (debug && StringUtils.isBlank(result)) {
            LOG.debug("No valid values found for the IDP: " + idpName + " in the query parameter " + OIDCAuthenticatorConstants.FEDERATED_TOKEN_SCOPE + " for federated token sharing");
        }
        return result;
    }

    /**
     * Whether token sharing was requested for this flow: the adaptive-script runtime parameter
     * {@code share_federated_token} takes precedence; when it is blank, the inbound request's
     * query parameter of the same name is used.
     *
     * Note the fallback makes this request-controllable; the caller additionally gates sharing
     * on the IdP-level {@code SHARE_FEDERATED_TOKEN_CONFIG} property.
     *
     * @return {@code Boolean.parseBoolean} of the resolved value (false for null/blank)
     */
    private boolean requestedToShareFederatedToken(AuthenticationContext authenticationContext) {
        String shareFlag = getAdaptiveScriptValues(authenticationContext, OIDCAuthenticatorConstants.SHARE_FEDERATED_TOKEN_PARAM);
        boolean debug = LOG.isDebugEnabled();
        if (!StringUtils.isBlank(shareFlag)) {
            if (debug) {
                LOG.debug("Adaptive script parameter share_federated_token found for federated token sharing, IDP: " + getFederatedAuthenticatorName(authenticationContext));
            }
        } else {
            shareFlag = getQueryParameter(authenticationContext, OIDCAuthenticatorConstants.SHARE_FEDERATED_TOKEN_PARAM);
            if (debug) {
                LOG.debug("No adaptive script parameter: share_federated_token found. Query parameter: share_federated_token value: " + shareFlag + " found for federated token sharing, IDP: " + getFederatedAuthenticatorName(authenticationContext));
            }
        }
        return Boolean.parseBoolean(shareFlag);
    }

    /**
     * Returns the first value of the named query parameter of the original authentication
     * request, or {@code null} when the request, the name or the value is missing.
     * The value is caller-supplied input and is returned without validation.
     */
    private String getQueryParameter(AuthenticationContext authenticationContext, String str) {
        AuthenticationRequest originalRequest = authenticationContext.getAuthenticationRequest();
        boolean debug = LOG.isDebugEnabled();
        if (originalRequest == null || StringUtils.isBlank(str)) {
            if (debug) {
                LOG.debug("Invalid authentication request or invalid query parameter name : " + str + " for federated token sharing, IDP: " + getFederatedAuthenticatorName(authenticationContext));
            }
            return null;
        }
        String[] values = originalRequest.getRequestQueryParam(str);
        if (ArrayUtils.isEmpty(values)) {
            if (debug) {
                LOG.debug("No value found for the query parameter : " + str + " in federated token sharing, IDP: " + getFederatedAuthenticatorName(authenticationContext));
            }
            return null;
        }
        if (debug) {
            LOG.debug("Query parameter found for, " + str + " in federated token sharing, IDP: " + getFederatedAuthenticatorName(authenticationContext));
        }
        return values[0];
    }

    /** Stores an ERROR-type authenticator message (code + message of the given error) in the context. */
    private static void setAuthenticatorMessageToContext(OIDCErrorConstants.ErrorMessages errorMessages, AuthenticationContext authenticationContext) {
        AuthenticatorMessage message = new AuthenticatorMessage(
                FrameworkConstants.AuthenticatorMessageType.ERROR,
                errorMessages.getCode(),
                errorMessages.getMessage(),
                (Map) null);
        authenticationContext.setProperty(AUTHENTICATOR_MESSAGE, message);
    }

    /**
     * Builds the OAuth2 {@code state}: {@code <id>,<LOGIN_TYPE>} where {@code <id>} is a fresh
     * random UUID for API-based flows and the context identifier otherwise. The latter is not
     * random here; presumably the framework binds the context identifier to the session on the
     * way back — confirm before treating state as the sole CSRF protection. The result is passed
     * through the {@link #getState} hook.
     */
    private String getStateParameter(HttpServletRequest httpServletRequest, AuthenticationContext authenticationContext, Map<String, String> map) {
        String stateId;
        if (FrameworkUtils.isAPIBasedAuthenticationFlow(httpServletRequest)) {
            stateId = UUID.randomUUID().toString();
        } else {
            stateId = authenticationContext.getContextIdentifier();
        }
        return getState(stateId + COMMA_DELIMITER + OIDCAuthenticatorConstants.LOGIN_TYPE, map);
    }

    /**
     * Resolves the authorization endpoint: the value from {@code getAuthorizationServerEndpoint}, falling back to the
     * configured {@code OAUTH2_AUTHZ_URL} property when that is blank.
     *
     * @param map the authenticator properties
     * @return the authorization endpoint URL, or {@code null} when neither source provides one
     */
    private String getOIDCAuthzEndpoint(Map<String, String> map) {
        String endpoint = getAuthorizationServerEndpoint(map);
        return StringUtils.isNotBlank(endpoint) ? endpoint : map.get(OIDCAuthenticatorConstants.OAUTH2_AUTHZ_URL);
    }

    /**
     * Completes the outbound OIDC login once the IdP has redirected back to this server.
     * <p>
     * In order: exchange the authorization response for tokens ({@code requestAccessToken}), store the access
     * token on the context ({@code mapAccessToken}), optionally record the federated tokens for token sharing,
     * extract the ID token, decode its claims, compare the nonce with the one stored on the context, resolve the
     * authenticated user id, build the claim mappings, and set the subject on the context. When no ID token is
     * present (and none is required) the user is resolved from the token response alone.
     *
     * @param httpServletRequest    the IdP's redirect back to this server
     * @param httpServletResponse   not used by this method beyond the framework contract
     * @param authenticationContext the authentication context for this login
     * @throws AuthenticationFailedException when a required ID token is missing, its claims cannot be decoded, the
     *                                       nonce does not match, or the user id cannot be determined
     */
    protected void processAuthenticationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        AuthenticatedUser createFederateAuthenticatedUserFromSubjectIdentifier;
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(getComponentId(), OIDCAuthenticatorConstants.LogConstants.ActionIDs.PROCESS_AUTHENTICATION_RESPONSE);
            diagnosticLogBuilder.resultMessage("Processing outbound OIDC authentication response.").logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION).resultStatus(DiagnosticLog.ResultStatus.SUCCESS).inputParam("step", Integer.valueOf(authenticationContext.getCurrentStep())).inputParam("idp", authenticationContext.getExternalIdP().getIdPName()).inputParams(getApplicationDetails(authenticationContext));
            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
        }
        // Code exchange (or native-SDK token pass-through); fails the login if the token endpoint rejects us.
        OAuthClientResponse requestAccessToken = requestAccessToken(httpServletRequest, authenticationContext);
        mapAccessToken(httpServletRequest, authenticationContext, requestAccessToken);
        // Token sharing is opt-in twice: the IdP config must enable it and the request/script must ask for it.
        if (authenticationContext.getAuthenticatorProperties() != null && Boolean.parseBoolean((String) authenticationContext.getAuthenticatorProperties().get(OIDCAuthenticatorConstants.SHARE_FEDERATED_TOKEN_CONFIG)) && requestedToShareFederatedToken(authenticationContext)) {
            addFederatedTokensToContext(authenticationContext, requestAccessToken);
        }
        String mapIdToken = mapIdToken(authenticationContext, httpServletRequest, requestAccessToken);
        Map<String, String> authenticatorProperties = authenticationContext.getAuthenticatorProperties();
        if (requiredIDToken(authenticatorProperties) && StringUtils.isBlank(mapIdToken)) {
            setAuthenticatorMessageToContext(OIDCErrorConstants.ErrorMessages.ID_TOKEN_MISSED_IN_OIDC_RESPONSE, authenticationContext);
            throw new AuthenticationFailedException(OIDCErrorConstants.ErrorMessages.ID_TOKEN_MISSED_IN_OIDC_RESPONSE.getCode(), String.format(OIDCErrorConstants.ErrorMessages.ID_TOKEN_MISSED_IN_OIDC_RESPONSE.getMessage(), getTokenEndpoint(authenticatorProperties), authenticatorProperties.get("ClientId")));
        }
        // The ID token is kept as state so it can later be sent as id_token_hint on logout.
        OIDCStateInfo oIDCStateInfo = new OIDCStateInfo();
        oIDCStateInfo.setIdTokenHint(mapIdToken);
        authenticationContext.setStateInfo(oIDCStateInfo);
        // hashMap: user attributes keyed by claim mapping; hashMap2: scratch map handed to getAuthenticateUser
        // when there is no ID token (raw types come from the decompiled source).
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder2 = null;
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            diagnosticLogBuilder2 = new DiagnosticLog.DiagnosticLogBuilder(getComponentId(), OIDCAuthenticatorConstants.LogConstants.ActionIDs.PROCESS_AUTHENTICATION_RESPONSE);
            diagnosticLogBuilder2.inputParam("step", Integer.valueOf(authenticationContext.getCurrentStep())).inputParams(getApplicationDetails(authenticationContext)).inputParam("idp", authenticationContext.getExternalIdP().getIdPName()).logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
        }
        if (StringUtils.isNotBlank(mapIdToken)) {
            // Claims decoded from the ID token payload (see getIdTokenClaims for what validation this does and does not do).
            Map<String, Object> idTokenClaims = getIdTokenClaims(authenticationContext, mapIdToken);
            if (idTokenClaims.isEmpty()) {
                String message = OIDCErrorConstants.ErrorMessages.DECODED_JSON_OBJECT_IS_NULL.getMessage();
                if (LOG.isDebugEnabled()) {
                    LOG.debug(message);
                }
                setAuthenticatorMessageToContext(OIDCErrorConstants.ErrorMessages.DECODED_JSON_OBJECT_IS_NULL, authenticationContext);
                throw new AuthenticationFailedException(OIDCErrorConstants.ErrorMessages.DECODED_JSON_OBJECT_IS_NULL.getCode(), message);
            }
            if (LoggerUtils.isDiagnosticLogsEnabled() && diagnosticLogBuilder2 != null) {
                // Only claim names are logged here, not their values.
                diagnosticLogBuilder2.inputParam("id token claims", idTokenClaims.keySet());
            }
            String idPName = authenticationContext.getExternalIdP().getIdPName();
            // Keep the IdP's 'sid' claim on the context under a per-IdP key; presumably consumed by logout handling.
            String str = (String) idTokenClaims.get(OIDCAuthenticatorConstants.Claim.SID);
            if (StringUtils.isNotBlank(str) && StringUtils.isNotBlank(idPName)) {
                if (LoggerUtils.isDiagnosticLogsEnabled() && diagnosticLogBuilder2 != null) {
                    diagnosticLogBuilder2.inputParam("federated idp name", idPName);
                }
                authenticationContext.setProperty("FederatedIdPSessionIndex_" + idPName, str);
            }
            // Full claim values are logged only when the deployment explicitly marks the ID token as loggable.
            if (LOG.isDebugEnabled() && IdentityUtil.isTokenLoggable("UserIdToken")) {
                LOG.debug("Retrieved the User Information:" + idTokenClaims);
            }
            // Replay protection: the nonce we sent must come back in the id_token. Note that a *missing* nonce claim
            // is only debug-logged and the login proceeds; the comparison is enforced only when the IdP echoes it.
            if (StringUtils.isNotBlank((String) authenticationContext.getProperty(OIDCAuthenticatorConstants.OIDC_FEDERATION_NONCE))) {
                String str2 = (String) idTokenClaims.get(OIDCAuthenticatorConstants.Claim.NONCE);
                if (str2 == null) {
                    LOG.debug("OIDC provider does not support nonce claim in id_token.");
                }
                if (str2 != null && !str2.equals(authenticationContext.getProperty(OIDCAuthenticatorConstants.OIDC_FEDERATION_NONCE))) {
                    setAuthenticatorMessageToContext(OIDCErrorConstants.ErrorMessages.NONCE_MISMATCH, authenticationContext);
                    throw new AuthenticationFailedException(OIDCErrorConstants.ErrorMessages.NONCE_MISMATCH.getCode(), OIDCErrorConstants.ErrorMessages.NONCE_MISMATCH.getMessage());
                }
            }
            String authenticatedUserId = getAuthenticatedUserId(authenticationContext, requestAccessToken, idTokenClaims);
            String multiAttributeSeparator = getMultiAttributeSeparator(authenticationContext, authenticatedUserId);
            // Every claim except the reserved NON_USER_ATTRIBUTES becomes a user attribute.
            idTokenClaims.entrySet().stream().filter(entry -> {
                return !ArrayUtils.contains(NON_USER_ATTRIBUTES, entry.getKey());
            }).forEach(entry2 -> {
                buildClaimMappings(hashMap, entry2, multiAttributeSeparator);
            });
            createFederateAuthenticatedUserFromSubjectIdentifier = AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(authenticatedUserId);
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("The IdToken is null");
            }
            // No ID token: the subject is derived from the token response instead.
            createFederateAuthenticatedUserFromSubjectIdentifier = AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(getAuthenticateUser(authenticationContext, hashMap2, requestAccessToken));
        }
        // Attributes from the token response (e.g. userinfo) are merged on top of the ID token claims.
        hashMap.putAll(getSubjectAttributes(requestAccessToken, authenticatorProperties));
        createFederateAuthenticatedUserFromSubjectIdentifier.setUserAttributes(hashMap);
        authenticationContext.setSubject(createFederateAuthenticatedUserFromSubjectIdentifier);
        if (!LoggerUtils.isDiagnosticLogsEnabled() || diagnosticLogBuilder2 == null) {
            return;
        }
        diagnosticLogBuilder2.resultMessage("Outbound OIDC authentication response processed successfully.").resultStatus(DiagnosticLog.ResultStatus.SUCCESS);
        diagnosticLogBuilder2.inputParam("user attributes (local claim : remote claim)", getUserAttributeClaimMappingList(createFederateAuthenticatedUserFromSubjectIdentifier));
        LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder2);
    }

    /**
     * Returns the i18n key under which this authenticator's display strings are resolved.
     *
     * @return the OIDC authenticator i18n key
     */
    public String getI18nKey() {
        String key = OIDCAuthenticatorConstants.AUTHENTICATOR_OIDC;
        return key;
    }

    /**
     * Extracts the ID token from the token response. Subclasses may override to obtain it differently; the request
     * and context parameters exist for that purpose and are unused here.
     *
     * @param authenticationContext the current authentication context
     * @param httpServletRequest    the current request
     * @param oAuthClientResponse   the token endpoint response
     * @return the {@code id_token} parameter of the response, possibly {@code null}
     * @throws AuthenticationFailedException never thrown by this implementation; declared for overriders
     */
    protected String mapIdToken(AuthenticationContext authenticationContext, HttpServletRequest httpServletRequest, OAuthClientResponse oAuthClientResponse) throws AuthenticationFailedException {
        String idToken = oAuthClientResponse.getParam(OIDCAuthenticatorConstants.ID_TOKEN);
        return idToken;
    }

    /**
     * Stores the access token from the token response on the context under {@code ACCESS_TOKEN}.
     *
     * @param httpServletRequest    the current request (unused here; available to overriders)
     * @param authenticationContext the context to store the token on
     * @param oAuthClientResponse   the token endpoint response
     * @throws AuthenticationFailedException when the response carries no access token
     */
    protected void mapAccessToken(HttpServletRequest httpServletRequest, AuthenticationContext authenticationContext, OAuthClientResponse oAuthClientResponse) throws AuthenticationFailedException {
        String accessToken = oAuthClientResponse.getParam(OIDCAuthenticatorConstants.ACCESS_TOKEN);
        if (StringUtils.isNotBlank(accessToken)) {
            authenticationContext.setProperty(OIDCAuthenticatorConstants.ACCESS_TOKEN, accessToken);
            return;
        }
        OIDCErrorConstants.ErrorMessages error = OIDCErrorConstants.ErrorMessages.ACCESS_TOKEN_EMPTY_OR_NULL;
        setAuthenticatorMessageToContext(error, authenticationContext);
        throw new AuthenticationFailedException(error.getCode(), error.getMessage());
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v18, types: [java.util.List] */
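    /**
     * Appends the tokens from the token response to the {@code federated_tokens} list on the context, creating the
     * list when it does not exist yet.
     * <p>
     * The list carries access and refresh tokens, so it is sensitive; only the IdP name is written to the debug log.
     *
     * @param authenticationContext the context holding (or about to hold) the {@code federated_tokens} list
     * @param oAuthClientResponse   the token endpoint response to take the tokens from
     */
    private void addFederatedTokensToContext(AuthenticationContext authenticationContext, OAuthClientResponse oAuthClientResponse) {
        Object existing = authenticationContext.getProperty("federated_tokens");
        List<FederatedToken> federatedTokens;
        if (existing instanceof List) {
            // The property is written below with FederatedToken elements; other writers are not visible from here.
            @SuppressWarnings("unchecked")
            List<FederatedToken> stored = (List<FederatedToken>) existing;
            federatedTokens = stored;
        } else {
            federatedTokens = new ArrayList<>();
        }
        String federatedAuthenticatorName = getFederatedAuthenticatorName(authenticationContext);
        FederatedToken federatedToken = new FederatedToken(federatedAuthenticatorName, oAuthClientResponse.getParam(OIDCAuthenticatorConstants.ACCESS_TOKEN));
        federatedToken.setRefreshToken(oAuthClientResponse.getParam(OIDCAuthenticatorConstants.REFRESH_TOKEN));
        federatedToken.setTokenValidityPeriod(oAuthClientResponse.getParam(OIDCAuthenticatorConstants.EXPIRES_IN));
        federatedToken.setScope(oAuthClientResponse.getParam(OIDCAuthenticatorConstants.SCOPE));
        federatedTokens.add(federatedToken);
        authenticationContext.setProperty("federated_tokens", federatedTokens);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Federated tokens added to the authentication context, IDP: " + federatedAuthenticatorName);
        }
    }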

    /**
     * Intersects the requested scopes with the scopes allowed for federated token sharing.
     *
     * @param str  the allowed scopes, separated by {@code SPACE_REGEX}
     * @param str2 the requested scopes, separated by {@code SPACE_REGEX}
     * @return the requested scopes that are also allowed, or {@code null} when either input is blank
     */
    private Set<String> validateScopeForTokenSharing(String str, String str2) {
        boolean debug = LOG.isDebugEnabled();
        if (StringUtils.isBlank(str)) {
            if (debug) {
                LOG.debug("No scopes are allowed for federated token sharing.");
            }
            return null;
        }
        if (StringUtils.isBlank(str2)) {
            if (debug) {
                LOG.debug("No scopes are requested for federated token sharing.");
            }
            return null;
        }
        Set<String> allowed = new HashSet<>(Arrays.asList(str.split(SPACE_REGEX)));
        Set<String> granted = new HashSet<>(Arrays.asList(str2.split(SPACE_REGEX)));
        // Anything requested but not allowed is silently dropped rather than rejected.
        granted.retainAll(allowed);
        return granted;
    }

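    /**
     * Obtains the token response for this login.
     * <p>
     * In the regular browser flow the authorization code from the request is exchanged at the IdP's token endpoint.
     * When the IdP is a trusted token issuer and the request is a native-SDK federation call, the tokens are instead
     * taken from the request parameters and the supplied ID token is validated (issuer, signature, audience) before
     * being accepted.
     *
     * @param httpServletRequest    the inbound request carrying either the authorization code or the native-SDK tokens
     * @param authenticationContext the current authentication context
     * @return the token response to continue with (may be {@code null} if the OAuth client returns none)
     * @throws AuthenticationFailedException when the code exchange fails or the native-SDK ID token is invalid
     */
    protected OAuthClientResponse requestAccessToken(HttpServletRequest httpServletRequest, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        boolean nativeSdkFlow = isTrustedTokenIssuer(authenticationContext) && isNativeSDKBasedFederationCall(httpServletRequest);
        if (!nativeSdkFlow) {
            try {
                OAuthAuthzResponse authzResponse = OAuthAuthzResponse.oauthCodeAuthzResponse(httpServletRequest);
                OAuthClientResponse oauthResponse = getOauthResponse(new OAuthClient(new URLConnectionClient()), getAccessTokenRequest(authenticationContext, authzResponse));
                if (oauthResponse != null) {
                    processAuthenticatedUserScopes(authenticationContext, oauthResponse.getParam(OIDCAuthenticatorConstants.SCOPE));
                }
                return oauthResponse;
            } catch (OAuthProblemException e) {
                OIDCErrorConstants.ErrorMessages error = OIDCErrorConstants.ErrorMessages.AUTHENTICATION_PROCESS_FAILED;
                throw new AuthenticationFailedException(error.getCode(), error.getMessage(), authenticationContext.getSubject(), e);
            }
        }
        // Native-SDK path: the SDK completed the authorization at the IdP and hands us its tokens directly.
        String idToken = httpServletRequest.getParameter(OIDCAuthenticatorConstants.ID_TOKEN_PARAM);
        String accessToken = httpServletRequest.getParameter(OIDCAuthenticatorConstants.ACCESS_TOKEN_PARAM);
        try {
            // Issuer, signature and audience of the ID token are checked here. The access token is passed through
            // as received; no binding between the two tokens is verified in this method.
            validateJWTToken(authenticationContext, idToken);
            NativeSDKBasedFederatedOAuthClientResponse response = new NativeSDKBasedFederatedOAuthClientResponse();
            response.setAccessToken(accessToken);
            response.setIdToken(idToken);
            return response;
        } catch (ParseException | IdentityOAuth2ClientException | JOSEException e) {
            OIDCErrorConstants.ErrorMessages error = OIDCErrorConstants.ErrorMessages.INVALID_JWT_TOKEN;
            // Keep the parse/verification failure as the cause so server-side logs show why the token was rejected;
            // the caller still only gets the generic code and message.
            throw new AuthenticationFailedException(error.getCode(), error.getMessage(), e);
        } catch (IdentityOAuth2Exception e) {
            OIDCErrorConstants.ErrorMessages error = OIDCErrorConstants.ErrorMessages.JWT_TOKEN_VALIDATION_FAILED;
            throw new AuthenticationFailedException(error.getCode(), error.getMessage(), e);
        }
    }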

    /**
     * Validates a native-SDK supplied ID token: parses it, checks the issuer claim, resolves the registered IdP for
     * that issuer, then verifies the signature against that IdP and the audience for the tenant.
     * <p>
     * NOTE(review): no expiry/not-before check is visible in this method; unless {@code OIDCTokenValidationUtil}
     * enforces it inside one of the calls below, an expired token would pass — confirm.
     *
     * @param authenticationContext the current authentication context (supplies the tenant domain)
     * @param str                   the compact-serialized signed JWT
     * @throws ParseException                when the token cannot be parsed
     * @throws AuthenticationFailedException when no IdP is registered for the issuer
     * @throws JOSEException                 when signature verification cannot be performed
     * @throws IdentityOAuth2Exception       when issuer, signature or audience validation fails
     */
    private void validateJWTToken(AuthenticationContext authenticationContext, String str) throws ParseException, AuthenticationFailedException, JOSEException, IdentityOAuth2Exception {
        SignedJWT signedJwt = SignedJWT.parse(str);
        JWTClaimsSet claims = signedJwt.getJWTClaimsSet();
        // Issuer first: it selects which IdP's keys the signature is verified against.
        OIDCTokenValidationUtil.validateIssuerClaim(claims);
        String tenantDomain = authenticationContext.getTenantDomain();
        String issuer = OIDCTokenValidationUtil.getIssuer(claims);
        IdentityProvider idp = getIdentityProvider(issuer, tenantDomain);
        OIDCTokenValidationUtil.validateSignature(signedJwt, idp);
        OIDCTokenValidationUtil.validateAudience(claims.getAudience(), idp, tenantDomain);
    }

    /**
     * Resolves the IdP registered for an issuer within a tenant.
     * <p>
     * Lookup order: the IdP whose {@code idpIssuerName} metadata equals the issuer; then an IdP whose name equals the
     * issuer; and when that resolves to the default IdP, the tenant's resident IdP if its OIDC entity id matches.
     *
     * @param str  the issuer value from the token
     * @param str2 the tenant domain
     * @return the matching IdP, or {@code null} when nothing matched and the default-IdP case did not apply
     * @throws AuthenticationFailedException when the IdP lookup fails, or the default IdP was matched but the
     *                                       resident IdP does not own the issuer
     */
    private IdentityProvider getIdentityProvider(String str, String str2) throws AuthenticationFailedException {
        OIDCErrorConstants.ErrorMessages notFound = OIDCErrorConstants.ErrorMessages.NO_REGISTERED_IDP_FOR_ISSUER;
        try {
            IdentityProviderManager manager = IdentityProviderManager.getInstance();
            IdentityProvider idp = manager.getIdPByMetadataProperty("idpIssuerName", str, str2, false);
            if (idp == null) {
                // Fallback: treat the issuer string itself as an IdP name.
                idp = manager.getIdPByName(str, str2);
            }
            boolean isDefaultIdp = idp != null && StringUtils.equalsIgnoreCase(idp.getIdentityProviderName(), OIDCAuthenticatorConstants.BackchannelLogout.DEFAULT_IDP_NAME);
            if (!isDefaultIdp) {
                return idp;
            }
            IdentityProvider residentIdp = getResidentIDPForIssuer(str2, str);
            if (residentIdp == null) {
                throw new AuthenticationFailedException(notFound.getCode(), notFound.getMessage());
            }
            return residentIdp;
        } catch (IdentityProviderManagementException e) {
            throw new AuthenticationFailedException(notFound.getCode(), notFound.getMessage(), e);
        }
    }

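    /**
     * Returns the tenant's resident IdP when its OIDC entity id equals the given issuer.
     *
     * @param str  the tenant domain
     * @param str2 the issuer value to compare with the resident IdP's {@code OIDC_IDP_ENTITY_ID} property
     * @return the resident IdP on a match, otherwise {@code null}
     * @throws AuthenticationFailedException when the resident IdP cannot be loaded
     */
    private IdentityProvider getResidentIDPForIssuer(String str, String str2) throws AuthenticationFailedException {
        try {
            IdentityProvider residentIdP = IdentityProviderManager.getInstance().getResidentIdP(str);
            FederatedAuthenticatorConfig oidcConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(residentIdP.getFederatedAuthenticatorConfigs(), OIDCAuthenticatorConstants.AUTHENTICATOR_FRIENDLY_NAME);
            String entityId;
            if (oidcConfig == null) {
                // No OIDC authenticator configured on the resident IdP: nothing can match a real issuer.
                entityId = "";
            } else {
                Property entityIdProperty = IdentityApplicationManagementUtil.getProperty(oidcConfig.getProperties(), OIDCAuthenticatorConstants.BackchannelLogout.OIDC_IDP_ENTITY_ID);
                // A missing entity-id property previously surfaced as a NullPointerException; treat it as no match.
                entityId = entityIdProperty != null ? entityIdProperty.getValue() : null;
            }
            return str2.equals(entityId) ? residentIdP : null;
        } catch (IdentityProviderManagementException e) {
            OIDCErrorConstants.ErrorMessages error = OIDCErrorConstants.ErrorMessages.GETTING_RESIDENT_IDP_FAILED;
            // Preserve the underlying failure as the cause so it is not lost from server-side logs.
            throw new AuthenticationFailedException(error.getCode() + " - " + String.format(error.getMessage(), str), e);
        }
    }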

    /**
     * Hook invoked with the {@code scope} value of the token response. This implementation only logs it at debug
     * level; subclasses may override to act on the granted scopes.
     *
     * @param authenticationContext the current authentication context (unused here)
     * @param str                   the space-separated scopes from the token response, possibly {@code null}
     */
    protected void processAuthenticatedUserScopes(AuthenticationContext authenticationContext, String str) {
        if (!LOG.isDebugEnabled()) {
            return;
        }
        LOG.debug(String.format("Scopes in token response: %s", str));
    }

    /**
     * Starts RP-initiated logout at the IdP by redirecting the browser to the configured logout URL with
     * {@code id_token_hint} (when known), {@code post_logout_redirect_uri} and {@code state}. Without a configured
     * logout URL the superclass behaviour applies.
     *
     * @param httpServletRequest    the current request
     * @param httpServletResponse   the response used for the redirect
     * @param authenticationContext the current authentication context
     * @throws LogoutFailedException when the redirect cannot be sent
     */
    protected void initiateLogoutRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws LogoutFailedException {
        if (!isLogoutEnabled(authenticationContext)) {
            super.initiateLogoutRequest(httpServletRequest, httpServletResponse, authenticationContext);
            return;
        }
        Map<String, String> authenticatorProperties = authenticationContext.getAuthenticatorProperties();
        String logoutUrl = getLogoutUrl(authenticatorProperties);
        Map<String, String> queryParams = new HashMap<>();
        String idTokenHint = getIdTokenHint(authenticationContext);
        if (StringUtils.isNotBlank(idTokenHint)) {
            queryParams.put(OIDCAuthenticatorConstants.ID_TOKEN_HINT, idTokenHint);
        }
        queryParams.put(OIDCAuthenticatorConstants.POST_LOGOUT_REDIRECT_URI, getCallbackUrl(authenticatorProperties, authenticationContext));
        queryParams.put(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE, getStateParameter(httpServletRequest, authenticationContext, authenticatorProperties));
        try {
            httpServletResponse.sendRedirect(FrameworkUtils.buildURLWithQueryParams(logoutUrl, queryParams));
        } catch (IOException e) {
            throw new LogoutFailedException("Error occurred while initiating the logout request to IdP: " + authenticationContext.getExternalIdP().getName() + " of tenantDomain: " + authenticationContext.getTenantDomain(), e);
        }
    }

    /**
     * Reports whether a logout URL is configured for the IdP, which is what enables RP-initiated logout here.
     *
     * @param authenticationContext the current authentication context
     * @return {@code true} when the configured logout URL is non-blank
     */
    private boolean isLogoutEnabled(AuthenticationContext authenticationContext) {
        String logoutUrl = getLogoutUrl(authenticationContext.getAuthenticatorProperties());
        return !StringUtils.isBlank(logoutUrl);
    }

    /**
     * Returns the ID token kept as {@link OIDCStateInfo} on the context, for use as {@code id_token_hint}.
     *
     * @param authenticationContext the current authentication context
     * @return the stored ID token, or {@code null} when the state info is absent or of another type
     */
    private String getIdTokenHint(AuthenticationContext authenticationContext) {
        Object stateInfo = authenticationContext.getStateInfo();
        if (!(stateInfo instanceof OIDCStateInfo)) {
            return null;
        }
        return ((OIDCStateInfo) stateInfo).getIdTokenHint();
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v23, types: [java.util.Set] */
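    /**
     * Decodes the payload segment of the ID token into a claim map and stores the raw token on the context under
     * {@code ID_TOKEN}.
     * <p>
     * Only the Base64url payload is decoded; this method does not verify the token's signature. In the code flow
     * the token arrived directly from the token endpoint in {@link #requestAccessToken}, and in the native-SDK flow
     * {@link #requestAccessToken} validated it before this method runs.
     *
     * @param authenticationContext the current authentication context
     * @param str                   the compact-serialized ID token
     * @return the payload claims, or an empty map when the token has no payload segment or it is not a JSON object
     */
    private Map<String, Object> getIdTokenClaims(AuthenticationContext authenticationContext, String str) {
        authenticationContext.setProperty(OIDCAuthenticatorConstants.ID_TOKEN, str);
        Map<String, Object> claims = new HashMap<>();
        String[] segments = str.split("\\.");
        if (segments.length < 2) {
            // A compact JWT is at least header.payload; anything shorter used to fail with an index exception.
            setAuthenticatorMessageToContext(OIDCErrorConstants.ErrorMessages.JWT_TOKEN_PARSING_FAILED, authenticationContext);
            LOG.error("ID token provided by federated IDP does not contain a payload segment.");
            return claims;
        }
        // JWT payloads are UTF-8 JSON (RFC 7519); use an explicit charset rather than the platform default.
        byte[] payload = Base64.decodeBase64(segments[1].getBytes(StandardCharsets.UTF_8));
        try {
            claims.putAll(JSONObjectUtils.parseJSONObject(new String(payload, StandardCharsets.UTF_8)));
        } catch (ParseException e) {
            setAuthenticatorMessageToContext(OIDCErrorConstants.ErrorMessages.JWT_TOKEN_PARSING_FAILED, authenticationContext);
            LOG.error("Error occurred while parsing JWT provided by federated IDP: ", e);
        }
        return claims;
    }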

    /**
     * Reads the {@code MultiAttributeSeparator} user-store property of the context's tenant (defaulting the tenant
     * to {@code carbon.super} when the context has none).
     *
     * @param authenticationContext the current authentication context
     * @param str                   the authenticated user id, attached to the failure when the lookup throws
     * @return the separator, or {@code null} when the tenant realm is unavailable
     * @throws AuthenticationFailedException when the user store cannot be consulted
     */
    private String getMultiAttributeSeparator(AuthenticationContext authenticationContext, String str) throws AuthenticationFailedException {
        try {
            String tenantDomain = authenticationContext.getTenantDomain();
            if (StringUtils.isBlank(tenantDomain)) {
                tenantDomain = "carbon.super";
            }
            int tenantId = OpenIDConnectAuthenticatorDataHolder.getInstance().getRealmService().getTenantManager().getTenantId(tenantDomain);
            UserRealm realm = OpenIDConnectAuthenticatorDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
            if (realm == null) {
                return null;
            }
            String separator = realm.getUserStoreManager().getRealmConfiguration().getUserStoreProperty("MultiAttributeSeparator");
            if (LOG.isDebugEnabled()) {
                LOG.debug("For the claim mapping: " + separator + " is used as the attributeSeparator in tenant: " + tenantDomain);
            }
            return separator;
        } catch (UserStoreException e) {
            OIDCErrorConstants.ErrorMessages error = OIDCErrorConstants.ErrorMessages.RETRIEVING_MULTI_ATTRIBUTE_SEPARATOR_FAILED;
            throw new AuthenticationFailedException(error.getCode(), error.getMessage(), AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(str), e);
        }
    }

    /**
     * Determines the federated user id: from the configured user-id claim when {@code IsUserIdInClaims} is set and
     * that claim is present, otherwise from the {@code sub} claim via {@code getAuthenticateUser}.
     *
     * @param authenticationContext the current authentication context
     * @param oAuthClientResponse   the token endpoint response
     * @param map                   the decoded ID token claims
     * @return the resolved user id (never {@code null})
     * @throws AuthenticationFailedException when no user id can be determined
     */
    private String getAuthenticatedUserId(AuthenticationContext authenticationContext, OAuthClientResponse oAuthClientResponse, Map<String, Object> map) throws AuthenticationFailedException {
        boolean debug = LOG.isDebugEnabled();
        String userId;
        if (isUserIdFoundAmongClaims(authenticationContext)) {
            userId = getSubjectFromUserIDClaimURI(authenticationContext, map);
            if (StringUtils.isBlank(userId)) {
                if (debug) {
                    LOG.debug("Subject claim could not be found amongst id_token claims. Defaulting to the 'sub' attribute in id_token as authenticated user id.");
                }
                userId = getAuthenticateUser(authenticationContext, map, oAuthClientResponse);
            } else if (debug) {
                LOG.debug("Authenticated user id: " + userId + " was found among id_token claims.");
            }
        } else {
            userId = getAuthenticateUser(authenticationContext, map, oAuthClientResponse);
            if (debug) {
                LOG.debug("Authenticated user id: " + userId + " retrieved from the 'sub' claim.");
            }
        }
        if (userId == null) {
            OIDCErrorConstants.ErrorMessages error = OIDCErrorConstants.ErrorMessages.USER_ID_NOT_FOUND_IN_ID_TOKEN_SENT_BY_FEDERATED_IDP;
            setAuthenticatorMessageToContext(error, authenticationContext);
            throw new AuthenticationFailedException(error.getCode(), error.getMessage());
        }
        return userId;
    }

    /**
     * Reads the {@code IsUserIdInClaims} authenticator property.
     *
     * @param authenticationContext the current authentication context
     * @return {@code true} only when the property is literally {@code "true"} (case-insensitive)
     */
    private boolean isUserIdFoundAmongClaims(AuthenticationContext authenticationContext) {
        Object configured = authenticationContext.getAuthenticatorProperties().get("IsUserIdInClaims");
        return Boolean.parseBoolean((String) configured);
    }

    /**
     * Adds one ID token claim to the attribute map as a {@link ClaimMapping} whose local and remote URIs are both the
     * claim name. Array values are joined with {@code str} (or {@code ",,,"} when {@code str} is blank); scalar
     * values use {@code toString()}; {@code null} and empty arrays become {@code ""}.
     *
     * @param map   the attribute map to add to
     * @param entry the claim name and value
     * @param str   the multi-value separator, may be blank
     */
    protected void buildClaimMappings(Map<ClaimMapping, String> map, Map.Entry<String, Object> entry, String str) {
        String separator = StringUtils.isBlank(str) ? ",,," : str;
        Object value = entry.getValue();
        String joined = null;
        if (value instanceof JSONArray) {
            JSONArray values = (JSONArray) value;
            if (!values.isEmpty()) {
                List<String> parts = new ArrayList<>(values.size());
                for (Object element : values) {
                    parts.add(element.toString());
                }
                joined = String.join(separator, parts);
            }
        } else {
            joined = value != null ? value.toString() : "";
        }
        map.put(ClaimMapping.build(entry.getKey(), entry.getKey(), (String) null, false), joined != null ? joined : "");
        // Claim values reach the log only when the deployment explicitly marks user claims as loggable.
        if (LOG.isDebugEnabled() && IdentityUtil.isTokenLoggable("UserClaims")) {
            LOG.debug("Adding claim mapping : " + entry.getKey() + " <> " + entry.getKey() + " : " + joined);
        }
    }

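    /**
     * Builds the authorization-code token request for the IdP's token endpoint.
     * <p>
     * Client credentials go either in an HTTP Basic {@code Authorization} header or in the request body, depending
     * on {@code IS_BASIC_AUTH_ENABLED}. When PKCE is enabled the code verifier stored on the context is added and
     * then removed from the context so it is used exactly once. An {@code Origin} header carrying this server's
     * public URL is added to every request.
     *
     * @param authenticationContext the current authentication context (authenticator properties, PKCE verifier,
     *                              callback URL)
     * @param oAuthAuthzResponse    the parsed authorization response carrying the code
     * @return the token request ready to send
     * @throws AuthenticationFailedException when PKCE is enabled without a stored verifier, or the request cannot be
     *                                       built
     * @throws RuntimeException              when this server's public URL cannot be built
     */
    protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext authenticationContext, OAuthAuthzResponse oAuthAuthzResponse) throws AuthenticationFailedException {
        Map<String, String> authenticatorProperties = authenticationContext.getAuthenticatorProperties();
        String clientId = authenticatorProperties.get("ClientId");
        String clientSecret = authenticatorProperties.get("ClientSecret");
        String tokenEndpoint = getTokenEndpoint(authenticatorProperties);
        boolean pkceEnabled = Boolean.parseBoolean(authenticatorProperties.get(OIDCAuthenticatorConstants.IS_PKCE_ENABLED));
        String codeVerifier = (String) authenticationContext.getProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER);
        // The redirect_uri must match the one used on the authorization request, so prefer the value recorded then.
        String redirectUri = getCallbackUrlFromInitialRequestParamMap(authenticationContext);
        if (StringUtils.isBlank(redirectUri)) {
            redirectUri = getCallbackUrl(authenticatorProperties, authenticationContext);
        }
        try {
            boolean basicAuth = Boolean.parseBoolean(authenticatorProperties.get(OIDCAuthenticatorConstants.IS_BASIC_AUTH_ENABLED));
            if (LOG.isDebugEnabled()) {
                LOG.debug("Authenticating to token endpoint: " + tokenEndpoint + (basicAuth ? " with HTTP basic authentication scheme." : " including client credentials in request body."));
            }
            OAuthClientRequest.TokenRequestBuilder builder = OAuthClientRequest.tokenLocation(tokenEndpoint).setGrantType(GrantType.AUTHORIZATION_CODE);
            if (!basicAuth) {
                builder.setClientId(clientId).setClientSecret(clientSecret);
            }
            builder.setRedirectURI(redirectUri).setCode(oAuthAuthzResponse.getCode());
            applyPkceCodeVerifier(builder, pkceEnabled, codeVerifier);
            OAuthClientRequest request = builder.buildBodyMessage();
            if (basicAuth) {
                // "client_id:client_secret", Base64-encoded. RFC 6749 section 2.3.1 expects both values to be
                // form-urlencoded before Base64; as before, they are encoded raw here, which only matters for
                // credentials containing ':' or non-ASCII characters. UTF-8 is used explicitly so the header does not
                // depend on the platform charset.
                String credentials = clientId + ":" + clientSecret;
                request.addHeader("Authorization", "Basic " + new String(Base64.encodeBase64(credentials.getBytes(StandardCharsets.UTF_8)), StandardCharsets.US_ASCII));
            }
            // The verifier is single-use: drop it from the context whichever way the request was built.
            authenticationContext.removeProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER);
            if (request != null) {
                request.addHeader(OIDCAuthenticatorConstants.HTTP_ORIGIN_HEADER, ServiceURLBuilder.create().build().getAbsolutePublicURL());
            }
            return request;
        } catch (OAuthSystemException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format(OIDCErrorConstants.ErrorMessages.BUILDING_ACCESS_TOKEN_REQUEST_FAILED.getMessage(), tokenEndpoint), e);
            }
            setAuthenticatorMessageToContext(OIDCErrorConstants.ErrorMessages.BUILDING_ACCESS_TOKEN_REQUEST_FAILED, authenticationContext);
            throw new AuthenticationFailedException(OIDCErrorConstants.ErrorMessages.BUILDING_ACCESS_TOKEN_REQUEST_FAILED.getCode(), e);
        } catch (URLBuilderException e) {
            throw new RuntimeException("Error occurred while building URL in tenant qualified mode.", e);
        }
    }

    /**
     * Adds the PKCE {@code code_verifier} parameter to the token request when PKCE is enabled.
     *
     * @param builder      the token request under construction
     * @param pkceEnabled  whether PKCE is enabled for this IdP
     * @param codeVerifier the verifier stored on the context when the authorization request was sent
     * @throws AuthenticationFailedException when PKCE is enabled but no verifier is available
     */
    private static void applyPkceCodeVerifier(OAuthClientRequest.TokenRequestBuilder builder, boolean pkceEnabled, String codeVerifier) throws AuthenticationFailedException {
        if (!pkceEnabled) {
            return;
        }
        if (StringUtils.isEmpty(codeVerifier)) {
            throw new AuthenticationFailedException("PKCE is enabled, but the code verifier is not found.");
        }
        builder.setParameter("code_verifier", codeVerifier);
    }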

    /**
     * Sends the token request and returns the token response.
     *
     * @param oAuthClient        the client used to call the token endpoint
     * @param oAuthClientRequest the request built by {@code getAccessTokenRequest}
     * @return the token endpoint response
     * @throws AuthenticationFailedException when the call fails; note the exception message is taken from the
     *                                       underlying client error, so it may contain the IdP's error description
     */
    protected OAuthClientResponse getOauthResponse(OAuthClient oAuthClient, OAuthClientRequest oAuthClientRequest) throws AuthenticationFailedException {
        try {
            return oAuthClient.accessToken(oAuthClientRequest);
        } catch (OAuthSystemException | OAuthProblemException e) {
            OIDCErrorConstants.ErrorMessages error = OIDCErrorConstants.ErrorMessages.REQUESTING_ACCESS_TOKEN_FAILED;
            if (LOG.isDebugEnabled()) {
                LOG.debug(error.getMessage(), e);
            }
            throw new AuthenticationFailedException(error.getCode(), e.getMessage(), e);
        }
    }

    /**
     * Recovers the authentication context identifier from the IdP's redirect: the {@code sessionDataKey} parameter
     * in the API-based flow, otherwise the part of {@code state} before {@code COMMA_DELIMITER}.
     *
     * @param httpServletRequest the IdP's redirect back to this server
     * @return the context identifier, or {@code null} when the request carries no {@code state}
     */
    public String getContextIdentifier(HttpServletRequest httpServletRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Inside OpenIDConnectAuthenticator.getContextIdentifier()");
        }
        if (FrameworkUtils.isAPIBasedAuthenticationFlow(httpServletRequest)) {
            return httpServletRequest.getParameter(OIDCAuthenticatorConstants.SESSION_DATA_KEY_PARAM);
        }
        String state = httpServletRequest.getParameter(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE);
        if (state == null) {
            return null;
        }
        // state was issued as "<contextId>,<loginType>" (see getStateParameter); the request value is untrusted
        // input and is only used as a lookup key.
        return state.split(COMMA_DELIMITER)[0];
    }

    /**
     * Returns the login type encoded after {@code COMMA_DELIMITER} in the {@code state} request parameter.
     *
     * @param httpServletRequest the IdP's redirect back to this server
     * @return the login type, or {@code null} when {@code state} is absent or has no second part
     */
    private String getLoginType(HttpServletRequest httpServletRequest) {
        String state = httpServletRequest.getParameter(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE);
        if (state != null) {
            String[] parts = state.split(COMMA_DELIMITER);
            if (parts.length > 1) {
                return parts[1];
            }
        }
        return null;
    }

    /**
     * Returns the human-readable name of this authenticator.
     *
     * @return the OIDC authenticator friendly name
     */
    public String getFriendlyName() {
        String friendlyName = OIDCAuthenticatorConstants.AUTHENTICATOR_FRIENDLY_NAME;
        return friendlyName;
    }

    /**
     * Returns the internal name of this authenticator.
     *
     * @return the OIDC authenticator name
     */
    public String getName() {
        String name = OIDCAuthenticatorConstants.AUTHENTICATOR_NAME;
        return name;
    }

    /**
     * Returns the claim dialect the remote claims of this authenticator belong to.
     *
     * @return the OIDC claim dialect URI
     */
    public String getClaimDialectURI() {
        String dialect = OIDC_DIALECT;
        return dialect;
    }

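    /**
     * Describes the IdP configuration properties this authenticator exposes to the admin UI.
     * <p>
     * Properties are returned in display order. {@code ClientSecret} is the only one marked
     * confidential, so it is the only value the platform should mask when rendering or storing.
     *
     * @return a mutable list of the eleven configuration properties
     */
    public List<Property> getConfigurationProperties() {
        List<Property> properties = new ArrayList<>();

        properties.add(configProperty("ClientId", "Client Id", true,
                "Enter OAuth2/OpenID Connect client identifier value", "string", 1));

        Property clientSecret = configProperty("ClientSecret", "Client Secret", true,
                "Enter OAuth2/OpenID Connect client secret value", "string", 2);
        clientSecret.setConfidential(true);
        properties.add(clientSecret);

        properties.add(configProperty(OIDCAuthenticatorConstants.OAUTH2_AUTHZ_URL, "Authorization Endpoint URL", true,
                "Enter OAuth2/OpenID Connect authorization endpoint URL value", "string", 3));
        properties.add(configProperty(OIDCAuthenticatorConstants.OAUTH2_TOKEN_URL, "Token Endpoint URL", true,
                "Enter OAuth2/OpenID Connect token endpoint URL value", "string", 4));
        properties.add(configProperty("callbackUrl", "Callback Url", false,
                "Enter value corresponding to callback url", "string", 5));
        properties.add(configProperty("UserInfoUrl", "Userinfo Endpoint URL", false,
                "Enter value corresponding to userinfo endpoint url", "string", 6));
        properties.add(configProperty("IsUserIdInClaims", "OpenID Connect User ID Location", false,
                "Specifies the location to find the user identifier in the ID token assertion", TYPE_BOOLEAN, 7));

        Property scopes = configProperty("Scopes", "Scopes", false, "A list of scopes", "string", 8);
        scopes.setDefaultValue(OIDCAuthenticatorConstants.OAUTH_OIDC_SCOPE);
        properties.add(scopes);

        properties.add(configProperty("commonAuthQueryParams", "Additional Query Parameters", false,
                "Additional query parameters. e.g: paramName1=value1", "string", 9));
        properties.add(configProperty(OIDCAuthenticatorConstants.IS_BASIC_AUTH_ENABLED,
                "Enable HTTP basic auth for client authentication", false,
                "Specifies that HTTP basic authentication should be used for client authentication, else client credentials will be included in the request body",
                TYPE_BOOLEAN, 10));
        // NOTE(review): shares displayOrder 10 with the basic-auth toggle above; confirm whether 11 was intended.
        properties.add(configProperty(IS_PKCE_ENABLED_NAME, IS_PKCE_ENABLED_DISPLAY_NAME, false,
                IS_PKCE_ENABLED_DESCRIPTION, TYPE_BOOLEAN, 10));

        return properties;
    }

    /**
     * Builds a single non-confidential configuration {@link Property}.
     *
     * @param name         the property key stored in the IdP configuration
     * @param displayName  the label shown in the UI
     * @param required     whether the UI must enforce a value
     * @param description  the help text shown in the UI
     * @param type         the UI input type ({@code "string"} or {@code TYPE_BOOLEAN})
     * @param displayOrder the position of the property in the form
     * @return the populated property
     */
    private static Property configProperty(String name, String displayName, boolean required,
                                           String description, String type, int displayOrder) {
        Property property = new Property();
        property.setName(name);
        property.setDisplayName(displayName);
        property.setRequired(required);
        property.setDescription(description);
        property.setType(type);
        property.setDisplayOrder(displayOrder);
        return property;
    }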

    /**
     * Reports that this authenticator can take part in API-based (non-browser) authentication.
     *
     * @return always {@code true}
     */
    public boolean isAPIBasedAuthenticationSupported() {
        final boolean supported = true;
        return supported;
    }

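    /**
     * Describes what an API-based client must supply to drive this authenticator.
     * <p>
     * When the IdP is flagged as a trusted token issuer the client is expected to post an
     * access token and an ID token directly (internal prompt); otherwise the client is sent
     * through the authorization-code redirect and must return the code and state.
     *
     * @param authenticationContext the current authentication context (must have an external IdP)
     * @return the populated {@link AuthenticatorData}, never empty
     */
    public Optional<AuthenticatorData> getAuthInitiationData(AuthenticationContext authenticationContext) {
        AuthenticatorData authenticatorData = new AuthenticatorData();
        authenticatorData.setName(getName());
        authenticatorData.setDisplayName(getFriendlyName());
        authenticatorData.setI18nKey(getI18nKey());
        authenticatorData.setIdp(authenticationContext.getExternalIdP().getIdPName());

        List<String> requiredParams = new ArrayList<>();
        boolean trustedTokenIssuer = isTrustedTokenIssuer(authenticationContext);
        if (trustedTokenIssuer) {
            requiredParams.add(OIDCAuthenticatorConstants.ACCESS_TOKEN_PARAM);
            requiredParams.add(OIDCAuthenticatorConstants.ID_TOKEN_PARAM);
            authenticatorData.setPromptType(FrameworkConstants.AuthenticatorPromptType.INTERNAL_PROMPT);
        } else {
            requiredParams.add(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE);
            requiredParams.add(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE);
            authenticatorData.setPromptType(FrameworkConstants.AuthenticatorPromptType.REDIRECTION_PROMPT);
        }
        // Same flag selects the matching additional-data shape (nonce/client_id/scope vs. redirect URL/state).
        authenticatorData.setAdditionalData(getAdditionalData(authenticationContext, trustedTokenIssuer));
        authenticatorData.setRequiredParams(requiredParams);

        Object message = authenticationContext.getProperty(AUTHENTICATOR_MESSAGE);
        if (message != null) {
            authenticatorData.setMessage((AuthenticatorMessage) message);
        }
        return Optional.of(authenticatorData);
    }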

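    /**
     * Builds the additional data an API-based client needs for the chosen flow.
     * <p>
     * For the trusted-token-issuer variant the client receives the nonce (only when one was
     * stored on the context), the client id and the scope string. For the redirect variant it
     * receives the authorization redirect URL and the state value, which the client must send
     * back unchanged so the response can be correlated with this context.
     *
     * @param authenticationContext the current authentication context
     * @param z                     {@code true} for the trusted-token-issuer variant,
     *                              {@code false} for the redirect variant
     * @return the populated additional data
     */
    private static AdditionalData getAdditionalData(AuthenticationContext authenticationContext, boolean z) {
        AdditionalData additionalData = new AdditionalData();
        Map<String, String> params = new HashMap<>();
        if (z) {
            String nonce = (String) authenticationContext.getProperty(OIDCAuthenticatorConstants.OIDC_FEDERATION_NONCE);
            if (StringUtils.isNotBlank(nonce)) {
                params.put(OIDCAuthenticatorConstants.Claim.NONCE, nonce);
            }
            params.put(OIDCAuthenticatorConstants.CLIENT_ID_PARAM,
                    (String) authenticationContext.getAuthenticatorProperties().get("ClientId"));
            params.put(OIDCAuthenticatorConstants.SCOPE,
                    (String) authenticationContext.getProperty("OpenIDConnectAuthenticator_scope_param"));
        } else {
            additionalData.setRedirectUrl(
                    (String) authenticationContext.getProperty("OpenIDConnectAuthenticator_redirect_url"));
            params.put(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE,
                    (String) authenticationContext.getProperty("OpenIDConnectAuthenticator_state_param"));
        }
        additionalData.setAdditionalAuthenticationParams(params);
        return additionalData;
    }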

    /**
     * Resolves the federated subject from the configured claim mappings.
     * <p>
     * Any failure in the framework lookup is treated as "no subject": it is logged at debug
     * level and {@code null} is returned rather than propagated.
     *
     * @param authenticationContext the current authentication context
     * @return the subject derived from the claim mappings, or {@code null} if the lookup failed
     */
    protected String getSubjectFromUserIDClaimURI(AuthenticationContext authenticationContext) {
        try {
            return FrameworkUtils.getFederatedSubjectFromClaims(authenticationContext, getClaimDialectURI());
        } catch (Exception e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Couldn't find the subject claim from claim mappings ", e);
            }
            return null;
        }
    }

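    /**
     * Resolves the subject from the ID token claims using the IdP's configured user-id claim URI.
     * <p>
     * The configured URI is first translated into the OIDC dialect: with the default local
     * dialect it is translated directly, otherwise the IdP's claim mappings are searched for
     * the mapping whose remote claim equals the configured URI and its local claim is
     * translated. The translated URI is then looked up in {@code map}; only a {@link String}
     * value is accepted as the subject.
     *
     * @param authenticationContext the current authentication context (must have an external IdP)
     * @param map                   the ID token claims, keyed by claim URI
     * @return the subject string, or {@code null} if no usable claim was found
     * @throws AuthenticationFailedException if the claim-metadata lookup fails
     */
    protected String getSubjectFromUserIDClaimURI(AuthenticationContext authenticationContext, Map<String, Object> map)
            throws AuthenticationFailedException {
        ExternalIdPConfig externalIdP = authenticationContext.getExternalIdP();
        boolean useDefaultLocalIdpDialect = externalIdP.useDefaultLocalIdpDialect();
        String userIdClaimUri = externalIdP.getUserIdClaimUri();
        String tenantDomain = authenticationContext.getTenantDomain();
        String idpName = externalIdP.getIdPName();
        try {
            String claimUriInOidcDialect = null;
            if (!useDefaultLocalIdpDialect) {
                ClaimMapping[] claimMappings = externalIdP.getClaimMappings();
                if (!ArrayUtils.isEmpty(claimMappings)) {
                    // First mapping whose remote claim is the configured user-id claim wins.
                    for (ClaimMapping claimMapping : claimMappings) {
                        String remoteClaimUri = claimMapping.getRemoteClaim().getClaimUri();
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Evaluating " + remoteClaimUri + " against " + userIdClaimUri);
                        }
                        if (StringUtils.equals(remoteClaimUri, userIdClaimUri)) {
                            claimUriInOidcDialect = getUserIdClaimUriInOIDCDialect(
                                    claimMapping.getLocalClaim().getClaimUri(), tenantDomain);
                            break;
                        }
                    }
                }
            } else if (StringUtils.isNotBlank(userIdClaimUri)) {
                claimUriInOidcDialect = getUserIdClaimUriInOIDCDialect(userIdClaimUri, tenantDomain);
            } else if (LOG.isDebugEnabled()) {
                LOG.debug("User ID Claim URI is not configured for IDP: " + idpName
                        + ". Cannot retrieve subject using user id claim URI.");
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("using userIdClaimUriInOIDCDialect to get subject from idTokenClaims: " + claimUriInOidcDialect);
            }
            // A null URI can never name a claim, and some Map implementations reject null keys.
            Object subject = claimUriInOidcDialect == null ? null : map.get(claimUriInOidcDialect);
            if (subject instanceof String) {
                return (String) subject;
            }
            if (subject != null) {
                LOG.warn("Unable to map subject claim (non-String type): " + subject);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Couldn't find the subject claim among id_token claims for IDP: " + idpName);
            }
            return null;
        } catch (ClaimMetadataException e) {
            setAuthenticatorMessageToContext(
                    OIDCErrorConstants.ErrorMessages.EXECUTING_CLAIM_TRANSFORMATION_FOR_IDP_FAILED, authenticationContext);
            throw new AuthenticationFailedException(
                    OIDCErrorConstants.ErrorMessages.EXECUTING_CLAIM_TRANSFORMATION_FOR_IDP_FAILED.getCode(),
                    String.format(OIDCErrorConstants.ErrorMessages.EXECUTING_CLAIM_TRANSFORMATION_FOR_IDP_FAILED.getMessage(),
                            idpName),
                    e);
        }
    }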

    /**
     * Translates a local claim URI into the corresponding OIDC-dialect claim URI.
     * <p>
     * All external claims of the OIDC dialect for the tenant are scanned; if several map to
     * the same local claim, the last one in iteration order is used.
     *
     * @param str  the local claim URI to translate (must not be {@code null})
     * @param str2 the tenant domain whose claim metadata is consulted
     * @return the OIDC-dialect claim URI, or {@code null} if no external claim maps to {@code str}
     * @throws ClaimMetadataException if the claim metadata service fails
     */
    private String getUserIdClaimUriInOIDCDialect(String str, String str2) throws ClaimMetadataException {
        List<ExternalClaim> oidcClaims = OpenIDConnectAuthenticatorDataHolder.getInstance()
                .getClaimMetadataManagementService().getExternalClaims(OIDC_DIALECT, str2);
        ExternalClaim match = null;
        for (ExternalClaim candidate : oidcClaims) {
            String mappedLocalClaim = candidate.getMappedLocalClaim();
            if (LOG.isDebugEnabled()) {
                LOG.debug("Evaluating " + str + " against " + mappedLocalClaim);
            }
            if (str.equals(mappedLocalClaim)) {
                match = candidate;
            }
        }
        if (match == null) {
            return null;
        }
        return match.getClaimURI();
    }

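    /**
     * Performs an HTTP GET against a claims (userinfo) endpoint with a bearer token.
     * <p>
     * The response body is read line by line and returned with a {@code "\n"} after every
     * line. The body is decoded as UTF-8 rather than the platform default charset. It is
     * only logged when debug logging is on and the platform allows logging of
     * {@code "UserIdToken"}; the bearer token itself is never logged here.
     *
     * @param str  the endpoint URL; {@code null} yields an empty string without any request
     * @param str2 the access token placed in the {@code Authorization: Bearer} header
     * @return the response body, or {@code ""} when {@code str} is {@code null}
     * @throws IOException if the connection cannot be opened or read (including non-success
     *                     HTTP statuses, which {@link HttpURLConnection#getInputStream()} reports)
     */
    protected String sendRequest(String str, String str2) throws IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Claim URL: " + str);
        }
        if (str == null) {
            return "";
        }
        // NOTE(review): no connect/read timeout is set here; confirm whether the platform
        // configures one globally, otherwise a stalled endpoint blocks the request thread.
        HttpURLConnection connection = (HttpURLConnection) new URL(str).openConnection();
        connection.setRequestMethod("GET");
        connection.setRequestProperty("Authorization", "Bearer " + str2);

        StringBuilder body = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(connection.getInputStream(), StandardCharsets.UTF_8))) {
            for (String line = reader.readLine(); line != null; line = reader.readLine()) {
                body.append(line).append("\n");
            }
        }
        String response = body.toString();
        if (LOG.isDebugEnabled() && IdentityUtil.isTokenLoggable("UserIdToken")) {
            LOG.debug("response: " + response);
        }
        return response;
    }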

    /**
     * Returns the component id used to tag diagnostic log entries of this authenticator.
     *
     * @return {@link OIDCAuthenticatorConstants.LogConstants#OUTBOUND_AUTH_OIDC_SERVICE}
     */
    protected String getComponentId() {
        String componentId = OIDCAuthenticatorConstants.LogConstants.OUTBOUND_AUTH_OIDC_SERVICE;
        return componentId;
    }

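    /**
     * Expands {@code ${name}} placeholders in a query-string template.
     * <p>
     * Placeholders are located with the class-level {@code pattern}; each one is replaced by
     * the first value of the matching entry in {@code map} (presumably the request parameter
     * map, so the substituted values are client-supplied), or by the empty string when the
     * entry is missing or empty. {@code $authparam{...}} placeholders are expanded first via
     * {@link #getQueryStringWithAuthenticatorParam}. Replacement is literal: neither the
     * placeholder name nor the value is interpreted as a regular expression.
     *
     * @param authenticationContext the current authentication context
     * @param str                   the query-string template
     * @param map                   name to values lookup for the placeholders
     * @return the expanded query string, or {@code null} if the template is blank
     */
    private String interpretQueryString(AuthenticationContext authenticationContext, String str, Map<String, String[]> map) {
        if (StringUtils.isBlank(str)) {
            return null;
        }
        if (str.contains(OIDCAuthenticatorConstants.AUTH_PARAM)) {
            str = getQueryStringWithAuthenticatorParam(authenticationContext, str);
        }
        // The matcher scans the template as it is at this point; later substitutions rebuild
        // `str` without affecting which placeholders are found.
        Matcher matcher = pattern.matcher(str);
        while (matcher.find()) {
            String name = matcher.group(1);
            String[] values = map.get(name);
            String value = (values != null && values.length > 0) ? values[0] : "";
            if (LOG.isDebugEnabled()) {
                LOG.debug("InterpretQueryString name: " + name + ", value: " + value);
            }
            str = str.replace("${" + name + "}", value);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Output QueryString: " + str);
        }
        return str;
    }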

    /**
     * Serialises a parameter map as {@code key=value&key=value}.
     * <p>
     * Values are URL-encoded as UTF-8; keys are appended as-is. An empty map yields the
     * empty string. A {@code null} value results in a {@link NullPointerException}.
     *
     * @param map the parameters to serialise, in the map's iteration order
     * @return the query string without a leading {@code ?} or trailing delimiter
     * @throws UnsupportedEncodingException never in practice (UTF-8 is always available)
     */
    private String getEvaluatedQueryString(Map<String, String> map) throws UnsupportedEncodingException {
        if (map.isEmpty()) {
            return "";
        }
        StringBuilder query = new StringBuilder();
        String charset = StandardCharsets.UTF_8.toString();
        for (Map.Entry<String, String> parameter : map.entrySet()) {
            String encodedValue = URLEncoder.encode(parameter.getValue().toString(), charset);
            query.append(parameter.getKey())
                    .append(OIDCAuthenticatorConstants.EQUAL_SIGN)
                    .append(encodedValue)
                    .append(OIDCAuthenticatorConstants.AMPERSAND_SIGN);
        }
        // Drop the delimiter appended after the last entry.
        query.setLength(query.length() - 1);
        return query.toString();
    }

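    /**
     * Expands {@code $authparam{name}} placeholders with the authenticator's runtime parameters.
     * <p>
     * Each placeholder is resolved independently: a parameter that is missing or empty is
     * replaced by the empty string and never by the value resolved for an earlier placeholder.
     * Replacement is literal, so neither the name nor the value is interpreted as a regular
     * expression.
     *
     * @param authenticationContext the context whose runtime parameters are consulted
     * @param str                   the query-string template
     * @return the template with every {@code $authparam{...}} placeholder replaced
     */
    private String getQueryStringWithAuthenticatorParam(AuthenticationContext authenticationContext, String str) {
        Matcher matcher = Pattern.compile(OIDCAuthenticatorConstants.DYNAMIC_AUTH_PARAMS_LOOKUP_REGEX).matcher(str);
        while (matcher.find()) {
            String name = matcher.group(1);
            String resolved = (String) getRuntimeParams(authenticationContext).get(name);
            String value = StringUtils.isNotEmpty(resolved) ? resolved : "";
            if (LOG.isDebugEnabled()) {
                LOG.debug("InterpretQueryString with authenticator param: " + name + ", value: " + value);
            }
            str = str.replace("$authparam{" + name + "}", value);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Output QueryString with Authenticator Params : " + str);
        }
        return str;
    }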

    /**
     * Reads the {@code redirect_uri} that was captured from the initial request.
     *
     * @param authenticationContext the context holding the stored query-parameter map
     * @return the stored redirect URI, or {@code null} if the map is absent, empty, or has no such key
     */
    private String getCallbackUrlFromInitialRequestParamMap(AuthenticationContext authenticationContext) {
        Map<?, ?> initialParams =
                (Map<?, ?>) authenticationContext.getProperty(OIDCAuthenticatorConstants.OIDC_QUERY_PARAM_MAP_PROPERTY_KEY);
        boolean present = MapUtils.isNotEmpty(initialParams)
                && initialParams.containsKey(OIDCAuthenticatorConstants.REDIRECT_URI);
        if (!present) {
            return null;
        }
        return (String) initialParams.get(OIDCAuthenticatorConstants.REDIRECT_URI);
    }

    /**
     * Drives the federated logout flow.
     * <p>
     * A request this authenticator can handle that carries no {@code type} parameter and
     * belongs to a configured IdP is treated as the IdP's logout response and completes the
     * flow. Anything else starts a new logout request and leaves the flow incomplete. An
     * {@link UnsupportedOperationException} from either step means logout is disabled or
     * unconfigured for the IdP, and the flow is completed without it.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @param authenticationContext the current authentication context
     * @return {@code SUCCESS_COMPLETED} or {@code INCOMPLETE}
     * @throws LogoutFailedException if the logout request or response handling fails
     */
    private AuthenticatorFlowStatus processLogout(HttpServletRequest httpServletRequest,
                                                  HttpServletResponse httpServletResponse,
                                                  AuthenticationContext authenticationContext)
            throws LogoutFailedException {
        try {
            boolean isLogoutResponse = canHandle(httpServletRequest)
                    && StringUtils.isEmpty(httpServletRequest.getParameter("type"))
                    && authenticationContext.getExternalIdP() != null
                    && authenticationContext.getExternalIdP().getIdentityProvider() != null;
            if (isLogoutResponse) {
                processLogoutResponse(httpServletRequest, httpServletResponse, authenticationContext);
                return AuthenticatorFlowStatus.SUCCESS_COMPLETED;
            }
            authenticationContext.setCurrentAuthenticator(getName());
            initiateLogoutRequest(httpServletRequest, httpServletResponse, authenticationContext);
            return AuthenticatorFlowStatus.INCOMPLETE;
        } catch (UnsupportedOperationException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Logout is disabled during social logout or logout url not defined in idp configuration. Skipping logout and ignoring UnsupportedOperationException.", e);
            }
            return AuthenticatorFlowStatus.SUCCESS_COMPLETED;
        }
    }

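    /**
     * Collects the application identifiers used in diagnostic logging.
     *
     * @param authenticationContext the current authentication context
     * @return a mutable map with {@code "app id"} and {@code "application name"} entries,
     *         each present only when the framework can resolve it
     */
    protected Map<String, String> getApplicationDetails(AuthenticationContext authenticationContext) {
        Map<String, String> details = new HashMap<>();
        FrameworkUtils.getApplicationResourceId(authenticationContext)
                .ifPresent(appId -> details.put("app id", appId));
        FrameworkUtils.getApplicationName(authenticationContext)
                .ifPresent(appName -> details.put("application name", appName));
        return details;
    }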

    /**
     * Extracts the value of the {@code scope} query parameter from a URL.
     * <p>
     * Only the first {@code scope} parameter is considered and its value is URL-decoded as
     * UTF-8. Splitting relies on {@code QUESTION_SIGN}, {@code AMPERSAND_SIGN} and
     * {@code EQUAL_SIGN} being usable as regular expressions (presumably they are; confirm
     * against the constants).
     *
     * @param str the URL to inspect
     * @return the decoded scope value, or {@code ""} when the URL is blank, has no query
     *         string, or has no {@code scope} parameter
     * @throws UnsupportedEncodingException never in practice (UTF-8 is always available)
     */
    protected String extractScopesFromURL(String str) throws UnsupportedEncodingException {
        if (StringUtils.isBlank(str)) {
            return "";
        }
        String[] urlAndQuery = str.split(OIDCAuthenticatorConstants.QUESTION_SIGN, 2);
        if (urlAndQuery.length != 2) {
            return "";
        }
        String[] parameters = urlAndQuery[1].split(OIDCAuthenticatorConstants.AMPERSAND_SIGN);
        for (String parameter : parameters) {
            String[] nameAndValue = parameter.split(OIDCAuthenticatorConstants.EQUAL_SIGN, 2);
            boolean isScope = nameAndValue.length == 2
                    && OIDCAuthenticatorConstants.SCOPE.equals(nameAndValue[0]);
            if (isScope) {
                return URLDecoder.decode(nameAndValue[1], "UTF-8");
            }
        }
        return "";
    }

    /**
     * Renders the user's attribute claim mappings as {@code "local : remote"} strings.
     *
     * @param authenticatedUser the user whose attribute mappings are listed
     * @return one entry per mapping, in the key-set iteration order of the user attributes
     */
    private static List<String> getUserAttributeClaimMappingList(AuthenticatedUser authenticatedUser) {
        List<String> rendered = new ArrayList<>();
        for (ClaimMapping mapping : authenticatedUser.getUserAttributes().keySet()) {
            String localUri = mapping.getLocalClaim().getClaimUri();
            String remoteUri = mapping.getRemoteClaim().getClaimUri();
            rendered.add(localUri + " : " + remoteUri);
        }
        return rendered;
    }

    /**
     * Checks whether the context's IdP is configured as a trusted token issuer.
     * <p>
     * The answer is the parsed boolean of the first IdP property named
     * {@code "isTrustedTokenIssuer"}; a missing IdP, provider or property means {@code false}.
     *
     * @param authenticationContext the current authentication context
     * @return {@code true} only when the property is present and parses as {@code true}
     */
    private boolean isTrustedTokenIssuer(AuthenticationContext authenticationContext) {
        ExternalIdPConfig externalIdP = authenticationContext.getExternalIdP();
        if (externalIdP == null) {
            return false;
        }
        IdentityProvider identityProvider = externalIdP.getIdentityProvider();
        if (identityProvider == null) {
            return false;
        }
        for (IdentityProviderProperty property : identityProvider.getIdpProperties()) {
            if (!"isTrustedTokenIssuer".equals(property.getName())) {
                continue;
            }
            return Boolean.parseBoolean(property.getValue());
        }
        return false;
    }

    /**
     * Detects a request in which the client posts tokens directly rather than an authorization code.
     *
     * @param httpServletRequest the current request
     * @return {@code true} when both the access-token and ID-token parameters are present
     */
    private boolean isNativeSDKBasedFederationCall(HttpServletRequest httpServletRequest) {
        boolean hasAccessToken =
                httpServletRequest.getParameter(OIDCAuthenticatorConstants.ACCESS_TOKEN_PARAM) != null;
        boolean hasIdToken =
                httpServletRequest.getParameter(OIDCAuthenticatorConstants.ID_TOKEN_PARAM) != null;
        return hasAccessToken && hasIdToken;
    }

    /**
     * Returns the name of the external IdP bound to the context.
     *
     * @param authenticationContext the current authentication context, may be {@code null}
     * @return the IdP name, or {@code ""} when the context, its IdP, or the IdP name is missing
     */
    private String getFederatedAuthenticatorName(AuthenticationContext authenticationContext) {
        ExternalIdPConfig externalIdP = authenticationContext == null ? null : authenticationContext.getExternalIdP();
        String idpName = externalIdP == null ? null : externalIdP.getIdPName();
        if (idpName != null) {
            return idpName;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Cannot resolve the authenticator name from the authentication context.");
        }
        return "";
    }

    /**
     * Generates a fresh PKCE code verifier.
     * <p>
     * 32 bytes from {@link SecureRandom} are base64url-encoded without padding, giving a
     * 43-character string drawn from the unreserved URL alphabet.
     *
     * @return a new, cryptographically random code verifier
     */
    private String generateCodeVerifier() {
        SecureRandom rng = new SecureRandom();
        byte[] entropy = new byte[32];
        rng.nextBytes(entropy);
        java.util.Base64.Encoder urlSafe = java.util.Base64.getUrlEncoder().withoutPadding();
        return urlSafe.encodeToString(entropy);
    }

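    /**
     * Derives the PKCE {@code S256} code challenge from a code verifier.
     * <p>
     * The challenge is {@code BASE64URL-no-padding(SHA-256(ASCII(verifier)))}. Verifiers
     * produced by {@link #generateCodeVerifier()} are already pure ASCII; any non-ASCII
     * character in another input would be replaced by the charset's substitution byte.
     *
     * @param str the code verifier
     * @return the base64url-encoded SHA-256 digest without padding
     * @throws AuthenticationFailedException if SHA-256 is unavailable in the runtime
     */
    private String generateCodeChallenge(String str) throws AuthenticationFailedException {
        try {
            byte[] verifierBytes = str.getBytes(StandardCharsets.US_ASCII);
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(verifierBytes);
            return java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new AuthenticationFailedException("Error while generating code challenge", e);
        }
    }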
}
