package org.wso2.carbon.identity.application.authenticator.oidc;

import com.nimbusds.jose.util.JSONObjectUtils;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.minidev.json.JSONArray;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.client.OAuthClient;
import org.apache.oltu.oauth2.client.URLConnectionClient;
import org.apache.oltu.oauth2.client.request.OAuthClientRequest;
import org.apache.oltu.oauth2.client.response.OAuthAuthzResponse;
import org.apache.oltu.oauth2.client.response.OAuthClientResponse;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.apache.oltu.oauth2.common.utils.JSONUtils;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.LogoutFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants;
import org.wso2.carbon.identity.application.authenticator.oidc.internal.OpenIDConnectAuthenticatorDataHolder;
import org.wso2.carbon.identity.application.authenticator.oidc.model.OIDCStateInfo;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException;
import org.wso2.carbon.identity.claim.metadata.mgt.model.ExternalClaim;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.class */
public class OpenIDConnectAuthenticator extends AbstractApplicationAuthenticator implements FederatedApplicationAuthenticator {
    // Serialization version of this authenticator (the framework base class is presumably Serializable).
    private static final long serialVersionUID = -4154255583070524018L;
    // Claim dialect reported by getClaimDialectURI(); claims from the IdP are mapped against it.
    private static final String OIDC_DIALECT = "http://wso2.org/oidc/claim";
    private static final Log log = LogFactory.getLog(OpenIDConnectAuthenticator.class);
    // Matches ${name} placeholders; presumably used by interpretQueryString (not in this view) to
    // substitute request parameters into the configured additional query string.
    private static final String DYNAMIC_PARAMETER_LOOKUP_REGEX = "\\$\\{(\\w+)\\}";
    // NOTE(review): not final, so it can be reassigned; a compiled Pattern itself is safe to share between threads.
    private static Pattern pattern = Pattern.compile(DYNAMIC_PARAMETER_LOOKUP_REGEX);

    /**
     * Handles the logout response from the service provider. Nothing is processed; the event is only logged.
     *
     * @param httpServletRequest    request carrying the {@code sp} and {@code tenantDomain} parameters that are logged
     * @param httpServletResponse   unused
     * @param authenticationContext unused
     */
    protected void processLogoutResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) {
        String serviceProvider = httpServletRequest.getParameter("sp");
        String tenantDomain = httpServletRequest.getParameter("tenantDomain");
        log.debug("Handled logout response from service provider " + serviceProvider + " in tenant domain " + tenantDomain);
    }

    /**
     * Decides whether this authenticator owns the incoming request: true when the second comma-separated
     * segment of the {@code state} parameter equals this authenticator's login type.
     *
     * @param httpServletRequest the inbound request
     * @return true if the request's state marks it as an OIDC login response
     */
    public boolean canHandle(HttpServletRequest httpServletRequest) {
        if (log.isTraceEnabled()) {
            log.trace("Inside OpenIDConnectAuthenticator.canHandle()");
        }
        String loginType = getLoginType(httpServletRequest);
        return OIDCAuthenticatorConstants.LOGIN_TYPE.equals(loginType);
    }

    /**
     * Extension point for subclasses that know the authorization endpoint without configuration.
     * The base implementation returns null, which makes getOIDCAuthzEndpoint fall back to the configured URL.
     *
     * @param map authenticator properties (unused here)
     * @return always null in the base class
     */
    protected String getAuthorizationServerEndpoint(Map<String, String> map) {
        return null;
    }

    /**
     * Returns the configured {@code callbackUrl}, or the server's commonauth URL when none is configured.
     *
     * @param map authenticator properties
     * @return the redirect URI to hand to the IdP
     */
    protected String getCallbackUrl(Map<String, String> map) {
        String configured = map.get("callbackUrl");
        if (StringUtils.isNotBlank(configured)) {
            return configured;
        }
        return IdentityUtil.getServerURL("commonauth", true, true);
    }

    /**
     * Returns the IdP's configured logout URL, or null if none is configured (logout is then not enabled).
     *
     * @param map authenticator properties
     * @return the configured OIDC logout URL or null
     */
    protected String getLogoutUrl(Map<String, String> map) {
        String logoutUrl = map.get(OIDCAuthenticatorConstants.IdPConfParams.OIDC_LOGOUT_URL);
        return logoutUrl;
    }

    /**
     * Returns the configured token endpoint URL.
     *
     * @param map authenticator properties
     * @return the token endpoint, or null if not configured
     */
    protected String getTokenEndpoint(Map<String, String> map) {
        String tokenUrl = map.get(OIDCAuthenticatorConstants.OAUTH2_TOKEN_URL);
        return tokenUrl;
    }

    /**
     * Hook allowing subclasses to transform the OAuth {@code state} value; the base class returns it unchanged.
     *
     * @param str the state computed by getStateParameter
     * @param map authenticator properties (unused here)
     * @return the state to send, unchanged in this implementation
     */
    protected String getState(String str, Map<String, String> map) {
        String state = str;
        return state;
    }

    /**
     * Returns the requested scope, defaulting to the standard OIDC scope when none was supplied.
     *
     * @param str scope taken from the additional query parameters, may be blank
     * @param map authenticator properties (unused here)
     * @return the scope to request
     */
    protected String getScope(String str, Map<String, String> map) {
        return StringUtils.isBlank(str) ? OIDCAuthenticatorConstants.OAUTH_OIDC_SCOPE : str;
    }

    /**
     * Whether the token response must carry an ID token. Always true here; subclasses for plain OAuth2
     * providers may override.
     *
     * @param map authenticator properties (unused here)
     * @return true
     */
    protected boolean requiredIDToken(Map<String, String> map) {
        boolean required = true;
        return required;
    }

    /**
     * Picks the authenticated user's identifier from the ID token claims: the {@code sub} claim.
     *
     * @param authenticationContext current context (unused here)
     * @param map                   decoded ID token claims
     * @param oAuthClientResponse   token response (unused here)
     * @return the {@code sub} claim value, or null if absent
     */
    protected String getAuthenticateUser(AuthenticationContext authenticationContext, Map<String, Object> map, OAuthClientResponse oAuthClientResponse) {
        Object subject = map.get(OIDCAuthenticatorConstants.Claim.SUB);
        return (String) subject;
    }

    /**
     * Legacy alias of {@link #getCallbackUrl(Map)} kept for subclasses that override the older name.
     *
     * @param map authenticator properties
     * @return the callback URL
     */
    protected String getCallBackURL(Map<String, String> map) {
        String callbackUrl = getCallbackUrl(map);
        return callbackUrl;
    }

    /**
     * Returns the administrator-configured additional query parameters ({@code commonAuthQueryParams}).
     *
     * @param map authenticator properties
     * @return the raw query string, or null if none is configured
     */
    protected String getQueryString(Map<String, String> map) {
        String queryParams = map.get("commonAuthQueryParams");
        return queryParams;
    }

    /**
     * Returns the configured userinfo endpoint URL.
     *
     * @param oAuthClientResponse token response (unused here; subclasses may derive the endpoint from it)
     * @param map                 authenticator properties
     * @return the {@code UserInfoUrl} property, or null if not configured
     */
    protected String getUserInfoEndpoint(OAuthClientResponse oAuthClientResponse, Map<String, String> map) {
        String userInfoUrl = map.get("UserInfoUrl");
        return userInfoUrl;
    }

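    /**
     * Fetches additional user claims from the userinfo endpoint using the access token from the token response.
     * Failures are best-effort: a transport error or an empty body yields an empty map rather than failing login.
     *
     * @param oAuthClientResponse token response carrying the access token
     * @param map                 authenticator properties (supplies the userinfo URL)
     * @return claim mappings keyed by the raw userinfo attribute name; empty if nothing could be fetched
     */
    protected Map<ClaimMapping, String> getSubjectAttributes(OAuthClientResponse oAuthClientResponse, Map<String, String> map) {
        Map<ClaimMapping, String> claims = new HashMap<>();
        // Must be initialised: the original left it unassigned on the IOException path (decompiler artefact).
        String json = null;
        try {
            json = sendRequest(getUserInfoEndpoint(oAuthClientResponse, map), oAuthClientResponse.getParam(OIDCAuthenticatorConstants.ACCESS_TOKEN));
        } catch (IOException e) {
            log.error("Communication error occurred while accessing user info endpoint", e);
        }
        if (StringUtils.isBlank(json)) {
            if (log.isDebugEnabled()) {
                log.debug("Empty JSON response from user info endpoint. Unable to fetch user claims. Proceeding without user claims");
            }
            return claims;
        }
        Map<String, Object> parsed = JSONUtils.parseJSON(json);
        for (Map.Entry<String, Object> entry : parsed.entrySet()) {
            String claimUri = entry.getKey();
            Object value = entry.getValue();
            if (value == null) {
                continue;
            }
            // Multi-valued attributes are joined with the configured multi-attribute separator.
            String claimValue = value instanceof Object[]
                    ? StringUtils.join((Object[]) value, FrameworkUtils.getMultiAttributeSeparator())
                    : value.toString();
            claims.put(ClaimMapping.build(claimUri, claimUri, (String) null, false), claimValue);
            // Claim values may be personal data; only log them when token logging is explicitly enabled.
            if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable("UserClaims")) {
                log.debug("Adding claims from end-point data mapping : " + claimUri + " - " + value.toString());
            }
        }
        return claims;
    }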

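    /**
     * Builds the OIDC authorization-code request and redirects the browser to the IdP's authorization endpoint.
     * The configured additional query string is appended verbatim; when it already carries {@code scope=} or
     * {@code redirect_uri=} those parameters are not added a second time.
     *
     * @param httpServletRequest    inbound request; its parameters feed the query-string placeholders and {@code domain}
     * @param httpServletResponse   response used for the redirect
     * @param authenticationContext current authentication context
     * @throws AuthenticationFailedException if the authenticator properties are missing, the request cannot be built,
     *                                       or the redirect fails
     */
    protected void initiateAuthenticationRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        try {
            Map<String, String> authenticatorProperties = authenticationContext.getAuthenticatorProperties();
            if (authenticatorProperties == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Error while retrieving properties. Authenticator Properties cannot be null");
                }
                throw new AuthenticationFailedException("Error while retrieving properties. Authenticator Properties cannot be null");
            }
            String clientId = authenticatorProperties.get("ClientId");
            String authzEndpoint = getOIDCAuthzEndpoint(authenticatorProperties);
            String callbackUrl = getCallbackUrl(authenticatorProperties);
            String state = getStateParameter(authenticationContext, authenticatorProperties);
            String queryString = interpretQueryString(getQueryString(authenticatorProperties), httpServletRequest.getParameterMap());
            Map<String, String> queryParams = new HashMap<>();
            if (StringUtils.isNotBlank(queryString)) {
                for (String pair : queryString.split("&")) {
                    // Limit of 2 keeps a value that itself contains '=' (e.g. an encoded redirect_uri) intact.
                    String[] keyValue = pair.split("=", 2);
                    if (keyValue.length >= 2) {
                        queryParams.put(keyValue[0], keyValue[1]);
                    }
                }
                authenticationContext.setProperty(OIDCAuthenticatorConstants.OIDC_QUERY_PARAM_MAP_PROPERTY_KEY, queryParams);
            }
            String locationUri = buildAuthzCodeRequest(authzEndpoint, clientId, callbackUrl, state, queryString, queryParams.get("scope"), authenticatorProperties).getLocationUri();
            String domain = httpServletRequest.getParameter("domain");
            if (StringUtils.isNotBlank(domain)) {
                // Request-supplied value: encode it so it cannot inject extra query parameters into the redirect.
                locationUri = locationUri + "&fidp=" + URLEncoder.encode(domain, StandardCharsets.UTF_8.name());
            }
            if (StringUtils.isNotBlank(queryString)) {
                locationUri = queryString.startsWith("&") ? locationUri + queryString : locationUri + "&" + queryString;
            }
            httpServletResponse.sendRedirect(locationUri);
        } catch (OAuthSystemException e) {
            log.error("Exception while building authorization code request", e);
            throw new AuthenticationFailedException(e.getMessage(), e);
        } catch (IOException e) {
            log.error("Exception while sending to the login page", e);
            throw new AuthenticationFailedException(e.getMessage(), e);
        }
    }

    /**
     * Builds the authorization request. {@code redirect_uri} and {@code scope} are omitted when the additional
     * query string already contains them (the caller appends that string verbatim); when only the redirect URI is
     * supplied externally the default OIDC scope is used, otherwise the scope resolved by getScope.
     *
     * @param authzEndpoint           authorization endpoint URL
     * @param clientId                client identifier
     * @param callbackUrl             redirect URI to send unless the query string supplies one
     * @param state                   state value
     * @param queryString             interpreted additional query string, may be blank
     * @param scopeFromQuery          {@code scope} value parsed from the query string, may be null
     * @param authenticatorProperties authenticator properties passed to getScope
     * @return the built request
     * @throws OAuthSystemException if the request cannot be built
     */
    private OAuthClientRequest buildAuthzCodeRequest(String authzEndpoint, String clientId, String callbackUrl, String state, String queryString, String scopeFromQuery, Map<String, String> authenticatorProperties) throws OAuthSystemException {
        String lowerQuery = StringUtils.isNotBlank(queryString) ? queryString.toLowerCase() : "";
        boolean scopeSupplied = lowerQuery.contains("scope=");
        boolean redirectUriSupplied = lowerQuery.contains("redirect_uri=");
        OAuthClientRequest.AuthenticationRequestBuilder builder = OAuthClientRequest.authorizationLocation(authzEndpoint)
                .setClientId(clientId)
                .setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE);
        if (!redirectUriSupplied) {
            builder.setRedirectURI(callbackUrl);
        }
        if (!scopeSupplied) {
            builder.setScope(redirectUriSupplied ? OIDCAuthenticatorConstants.OAUTH_OIDC_SCOPE : getScope(scopeFromQuery, authenticatorProperties));
        }
        return builder.setState(state).buildQueryMessage();
    }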

    /**
     * Composes the OAuth {@code state}: the context identifier and the login type, comma separated, then passed
     * through the getState hook. getContextIdentifier and getLoginType split this value again on the callback.
     *
     * @param authenticationContext current context
     * @param map                   authenticator properties
     * @return the state value to send
     */
    private String getStateParameter(AuthenticationContext authenticationContext, Map<String, String> map) {
        String rawState = authenticationContext.getContextIdentifier() + "," + OIDCAuthenticatorConstants.LOGIN_TYPE;
        return getState(rawState, map);
    }

    /**
     * Resolves the authorization endpoint: the subclass-provided one if non-blank, else the configured URL.
     *
     * @param map authenticator properties
     * @return the authorization endpoint URL, possibly null if neither source provides one
     */
    private String getOIDCAuthzEndpoint(Map<String, String> map) {
        String fromSubclass = getAuthorizationServerEndpoint(map);
        if (StringUtils.isNotBlank(fromSubclass)) {
            return fromSubclass;
        }
        return map.get(OIDCAuthenticatorConstants.OAUTH2_AUTHZ_URL);
    }

    /**
     * Handles the authorization-code callback: exchanges the code for tokens, decodes the ID token claims,
     * resolves the authenticated user and stores subject and attributes on the context.
     *
     * NOTE(review): the ID token is only decoded by getIdTokenClaims; no signature/issuer/audience check is
     * visible in this class. That relies on the token having been obtained directly from the token endpoint
     * over TLS rather than from the browser.
     *
     * @param httpServletRequest    callback request carrying the authorization code
     * @param httpServletResponse   unused
     * @param authenticationContext current context, updated with state info, access token and subject
     * @throws AuthenticationFailedException if the token exchange fails, the access token is blank, a required
     *                                       ID token is missing, or the user id cannot be determined
     */
    protected void processAuthenticationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        try {
            OAuthClient client = new OAuthClient(new URLConnectionClient());
            OAuthAuthzResponse authzResponse = OAuthAuthzResponse.oauthCodeAuthzResponse(httpServletRequest);
            OAuthClientResponse tokenResponse = getOauthResponse(client, getAccessTokenRequest(authenticationContext, authzResponse));
            String accessToken = tokenResponse.getParam(OIDCAuthenticatorConstants.ACCESS_TOKEN);
            if (StringUtils.isBlank(accessToken)) {
                throw new AuthenticationFailedException("Access token is empty or null");
            }
            String idToken = tokenResponse.getParam(OIDCAuthenticatorConstants.ID_TOKEN);
            Map<String, String> authenticatorProperties = authenticationContext.getAuthenticatorProperties();
            if (StringUtils.isBlank(idToken) && requiredIDToken(authenticatorProperties)) {
                throw new AuthenticationFailedException("Id token is required and is missing in OIDC response from token endpoint: " + getTokenEndpoint(authenticatorProperties) + " for clientId: " + authenticatorProperties.get("ClientId"));
            }
            OIDCStateInfo stateInfo = new OIDCStateInfo();
            stateInfo.setIdTokenHint(idToken);
            authenticationContext.setStateInfo(stateInfo);
            authenticationContext.setProperty(OIDCAuthenticatorConstants.ACCESS_TOKEN, accessToken);
            Map<ClaimMapping, String> userAttributes = new HashMap<>();
            AuthenticatedUser authenticatedUser;
            if (StringUtils.isNotBlank(idToken)) {
                Map<String, Object> idTokenClaims = getIdTokenClaims(authenticationContext, idToken);
                if (idTokenClaims == null) {
                    if (log.isDebugEnabled()) {
                        log.debug("Decoded json object is null");
                    }
                    throw new AuthenticationFailedException("Decoded json object is null");
                }
                // Claims may contain personal data; only logged when token logging is explicitly enabled.
                if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable("UserIdToken")) {
                    log.debug("Retrieved the User Information:" + idTokenClaims);
                }
                String userId = getAuthenticatedUserId(authenticationContext, tokenResponse, idTokenClaims);
                String separator = getMultiAttributeSeparator(authenticationContext, userId);
                for (Map.Entry<String, Object> claim : idTokenClaims.entrySet()) {
                    buildClaimMappings(userAttributes, claim, separator);
                }
                authenticatedUser = AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(userId);
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("The IdToken is null");
                }
                // Without an ID token there are no claims; the subject must come from the token response alone.
                Map<String, Object> noClaims = new HashMap<>();
                String userId = getAuthenticateUser(authenticationContext, noClaims, tokenResponse);
                authenticatedUser = AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(userId);
            }
            userAttributes.putAll(getSubjectAttributes(tokenResponse, authenticatorProperties));
            authenticatedUser.setUserAttributes(userAttributes);
            authenticationContext.setSubject(authenticatedUser);
        } catch (OAuthProblemException e) {
            throw new AuthenticationFailedException("Authentication process failed", authenticationContext.getSubject(), e);
        }
    }

    /**
     * Starts RP-initiated logout at the IdP when a logout URL is configured; otherwise defers to the base class.
     * The redirect carries {@code id_token_hint} (if known), {@code post_logout_redirect_uri} and {@code state}.
     *
     * @param httpServletRequest    inbound request
     * @param httpServletResponse   response used for the redirect
     * @param authenticationContext current context
     * @throws LogoutFailedException if the redirect cannot be sent
     */
    protected void initiateLogoutRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws LogoutFailedException {
        if (!isLogoutEnabled(authenticationContext)) {
            super.initiateLogoutRequest(httpServletRequest, httpServletResponse, authenticationContext);
            return;
        }
        Map<String, String> authenticatorProperties = authenticationContext.getAuthenticatorProperties();
        String logoutUrl = getLogoutUrl(authenticatorProperties);
        Map<String, String> logoutParams = new HashMap<>();
        String idTokenHint = getIdTokenHint(authenticationContext);
        if (StringUtils.isNotBlank(idTokenHint)) {
            logoutParams.put(OIDCAuthenticatorConstants.ID_TOKEN_HINT, idTokenHint);
        }
        logoutParams.put(OIDCAuthenticatorConstants.POST_LOGOUT_REDIRECT_URI, getCallbackUrl(authenticatorProperties));
        logoutParams.put(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE, getStateParameter(authenticationContext, authenticatorProperties));
        try {
            httpServletResponse.sendRedirect(FrameworkUtils.buildURLWithQueryParams(logoutUrl, logoutParams));
        } catch (IOException e) {
            throw new LogoutFailedException("Error occurred while initiating the logout request to IdP: " + authenticationContext.getExternalIdP().getName() + " of tenantDomain: " + authenticationContext.getTenantDomain(), e);
        }
    }

    /**
     * Logout is enabled exactly when a non-blank logout URL is configured for the IdP.
     *
     * @param authenticationContext current context
     * @return true if a logout URL is configured
     */
    private boolean isLogoutEnabled(AuthenticationContext authenticationContext) {
        String logoutUrl = getLogoutUrl(authenticationContext.getAuthenticatorProperties());
        return !StringUtils.isBlank(logoutUrl);
    }

    /**
     * Returns the ID token stored as state info during login, to be sent as {@code id_token_hint} at logout.
     *
     * @param authenticationContext current context
     * @return the id token hint, or null if the state info is absent or of another type
     */
    private String getIdTokenHint(AuthenticationContext authenticationContext) {
        Object stateInfo = authenticationContext.getStateInfo();
        if (!(stateInfo instanceof OIDCStateInfo)) {
            return null;
        }
        return ((OIDCStateInfo) stateInfo).getIdTokenHint();
    }

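    /**
     * Decodes the payload (second segment) of the ID token JWT into a claim map and records the raw token on the
     * context under {@code ID_TOKEN}.
     *
     * NOTE(review): this method only base64-decodes the payload; signature, issuer, audience and expiry are not
     * verified here. That is only acceptable because the token is obtained directly from the token endpoint over
     * TLS (OIDC Core 3.1.3.7.6); never pass a token that arrived through the browser to this method.
     *
     * @param authenticationContext current context
     * @param str                   the compact-serialised ID token
     * @return the claims as a mutable map; empty if the token has no payload segment or the payload is not valid JSON
     */
    private Map<String, Object> getIdTokenClaims(AuthenticationContext authenticationContext, String str) {
        authenticationContext.setProperty(OIDCAuthenticatorConstants.ID_TOKEN, str);
        Map<String, Object> claims = new HashMap<>();
        String[] segments = str.split("\\.");
        if (segments.length < 2) {
            // Guard the original's unchecked [1] access: a malformed token no longer throws ArrayIndexOutOfBounds.
            log.error("Error occurred while parsing JWT provided by federated IDP: token has no payload segment");
            return claims;
        }
        // commons-codec decodeBase64 accepts the URL-safe alphabet, so base64url JWT segments decode correctly.
        byte[] payload = Base64.decodeBase64(segments[1].getBytes(StandardCharsets.UTF_8));
        try {
            // JWT payloads are UTF-8 JSON (RFC 7519); do not depend on the platform default charset.
            claims.putAll(JSONObjectUtils.parseJSONObject(new String(payload, StandardCharsets.UTF_8)));
        } catch (ParseException e) {
            // Best effort, as before: the caller ends up with no claims and fails on the missing user id.
            log.error("Error occurred while parsing JWT provided by federated IDP: ", e);
        }
        return claims;
    }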

    /**
     * Looks up the tenant's {@code MultiAttributeSeparator} user-store property, defaulting the tenant to
     * {@code carbon.super} when the context has none.
     *
     * @param authenticationContext current context (supplies the tenant domain)
     * @param str                   the authenticated user id, used to build the failed-user on error
     * @return the separator, or null if the tenant realm could not be obtained
     * @throws AuthenticationFailedException if the user store cannot be queried
     */
    private String getMultiAttributeSeparator(AuthenticationContext authenticationContext, String str) throws AuthenticationFailedException {
        try {
            String tenantDomain = authenticationContext.getTenantDomain();
            if (StringUtils.isBlank(tenantDomain)) {
                tenantDomain = "carbon.super";
            }
            int tenantId = OpenIDConnectAuthenticatorDataHolder.getInstance().getRealmService().getTenantManager().getTenantId(tenantDomain);
            UserRealm realm = OpenIDConnectAuthenticatorDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
            if (realm == null) {
                return null;
            }
            String separator = realm.getUserStoreManager().getRealmConfiguration().getUserStoreProperty("MultiAttributeSeparator");
            if (log.isDebugEnabled()) {
                log.debug("For the claim mapping: " + separator + " is used as the attributeSeparator in tenant: " + tenantDomain);
            }
            return separator;
        } catch (UserStoreException e) {
            throw new AuthenticationFailedException("Error while retrieving multi attribute separator", AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(str), e);
        }
    }

    /**
     * Determines the authenticated user's identifier: from the configured user-id claim when
     * {@code IsUserIdInClaims} is set and the claim is present, otherwise from the {@code sub} claim.
     *
     * @param authenticationContext current context
     * @param oAuthClientResponse   token response
     * @param map                   decoded ID token claims
     * @return the user id, never null
     * @throws AuthenticationFailedException if no identifier can be found
     */
    private String getAuthenticatedUserId(AuthenticationContext authenticationContext, OAuthClientResponse oAuthClientResponse, Map<String, Object> map) throws AuthenticationFailedException {
        String userId;
        if (isUserIdFoundAmongClaims(authenticationContext)) {
            userId = getSubjectFromUserIDClaimURI(authenticationContext, map);
            if (StringUtils.isNotBlank(userId)) {
                if (log.isDebugEnabled()) {
                    log.debug("Authenticated user id: " + userId + " was found among id_token claims.");
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("Subject claim could not be found amongst id_token claims. Defaulting to the 'sub' attribute in id_token as authenticated user id.");
                }
                userId = getAuthenticateUser(authenticationContext, map, oAuthClientResponse);
            }
        } else {
            userId = getAuthenticateUser(authenticationContext, map, oAuthClientResponse);
            if (log.isDebugEnabled()) {
                log.debug("Authenticated user id: " + userId + " retrieved from the 'sub' claim.");
            }
        }
        if (userId == null) {
            throw new AuthenticationFailedException("Cannot find the userId from the id_token sent by the federated IDP.");
        }
        return userId;
    }

    /**
     * Reads the {@code IsUserIdInClaims} authenticator property; anything but "true" (case-insensitive) is false.
     *
     * @param authenticationContext current context
     * @return whether the user id should be taken from the configured user-id claim
     */
    private boolean isUserIdFoundAmongClaims(AuthenticationContext authenticationContext) {
        String flag = authenticationContext.getAuthenticatorProperties().get("IsUserIdInClaims");
        return Boolean.parseBoolean(flag);
    }

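    /**
     * Adds one ID token claim to the attribute map. Array claims are joined with the given separator
     * (default {@code ",,,"} when blank); a null value maps to the empty string.
     *
     * @param map   destination attribute map
     * @param entry claim name and value
     * @param str   multi-attribute separator, may be blank
     */
    protected void buildClaimMappings(Map<ClaimMapping, String> map, Map.Entry<String, Object> entry, String str) {
        String separator = StringUtils.isBlank(str) ? ",,," : str;
        Object value = entry.getValue();
        String claimValue;
        if (value instanceof JSONArray) {
            JSONArray values = (JSONArray) value;
            StringBuilder joined = new StringBuilder();
            for (int i = 0; i < values.size(); i++) {
                if (i > 0) {
                    joined.append(separator);
                }
                // String.valueOf is null-safe: a JSON null element no longer throws on toString().
                joined.append(String.valueOf(values.get(i)));
            }
            claimValue = joined.toString();
        } else {
            claimValue = value == null ? "" : value.toString();
        }
        map.put(ClaimMapping.build(entry.getKey(), entry.getKey(), (String) null, false), claimValue);
        // Claim values may be personal data; only logged when token logging is explicitly enabled.
        if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable("UserClaims")) {
            log.debug("Adding claim mapping : " + entry.getKey() + " <> " + entry.getKey() + " : " + claimValue);
        }
    }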

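    /**
     * Builds the authorization-code token request. Client credentials go either in an HTTP Basic header
     * ({@code IS_BASIC_AUTH_ENABLED}) or in the request body. The redirect URI is the one from the initial
     * request's query-parameter map when present, else the configured callback URL.
     *
     * NOTE(review): RFC 6749 §2.3.1 expects client id and secret to be form-url-encoded before Basic encoding;
     * this code sends them raw, which only matters for credentials containing reserved characters.
     *
     * @param authenticationContext current context
     * @param oAuthAuthzResponse    parsed callback carrying the authorization code
     * @return the token request with the Origin header set
     * @throws AuthenticationFailedException if the request cannot be built
     */
    protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext authenticationContext, OAuthAuthzResponse oAuthAuthzResponse) throws AuthenticationFailedException {
        Map<String, String> authenticatorProperties = authenticationContext.getAuthenticatorProperties();
        String clientId = authenticatorProperties.get("ClientId");
        // Secret: never include it in log output below.
        String clientSecret = authenticatorProperties.get("ClientSecret");
        String tokenEndpoint = getTokenEndpoint(authenticatorProperties);
        String redirectUri = getCallbackUrlFromInitialRequestParamMap(authenticationContext);
        if (StringUtils.isBlank(redirectUri)) {
            redirectUri = getCallbackUrl(authenticatorProperties);
        }
        try {
            OAuthClientRequest tokenRequest;
            if (Boolean.parseBoolean(authenticatorProperties.get(OIDCAuthenticatorConstants.IS_BASIC_AUTH_ENABLED))) {
                if (log.isDebugEnabled()) {
                    log.debug("Authenticating to token endpoint: " + tokenEndpoint + " with HTTP basic authentication scheme.");
                }
                tokenRequest = OAuthClientRequest.tokenLocation(tokenEndpoint)
                        .setGrantType(GrantType.AUTHORIZATION_CODE)
                        .setRedirectURI(redirectUri)
                        .setCode(oAuthAuthzResponse.getCode())
                        .buildBodyMessage();
                // Explicit charset: the original used the platform default for both getBytes and new String.
                byte[] credentials = (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8);
                tokenRequest.addHeader("Authorization", "Basic " + new String(Base64.encodeBase64(credentials), StandardCharsets.UTF_8));
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("Authenticating to token endpoint: " + tokenEndpoint + " including client credentials in request body.");
                }
                tokenRequest = OAuthClientRequest.tokenLocation(tokenEndpoint)
                        .setGrantType(GrantType.AUTHORIZATION_CODE)
                        .setClientId(clientId)
                        .setClientSecret(clientSecret)
                        .setRedirectURI(redirectUri)
                        .setCode(oAuthAuthzResponse.getCode())
                        .buildBodyMessage();
            }
            if (tokenRequest != null) {
                tokenRequest.addHeader(OIDCAuthenticatorConstants.HTTP_ORIGIN_HEADER, IdentityUtil.getServerURL("", false, false));
            }
            return tokenRequest;
        } catch (OAuthSystemException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while building access token request for token endpoint: " + tokenEndpoint, e);
            }
            throw new AuthenticationFailedException(e.getMessage(), e);
        }
    }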

    /**
     * Sends the token request and returns the IdP's response.
     *
     * @param oAuthClient        client used for the back-channel call
     * @param oAuthClientRequest the token request
     * @return the token response
     * @throws AuthenticationFailedException wrapping any OAuth system or protocol error
     */
    protected OAuthClientResponse getOauthResponse(OAuthClient oAuthClient, OAuthClientRequest oAuthClientRequest) throws AuthenticationFailedException {
        OAuthClientResponse response;
        try {
            response = oAuthClient.accessToken(oAuthClientRequest);
        } catch (OAuthSystemException | OAuthProblemException e) {
            if (log.isDebugEnabled()) {
                log.debug("Exception while requesting access token", e);
            }
            throw new AuthenticationFailedException(e.getMessage(), e);
        }
        return response;
    }

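    /**
     * Recovers the authentication context identifier from the first comma-separated segment of the
     * {@code state} callback parameter (see getStateParameter).
     *
     * @param httpServletRequest the callback request
     * @return the context identifier, or null if {@code state} is absent or consists only of separators
     */
    public String getContextIdentifier(HttpServletRequest httpServletRequest) {
        if (log.isDebugEnabled()) {
            log.debug("Inside OpenIDConnectAuthenticator.getContextIdentifier()");
        }
        String state = httpServletRequest.getParameter(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE);
        if (state == null) {
            return null;
        }
        // String.split drops trailing empty strings, so a state of "," yields an empty array;
        // the original's unchecked [0] threw ArrayIndexOutOfBoundsException on such a request.
        String[] segments = state.split(",");
        return segments.length > 0 ? segments[0] : null;
    }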

    /**
     * Extracts the login type: the second comma-separated segment of the {@code state} callback parameter.
     *
     * @param httpServletRequest the callback request
     * @return the login type, or null if {@code state} is absent or has no second segment
     */
    private String getLoginType(HttpServletRequest httpServletRequest) {
        String state = httpServletRequest.getParameter(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE);
        if (state == null) {
            return null;
        }
        String[] segments = state.split(",");
        return segments.length > 1 ? segments[1] : null;
    }

    /**
     * Human-readable authenticator name shown in the UI.
     *
     * @return {@code "openidconnect"}
     */
    public String getFriendlyName() {
        String friendlyName = "openidconnect";
        return friendlyName;
    }

    /**
     * Internal authenticator name used by the framework to look this authenticator up.
     *
     * @return the constant authenticator name
     */
    public String getName() {
        String name = OIDCAuthenticatorConstants.AUTHENTICATOR_NAME;
        return name;
    }

    /**
     * Claim dialect in which this authenticator's claims are expressed.
     *
     * @return the OIDC claim dialect URI
     */
    public String getClaimDialectURI() {
        String dialect = OIDC_DIALECT;
        return dialect;
    }

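    /**
     * Declares the configuration properties the admin UI renders for this authenticator, in display order.
     *
     * NOTE(review): {@code ClientSecret} is declared with the same plain "string" type as the other fields; if this
     * version of {@code Property} supports marking a field confidential, use it so the UI masks the value.
     *
     * @return a mutable list of the nine configuration properties
     */
    public List<Property> getConfigurationProperties() {
        List<Property> properties = new ArrayList<>();
        properties.add(newConfigProperty("ClientId", "Client Id", true,
                "Enter OAuth2/OpenID Connect client identifier value", "string", 1));
        properties.add(newConfigProperty("ClientSecret", "Client Secret", true,
                "Enter OAuth2/OpenID Connect client secret value", "string", 2));
        properties.add(newConfigProperty(OIDCAuthenticatorConstants.OAUTH2_AUTHZ_URL, "Authorization Endpoint URL", true,
                "Enter OAuth2/OpenID Connect authorization endpoint URL value", "string", 3));
        properties.add(newConfigProperty(OIDCAuthenticatorConstants.OAUTH2_TOKEN_URL, "Token Endpoint URL", true,
                "Enter OAuth2/OpenID Connect token endpoint URL value", "string", 4));
        properties.add(newConfigProperty("callbackUrl", "Callback Url", false,
                "Enter value corresponding to callback url", "string", 5));
        properties.add(newConfigProperty("UserInfoUrl", "Userinfo Endpoint URL", false,
                "Enter value corresponding to userinfo endpoint url", "string", 6));
        properties.add(newConfigProperty("IsUserIdInClaims", "OpenID Connect User ID Location", false,
                "Specifies the location to find the user identifier in the ID token assertion", "boolean", 7));
        properties.add(newConfigProperty("commonAuthQueryParams", "Additional Query Parameters", false,
                "Additional query parameters. e.g: paramName1=value1", "string", 8));
        properties.add(newConfigProperty(OIDCAuthenticatorConstants.IS_BASIC_AUTH_ENABLED, "Enable HTTP basic auth for client authentication", false,
                "Specifies that HTTP basic authentication should be used for client authentication, else client credentials will be included in the request body", "boolean", 9));
        return properties;
    }

    /**
     * Builds one configuration property; setters are invoked in the same order the original inline code used.
     *
     * @param name         property key read from the authenticator properties map
     * @param displayName  label shown in the UI
     * @param required     whether the UI requires a value
     * @param description  help text
     * @param type         UI input type ("string" or "boolean")
     * @param displayOrder position in the form
     * @return the populated property
     */
    private static Property newConfigProperty(String name, String displayName, boolean required, String description, String type, int displayOrder) {
        Property property = new Property();
        property.setName(name);
        property.setDisplayName(displayName);
        property.setRequired(required);
        property.setDescription(description);
        property.setType(type);
        property.setDisplayOrder(displayOrder);
        return property;
    }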

    /**
     * Resolves the federated subject from the context's claim mappings in this authenticator's dialect.
     * Any failure is logged at debug level and reported as null (the original deliberately catches Exception).
     *
     * @param authenticationContext current context
     * @return the subject, or null if it could not be resolved
     */
    protected String getSubjectFromUserIDClaimURI(AuthenticationContext authenticationContext) {
        try {
            return FrameworkUtils.getFederatedSubjectFromClaims(authenticationContext, getClaimDialectURI());
        } catch (Exception e) {
            if (log.isDebugEnabled()) {
                log.debug("Couldn't find the subject claim from claim mappings ", e);
            }
            return null;
        }
    }

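    /**
     * Resolves the federated subject from the id_token claims using the IdP's configured
     * "user id claim URI".
     *
     * <p>The configured claim URI is first translated into the OIDC dialect:
     * <ul>
     *   <li>when the IdP uses a custom dialect, the configured URI is matched against the
     *       remote side of each claim mapping and the matching local claim is translated;</li>
     *   <li>when the IdP uses the default local dialect, the configured URI is translated
     *       directly.</li>
     * </ul>
     * The translated URI is then looked up in {@code map}. Only a {@code String} value is
     * accepted as subject; any other non-null value is logged and ignored.
     *
     * @param authenticationContext the current authentication context (external IdP config, tenant)
     * @param map                   the id_token claims ({@code claim URI -> value})
     * @return the subject, or {@code null} when no usable subject claim is found
     * @throws AuthenticationFailedException when the claim metadata service fails during translation
     */
    protected String getSubjectFromUserIDClaimURI(AuthenticationContext authenticationContext, Map<String, Object> map) throws AuthenticationFailedException {
        boolean useDefaultLocalIdpDialect = authenticationContext.getExternalIdP().useDefaultLocalIdpDialect();
        String userIdClaimUri = authenticationContext.getExternalIdP().getUserIdClaimUri();
        String tenantDomain = authenticationContext.getTenantDomain();
        String idpName = authenticationContext.getExternalIdP().getIdPName();
        String userIdClaimUriInOIDCDialect = null;
        try {
            if (!useDefaultLocalIdpDialect) {
                // Custom dialect: locate the mapping whose remote claim is the configured user id
                // claim, then translate its local claim into the OIDC dialect (first match wins).
                ClaimMapping[] claimMappings = authenticationContext.getExternalIdP().getClaimMappings();
                if (!ArrayUtils.isEmpty(claimMappings)) {
                    for (ClaimMapping claimMapping : claimMappings) {
                        String remoteClaimUri = claimMapping.getRemoteClaim().getClaimUri();
                        if (log.isDebugEnabled()) {
                            log.debug("Evaluating " + remoteClaimUri + " against " + userIdClaimUri);
                        }
                        if (StringUtils.equals(remoteClaimUri, userIdClaimUri)) {
                            userIdClaimUriInOIDCDialect = getUserIdClaimUriInOIDCDialect(claimMapping.getLocalClaim().getClaimUri(), tenantDomain);
                            break;
                        }
                    }
                }
            } else if (StringUtils.isNotBlank(userIdClaimUri)) {
                // Default local dialect: the configured URI is already a local claim URI.
                userIdClaimUriInOIDCDialect = getUserIdClaimUriInOIDCDialect(userIdClaimUri, tenantDomain);
            } else if (log.isDebugEnabled()) {
                log.debug("User ID Claim URI is not configured for IDP: " + idpName + ". Cannot retrieve subject using user id claim URI.");
            }
        } catch (ClaimMetadataException e) {
            throw new AuthenticationFailedException("Error while executing claim transformation for IDP: " + idpName, e);
        }
        if (log.isDebugEnabled()) {
            log.debug("using userIdClaimUriInOIDCDialect to get subject from idTokenClaims: " + userIdClaimUriInOIDCDialect);
        }
        // No translated URI (or no claims at all) means no subject. Guarding here avoids calling
        // map.get(null), whose behaviour is implementation-defined (ConcurrentHashMap and the
        // immutable Map.of() implementations throw NullPointerException).
        if (userIdClaimUriInOIDCDialect == null || map == null) {
            if (log.isDebugEnabled()) {
                log.debug("Couldn't find the subject claim among id_token claims for IDP: " + idpName);
            }
            return null;
        }
        Object subject = map.get(userIdClaimUriInOIDCDialect);
        if (subject instanceof String) {
            return (String) subject;
        }
        if (subject != null) {
            // NOTE(review): this writes the raw claim value to the log; the value may carry PII.
            log.warn("Unable to map subject claim (non-String type): " + subject);
        }
        if (log.isDebugEnabled()) {
            log.debug("Couldn't find the subject claim among id_token claims for IDP: " + idpName);
        }
        return null;
    }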

    /**
     * Translates a local claim URI into the claim URI of the OIDC dialect for a tenant.
     *
     * <p>Scans the external claims registered under {@code OIDC_DIALECT} for the tenant and
     * returns the one whose mapped local claim equals {@code str}. The scan deliberately does
     * not stop at the first hit: if several OIDC claims map to the same local claim, the last
     * one returned by the claim metadata service wins.
     *
     * @param str  the local claim URI to translate
     * @param str2 the tenant domain whose claim metadata is consulted
     * @return the matching OIDC claim URI, or {@code null} when none maps to {@code str}
     * @throws ClaimMetadataException propagated from the claim metadata management service
     */
    private String getUserIdClaimUriInOIDCDialect(String str, String str2) throws ClaimMetadataException {
        String matchedOidcClaimUri = null;
        for (ExternalClaim candidate : OpenIDConnectAuthenticatorDataHolder.getInstance().getClaimMetadataManagementService().getExternalClaims(OIDC_DIALECT, str2)) {
            String mappedLocalClaim = candidate.getMappedLocalClaim();
            if (log.isDebugEnabled()) {
                log.debug("Evaluating " + str + " against " + mappedLocalClaim);
            }
            if (str.equals(mappedLocalClaim)) {
                // Keep overwriting so the last match is the one returned.
                matchedOidcClaimUri = candidate.getClaimURI();
            }
        }
        return matchedOidcClaimUri;
    }

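    /**
     * Performs an authenticated GET against the IdP endpoint {@code str} and returns the
     * response body.
     *
     * <p>The access token {@code str2} is sent as an RFC 6750 bearer token in the
     * {@code Authorization} header. Nothing here enforces that {@code str} is an {@code https}
     * URL: if the endpoint is configured with plain {@code http}, the token crosses the wire in
     * clear text, so the endpoint URL must be trusted configuration, never request input.
     * No connect/read timeout is set either, so a stalled IdP holds the calling thread;
     * consider {@code setConnectTimeout}/{@code setReadTimeout} if that matters in deployment.
     *
     * @param str  endpoint URL; {@code null} yields an empty string without any request being made
     * @param str2 bearer access token
     * @return the response body with every line terminated by {@code \n}; empty when {@code str} is null
     * @throws IOException on connection failure, or on an HTTP error status (surfaced by
     *         {@code HttpURLConnection.getInputStream()})
     */
    protected String sendRequest(String str, String str2) throws IOException {
        if (log.isDebugEnabled()) {
            log.debug("Claim URL: " + str);
        }
        if (str == null) {
            return "";
        }
        HttpURLConnection connection = (HttpURLConnection) new URL(str).openConnection();
        connection.setRequestMethod("GET");
        connection.setRequestProperty("Authorization", "Bearer " + str2);
        StringBuilder body = new StringBuilder();
        // Decode as UTF-8 explicitly (JSON is UTF-8 per RFC 8259) rather than with the platform
        // default charset. try-with-resources closes the reader, and with it the connection's
        // input stream, exactly once on every path -- including when close() itself throws.
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(connection.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                body.append(line).append('\n');
            }
        }
        String response = body.toString();
        // The response carries user claims; it is only logged when token logging is explicitly
        // enabled in the identity configuration, never by plain debug logging alone.
        if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable("UserIdToken")) {
            log.debug("response: " + response);
        }
        return response;
    }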

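    /**
     * Expands {@code ${name}} placeholders in an "additional query parameters" template with
     * values taken from the current request's parameter map.
     *
     * <p>For every placeholder located by the class-level {@code pattern}, the first value of
     * the request parameter of the same name (or an empty string when absent) is URL-encoded as
     * UTF-8 and substituted. The encoding is what keeps request-supplied values from injecting
     * additional {@code &}/{@code =} separators into the query string forwarded to the IdP.
     *
     * @param str the query-string template; may be {@code null} or blank
     * @param map the servlet request parameter map ({@code name -> values})
     * @return the expanded query string, or {@code null} when the template is blank
     */
    private String interpretQueryString(String str, Map<String, String[]> map) {
        if (StringUtils.isBlank(str)) {
            return null;
        }
        // The matcher is bound to the original template, so reassigning 'str' below does not
        // disturb the iteration.
        Matcher matcher = pattern.matcher(str);
        while (matcher.find()) {
            String paramName = matcher.group(1);
            String[] values = map.get(paramName);
            String value = "";
            if (values != null && values.length > 0) {
                value = values[0];
            }
            try {
                value = URLEncoder.encode(value, StandardCharsets.UTF_8.name());
            } catch (UnsupportedEncodingException e) {
                // UTF-8 is mandatory on every JVM, so this is effectively unreachable.
                log.error("Error while encoding the query param: " + paramName + " with value: " + value, e);
            }
            if (log.isDebugEnabled()) {
                // NOTE: this logs request-supplied parameter values; keep it debug-only.
                log.debug("InterpretQueryString name: " + paramName + ", value: " + value);
            }
            // The placeholder is a literal token, not a regular expression. A literal replace
            // (String.replace replaces every occurrence) means a name containing regex
            // metacharacters can neither throw PatternSyntaxException nor over-match.
            str = str.replace("${" + paramName + "}", value);
        }
        if (log.isDebugEnabled()) {
            log.debug("Output QueryString: " + str);
        }
        return str;
    }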

    /**
     * Returns the {@code redirect_uri} that was captured from the initial request and stored
     * in the context under {@code OIDC_QUERY_PARAM_MAP_PROPERTY_KEY}.
     *
     * <p>Whether that value has been validated against the registered callback URLs is not
     * visible here; callers that use it as a redirect target should not assume it has been.
     *
     * @param authenticationContext the current authentication context
     * @return the stored redirect URI, or {@code null} when the map is absent/empty or has no such key
     */
    private String getCallbackUrlFromInitialRequestParamMap(AuthenticationContext authenticationContext) {
        Map<?, ?> initialParams = (Map<?, ?>) authenticationContext.getProperty(OIDCAuthenticatorConstants.OIDC_QUERY_PARAM_MAP_PROPERTY_KEY);
        if (MapUtils.isEmpty(initialParams) || !initialParams.containsKey(OIDCAuthenticatorConstants.REDIRECT_URI)) {
            return null;
        }
        return (String) initialParams.get(OIDCAuthenticatorConstants.REDIRECT_URI);
    }
}
