package org.wso2.carbon.identity.oauth2.util;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Timestamp;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.regex.Pattern;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.io.Charsets;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.message.types.ResponseType;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.IdentityOAuthAdminException;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth.dao.OAuthConsumerDAO;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.ClientCredentialDO;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/util/OAuth2Util.class */
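/**
 * Static helpers shared by the OAuth 1.0a, OAuth 2.0 and OpenID Connect code paths: endpoint URL
 * resolution, per-thread request context, client authentication, scope normalisation, token
 * lifetime arithmetic, tenant / user-store lookups and PKCE (RFC 7636) validation.
 *
 * <p>Several methods here sit directly on the trust boundary (client secrets, access tokens and
 * PKCE verifiers arrive from the network), so they reject malformed input instead of throwing
 * unchecked exceptions, and they compare secret material with a timing-safe comparison.
 */
public class OAuth2Util {
    public static final String REMOTE_ACCESS_TOKEN = "REMOTE_ACCESS_TOKEN";
    public static final String JWT_ACCESS_TOKEN = "JWT_ACCESS_TOKEN";
    public static final String SCOPE = "scope";
    public static final String CLIENT_ID = "client_id";
    public static final String USERNAME = "username";
    public static final String TOKEN_TYPE = "token_type";
    public static final String NBF = "nbf";
    public static final String AUD = "aud";
    public static final String ISS = "iss";
    public static final String JTI = "jti";
    public static final String SUB = "sub";
    public static final String EXP = "exp";
    public static final String IAT = "iat";
    private static Log log = LogFactory.getLog(OAuth2Util.class);
    private static boolean cacheEnabled = OAuthServerConfiguration.getInstance().isCacheEnabled();
    private static OAuthCache cache = OAuthCache.getInstance();
    // Clock-skew allowance in milliseconds, captured once when the class is initialised.
    private static long timestampSkew = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
    // Per-thread request state. Each holder has a matching clear* method; callers should invoke it
    // (typically in a finally block) so a pooled worker thread does not carry one request's
    // context or tenant id into the next request it serves.
    private static ThreadLocal<Integer> clientTenatId = new ThreadLocal<>();
    private static ThreadLocal<OAuthTokenReqMessageContext> tokenRequestContext = new ThreadLocal<>();
    private static ThreadLocal<OAuthAuthzReqMessageContext> authzRequestContext = new ThreadLocal<>();
    // Character set of an RFC 7636 code_verifier; the 43..128 length bound is checked separately.
    private static Pattern pkceCodeVerifierPattern = Pattern.compile("[\\w\\-\\._~]+");

    /**
     * Resolves the externally visible endpoint and page URLs. Every getter returns the value
     * configured in {@link OAuthServerConfiguration} when it is non-blank and otherwise falls
     * back to a URL built by {@code IdentityUtil.getServerURL} from a fixed path.
     */
    public static class OAuthURL {

        /**
         * Returns {@code configuredUrl} unless it is blank, in which case the default is built.
         * The server URL is only computed when the fallback is actually needed.
         *
         * @param configuredUrl       value read from the server configuration, may be blank
         * @param endpoint            path handed to {@code IdentityUtil.getServerURL}
         * @param addProxyContextPath second argument of {@code getServerURL}, passed through
         * @param addWebContextRoot   third argument of {@code getServerURL}, passed through
         *                            (flag names follow that method's signature; confirm against
         *                            the IdentityUtil version in use)
         */
        private static String configuredOrDefault(String configuredUrl, String endpoint,
                boolean addProxyContextPath, boolean addWebContextRoot) {
            if (StringUtils.isBlank(configuredUrl)) {
                return IdentityUtil.getServerURL(endpoint, addProxyContextPath, addWebContextRoot);
            }
            return configuredUrl;
        }

        /** @return the OAuth 1.0a request-token endpoint URL. */
        public static String getOAuth1RequestTokenUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOAuth1RequestTokenUrl(),
                    "oauth/request-token", true, true);
        }

        /** @return the OAuth 1.0a authorize endpoint URL. */
        public static String getOAuth1AuthorizeUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOAuth1AuthorizeUrl(),
                    "oauth/authorize-url", true, true);
        }

        /** @return the OAuth 1.0a access-token endpoint URL. */
        public static String getOAuth1AccessTokenUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOAuth1AccessTokenUrl(),
                    "oauth/access-token", true, true);
        }

        /** @return the OAuth 2.0 authorization endpoint URL. */
        public static String getOAuth2AuthzEPUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOAuth2AuthzEPUrl(),
                    "oauth2/authorize", true, false);
        }

        /** @return the OAuth 2.0 token endpoint URL. */
        public static String getOAuth2TokenEPUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOAuth2TokenEPUrl(),
                    "oauth2/token", true, false);
        }

        /** @return the OpenID Connect UserInfo endpoint URL. */
        public static String getOAuth2UserInfoEPUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOauth2UserInfoEPUrl(),
                    "oauth2/userinfo", true, false);
        }

        /** @return the OpenID Connect consent page URL. */
        public static String getOIDCConsentPageUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOIDCConsentPageUrl(),
                    "/authenticationendpoint/oauth2_consent.do", false, false);
        }

        /** @return the OAuth 2.0 consent (authorization) page URL. */
        public static String getOAuth2ConsentPageUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOauth2ConsentPageUrl(),
                    "/authenticationendpoint/oauth2_authz.do", false, false);
        }

        /** @return the OAuth 2.0 error page URL. */
        public static String getOAuth2ErrorPageUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOauth2ErrorPageUrl(),
                    "/authenticationendpoint/oauth2_error.do", false, false);
        }
    }

    private OAuth2Util() {
        // Utility class; not instantiable.
    }

    /**
     * Compares two strings without returning early on the first differing byte, so the time
     * taken does not reveal how much of a secret an attacker has guessed correctly. The
     * comparison is done on the UTF-8 encoding of both values.
     *
     * @return {@code true} only when both values are non-null and equal
     */
    private static boolean constantTimeEquals(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                provided.getBytes(StandardCharsets.UTF_8));
    }

    /** @return the authorization request context bound to the current thread, or {@code null}. */
    public static OAuthAuthzReqMessageContext getAuthzRequestContext() {
        if (log.isDebugEnabled()) {
            log.debug("Retreived OAuthAuthzReqMessageContext from threadlocal");
        }
        return authzRequestContext.get();
    }

    /** Binds the authorization request context to the current thread. */
    public static void setAuthzRequestContext(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {
        authzRequestContext.set(oAuthAuthzReqMessageContext);
        if (log.isDebugEnabled()) {
            log.debug("Added OAuthAuthzReqMessageContext to threadlocal");
        }
    }

    /** Removes the authorization request context from the current thread. */
    public static void clearAuthzRequestContext() {
        authzRequestContext.remove();
        if (log.isDebugEnabled()) {
            log.debug("Cleared OAuthAuthzReqMessageContext");
        }
    }

    /** @return the token request context bound to the current thread, or {@code null}. */
    public static OAuthTokenReqMessageContext getTokenRequestContext() {
        if (log.isDebugEnabled()) {
            log.debug("Retreived OAuthTokenReqMessageContext from threadlocal");
        }
        return tokenRequestContext.get();
    }

    /** Binds the token request context to the current thread. */
    public static void setTokenRequestContext(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        tokenRequestContext.set(oAuthTokenReqMessageContext);
        if (log.isDebugEnabled()) {
            log.debug("Added OAuthTokenReqMessageContext to threadlocal");
        }
    }

    /** Removes the token request context from the current thread. */
    public static void clearTokenRequestContext() {
        tokenRequestContext.remove();
        if (log.isDebugEnabled()) {
            log.debug("Cleared OAuthTokenReqMessageContext");
        }
    }

    /** @return the tenant id bound to the current thread, or {@code -1} when none is set. */
    public static int getClientTenatId() {
        // Read the thread-local once so the null check and the value refer to the same object.
        Integer tenantId = clientTenatId.get();
        return tenantId == null ? -1 : tenantId;
    }

    /** Binds the client's tenant id to the current thread. */
    public static void setClientTenatId(int i) {
        clientTenatId.set(i);
    }

    /** Removes the tenant id from the current thread. */
    public static void clearClientTenantId() {
        clientTenatId.remove();
    }

    /**
     * Builds the canonical, space-separated scope string: entries are sorted, trimmed and joined
     * with a single space.
     *
     * <p>The array is sorted in place, so the caller's array is reordered as a side effect.
     *
     * @param strArr scopes; {@code null} yields {@code null}
     * @return the canonical scope string, or {@code null} for a {@code null} array
     */
    public static String buildScopeString(String[] strArr) {
        if (strArr == null) {
            return null;
        }
        StringBuilder scopeString = new StringBuilder("");
        Arrays.sort(strArr);
        for (int i = 0; i < strArr.length; i++) {
            scopeString.append(strArr[i].trim());
            if (i != strArr.length - 1) {
                scopeString.append(" ");
            }
        }
        return scopeString.toString();
    }

    /**
     * Splits a scope string on single whitespace characters.
     *
     * @param str scope string as received; blank or {@code null} yields an empty array
     * @return the individual scopes (consecutive whitespace produces empty entries)
     */
    public static String[] buildScopeArray(String str) {
        return StringUtils.isNotBlank(str) ? str.trim().split("\\s") : new String[0];
    }

    /**
     * Authenticates an OAuth client by comparing the presented secret with the issued one, read
     * from the cache when available and from the database otherwise.
     *
     * <p>The comparison is timing-safe; a {@code null} presented secret never authenticates.
     * On a successful database-backed authentication the secret is added to the cache, so the
     * cache holds client secrets in memory and should be treated as sensitive.
     *
     * @param clientId             client identifier presented by the caller
     * @param clientSecretProvided client secret presented by the caller
     * @return {@code true} when the client id is known and the secret matches
     */
    public static boolean authenticateClient(String clientId, String clientSecretProvided)
            throws IdentityOAuthAdminException, IdentityOAuth2Exception, InvalidOAuthClientException {
        boolean cacheHit = false;
        String clientSecret = null;

        if (cacheEnabled) {
            CacheEntry cacheResult = (CacheEntry) cache.getValueFromCache(new OAuthCacheKey(clientId));
            if (cacheResult instanceof ClientCredentialDO) {
                clientSecret = ((ClientCredentialDO) cacheResult).getClientSecret();
                cacheHit = true;
                if (log.isDebugEnabled()) {
                    log.debug("Client credentials were available in the cache for client id : " + clientId);
                }
            }
        }

        if (clientSecret == null) {
            clientSecret = new OAuthConsumerDAO().getOAuthConsumerSecret(clientId);
            if (log.isDebugEnabled()) {
                log.debug("Client credentials were fetched from the database.");
            }
        }

        if (clientSecret == null) {
            if (log.isDebugEnabled()) {
                log.debug("Provided Client ID : " + clientId + "is not valid.");
            }
            return false;
        }

        // Timing-safe comparison: String.equals stops at the first mismatching character, which
        // lets a remote caller learn the secret prefix by measuring response times.
        if (!constantTimeEquals(clientSecret, clientSecretProvided)) {
            if (log.isDebugEnabled()) {
                log.debug("Provided the Client ID : " + clientId
                        + " and Client Secret do not match with the issued credentials.");
            }
            return false;
        }

        if (log.isDebugEnabled()) {
            log.debug("Successfully authenticated the client with client id : " + clientId);
        }

        // Only populate the cache after a successful authentication that missed it.
        if (cacheEnabled && !cacheHit) {
            cache.addToCache(new OAuthCacheKey(clientId), new ClientCredentialDO(clientSecret));
            if (log.isDebugEnabled()) {
                log.debug("Client credentials were added to the cache for client id : " + clientId);
            }
        }
        return true;
    }

    /**
     * Authenticates the client and, on success, returns the username associated with it.
     *
     * @param clientId             client identifier presented by the caller
     * @param clientSecretProvided client secret presented by the caller
     * @return the username, or {@code null} when authentication fails or no username is found
     */
    public static String getAuthenticatedUsername(String clientId, String clientSecretProvided)
            throws IdentityOAuthAdminException, IdentityOAuth2Exception, InvalidOAuthClientException {
        boolean cacheHit = false;
        String username = null;
        boolean isUsernameCaseSensitive = IdentityUtil.isUserStoreInUsernameCaseSensitive((String) null);

        if (authenticateClient(clientId, clientSecretProvided)) {
            if (cacheEnabled) {
                // NOTE(review): username is still null here, so the lookup key is literally
                // "<clientId>:null". Entries are written below under "<clientId>:<username>", so
                // this lookup does not find them unless the username is the text "null". Left
                // unchanged because other code may share this key format; confirm and fix there.
                CacheEntry cacheResult =
                        (CacheEntry) cache.getValueFromCache(new OAuthCacheKey(clientId + ":" + username));
                if (cacheResult instanceof ClientCredentialDO) {
                    // The username is stored in the ClientCredentialDO "secret" slot (see below).
                    username = ((ClientCredentialDO) cacheResult).getClientSecret();
                    cacheHit = true;
                    if (log.isDebugEnabled()) {
                        log.debug("Username was available in the cache : " + username);
                    }
                }
            }

            if (username == null) {
                username = new OAuthConsumerDAO().getAuthenticatedUsername(clientId, clientSecretProvided);
                if (log.isDebugEnabled()) {
                    log.debug("Username fetch from the database");
                }
            }

            if (username != null && cacheEnabled && !cacheHit) {
                // Locale.ROOT keeps the cache key stable regardless of the JVM default locale
                // (e.g. the Turkish dotless-i mapping would otherwise change the key).
                String keyUsername = isUsernameCaseSensitive ? username : username.toLowerCase(Locale.ROOT);
                cache.addToCache(new OAuthCacheKey(clientId + ":" + keyUsername), new ClientCredentialDO(username));
                if (log.isDebugEnabled()) {
                    log.debug("Caching username : " + username);
                }
            }
        }
        return username;
    }

    /**
     * Builds the cache key for an authorization code.
     *
     * @return the two arguments joined as {@code str + ":" + str2}
     */
    public static String buildCacheKeyStringForAuthzCode(String str, String str2) {
        return str + ":" + str2;
    }

    /**
     * Checks whether a stored access token is still usable and, if so, rewrites its validity
     * period to the remaining lifetime and its issued time to "now".
     *
     * <p>The passed object is modified in place. The refresh-token check uses the server-wide
     * refresh validity period from configuration rather than a value stored on the token.
     *
     * @param accessTokenDO token to check; must not be {@code null}
     * @return the same (updated) object, or {@code null} when the access token or the refresh
     *         token has one second or less of lifetime left
     */
    public static AccessTokenDO validateAccessTokenDO(AccessTokenDO accessTokenDO) {
        long validityPeriodMillis = accessTokenDO.getValidityPeriodInMillis();
        long issuedTime = accessTokenDO.getIssuedTime().getTime();
        long currentTime = System.currentTimeMillis();
        long skewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;

        long accessTokenRemaining = (issuedTime + validityPeriodMillis) - (currentTime + skewMillis);
        if (accessTokenRemaining <= 1000) {
            return null;
        }

        // NOTE(review): the skew is added here but subtracted in the access-token check above
        // and in getRefreshTokenExpireTimeMillis; the effect is that the refresh-token window is
        // widened by the skew instead of narrowed. Kept as-is; confirm which sign is intended.
        long refreshValidityMillis =
                OAuthServerConfiguration.getInstance().getRefreshTokenValidityPeriodInSeconds() * 1000;
        if (((issuedTime + refreshValidityMillis) - currentTime) + skewMillis <= 1000) {
            return null;
        }

        accessTokenDO.setValidityPeriod(accessTokenRemaining / 1000);
        accessTokenDO.setValidityPeriodInMillis(accessTokenRemaining);
        accessTokenDO.setIssuedTime(new Timestamp(currentTime));
        return accessTokenDO;
    }

    /** @return whether access-token partitioning is enabled in the server configuration. */
    public static boolean checkAccessTokenPartitioningEnabled() {
        return OAuthServerConfiguration.getInstance().isAccessTokenPartitioningEnabled();
    }

    /** @return whether username assertion is enabled in the server configuration. */
    public static boolean checkUserNameAssertionEnabled() {
        return OAuthServerConfiguration.getInstance().isUserNameAssertionEnabled();
    }

    /** @return the raw partitioning-domain mapping string from the server configuration. */
    public static String getAccessTokenPartitioningDomains() {
        return OAuthServerConfiguration.getInstance().getAccessTokenPartitioningDomains();
    }

    /**
     * Parses the configured partitioning domains, a comma-separated list of {@code a:b} pairs,
     * into a case-insensitive map keyed by the second element of each pair.
     *
     * @return the mapping; empty when nothing is configured
     * @throws IdentityOAuth2Exception when an entry does not contain a {@code ':'} separator
     */
    public static Map<String, String> getAvailableUserStoreDomainMappings() throws IdentityOAuth2Exception {
        Map<String, String> domainMappings = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        String partitioningDomains = getAccessTokenPartitioningDomains();
        if (partitioningDomains != null) {
            for (String entry : partitioningDomains.split(",")) {
                String[] pair = entry.trim().split(":");
                if (pair.length < 2) {
                    throw new IdentityOAuth2Exception("Domain mapping has not defined correctly");
                }
                domainMappings.put(pair[1].trim(), pair[0].trim());
            }
        }
        return domainMappings;
    }

    /**
     * Extracts the user-store domain prefix from a {@code DOMAIN/user} identifier and translates
     * it through the configured domain mappings when a mapping exists.
     *
     * @param userId user identifier, may be {@code null}
     * @return the (possibly mapped) domain, or {@code null} when there is no {@code '/'} prefix
     */
    public static String getUserStoreDomainFromUserId(String userId) throws IdentityOAuth2Exception {
        if (userId == null) {
            return null;
        }
        String[] parts = userId.split("/");
        if (parts.length <= 1) {
            return null;
        }
        String domain = parts[0];
        // Parse the configuration once and reuse the result for both the check and the lookup.
        Map<String, String> domainMappings = getAvailableUserStoreDomainMappings();
        if (domainMappings != null && domainMappings.containsKey(domain)) {
            domain = domainMappings.get(domain);
        }
        return domain;
    }

    /**
     * Resolves the user-store domain for the user id embedded in an access token.
     *
     * @param accessToken Base64 token whose decoded form carries the user id after the first
     *                    {@code ':'}
     * @return the domain, or {@code null} when the token carries no usable user id
     */
    public static String getUserStoreDomainFromAccessToken(String accessToken) throws IdentityOAuth2Exception {
        return getUserStoreDomainFromUserId(getUserIdFromAccessToken(accessToken));
    }

    /**
     * Chooses the access-token table for a user id: the base table name, suffixed with
     * {@code "_" + mapping} when the user's domain prefix has a configured mapping.
     *
     * <p>Only values taken from the configured mapping are appended; the caller-supplied domain
     * text itself never reaches the table name. That property must be preserved, because table
     * names cannot be bound as SQL parameters.
     *
     * @param userId user identifier, may be {@code null}
     * @return the table name to query
     */
    public static String getAccessTokenStoreTableFromUserId(String userId) throws IdentityOAuth2Exception {
        String tableName = OAuthConstants.ACCESS_TOKEN_STORE_TABLE;
        if (userId == null) {
            return tableName;
        }
        String[] parts = userId.split("/");
        if (parts.length > 1) {
            String domain = parts[0];
            Map<String, String> domainMappings = getAvailableUserStoreDomainMappings();
            if (domainMappings != null && domainMappings.containsKey(domain)) {
                tableName = tableName + "_" + domainMappings.get(domain);
            }
        }
        return tableName;
    }

    /** Chooses the access-token table for the user id embedded in the given access token. */
    public static String getAccessTokenStoreTableFromAccessToken(String accessToken) throws IdentityOAuth2Exception {
        return getAccessTokenStoreTableFromUserId(getUserIdFromAccessToken(accessToken));
    }

    /**
     * Base64-decodes an access token and returns the segment after the first {@code ':'}.
     *
     * <p>The token comes from the request, so it may be absent or malformed: a {@code null}
     * token, or one whose decoded form has no second segment, yields {@code null} rather than an
     * unchecked exception.
     *
     * @param accessToken Base64-encoded token, may be {@code null}
     * @return the embedded user id, or {@code null} when none can be extracted
     */
    public static String getUserIdFromAccessToken(String accessToken) {
        if (accessToken == null) {
            return null;
        }
        String decoded = new String(Base64.decodeBase64(accessToken.getBytes(Charsets.UTF_8)), Charsets.UTF_8);
        String[] parts = decoded.split(":");
        return parts.length > 1 ? parts[1] : null;
    }

    /**
     * Computes the remaining lifetime of an access token, taking its refresh token into account.
     *
     * @param accessTokenDO token to inspect
     * @return {@code -1} for a token with negative (infinite) validity, {@code 0} when either
     *         the access token or the refresh token has one second or less left, otherwise the
     *         remaining access-token lifetime in milliseconds
     * @throws IllegalArgumentException when {@code accessTokenDO} is {@code null}
     */
    public static long getTokenExpireTimeMillis(AccessTokenDO accessTokenDO) {
        if (accessTokenDO == null) {
            throw new IllegalArgumentException("accessTokenDO is 'NULL'");
        }
        long validityPeriodMillis = accessTokenDO.getValidityPeriodInMillis();
        if (validityPeriodMillis < 0) {
            // The token value is a bearer credential and is deliberately kept out of the log.
            log.debug("Access Token has infinite lifetime");
            return -1L;
        }
        long refreshValidityMillis = accessTokenDO.getRefreshTokenValidityPeriodInMillis();
        long issuedTime = accessTokenDO.getIssuedTime().getTime();
        long currentTime = System.currentTimeMillis();
        long refreshIssuedTime = accessTokenDO.getRefreshTokenIssuedTime().getTime();
        long accessRemaining = (issuedTime + validityPeriodMillis) - (currentTime + timestampSkew);
        long refreshRemaining = (refreshIssuedTime + refreshValidityMillis) - (currentTime + timestampSkew);
        if (accessRemaining <= 1000 || refreshRemaining <= 1000) {
            return 0L;
        }
        return accessRemaining;
    }

    /**
     * Computes the remaining lifetime of the refresh token.
     *
     * @return {@code -1} for negative (infinite) validity, {@code 0} when one second or less is
     *         left, otherwise the remaining lifetime in milliseconds
     * @throws IllegalArgumentException when {@code accessTokenDO} is {@code null}
     */
    public static long getRefreshTokenExpireTimeMillis(AccessTokenDO accessTokenDO) {
        if (accessTokenDO == null) {
            throw new IllegalArgumentException("accessTokenDO is 'NULL'");
        }
        long refreshValidityMillis = accessTokenDO.getRefreshTokenValidityPeriodInMillis();
        if (refreshValidityMillis < 0) {
            log.debug("Refresh Token has infinite lifetime");
            return -1L;
        }
        long remaining = (accessTokenDO.getRefreshTokenIssuedTime().getTime() + refreshValidityMillis)
                - (System.currentTimeMillis() + timestampSkew);
        return remaining > 1000 ? remaining : 0L;
    }

    /**
     * Computes the remaining lifetime of the access token alone (the refresh token is ignored).
     *
     * @return {@code -1} for negative (infinite) validity, {@code 0} when one second or less is
     *         left, otherwise the remaining lifetime in milliseconds
     * @throws IllegalArgumentException when {@code accessTokenDO} is {@code null}
     */
    public static long getAccessTokenExpireMillis(AccessTokenDO accessTokenDO) {
        if (accessTokenDO == null) {
            throw new IllegalArgumentException("accessTokenDO is 'NULL'");
        }
        long validityPeriodMillis = accessTokenDO.getValidityPeriodInMillis();
        if (validityPeriodMillis < 0) {
            log.debug("Access Token has infinite lifetime");
            return -1L;
        }
        long remaining = (accessTokenDO.getIssuedTime().getTime() + validityPeriodMillis)
                - (System.currentTimeMillis() + timestampSkew);
        return remaining > 1000 ? remaining : 0L;
    }

    /**
     * Looks up the tenant id for a tenant domain.
     *
     * @throws IdentityOAuth2Exception wrapping the underlying user-store failure
     */
    public static int getTenantId(String tenantDomain) throws IdentityOAuth2Exception {
        try {
            return OAuthComponentServiceHolder.getInstance().getRealmService().getTenantManager()
                    .getTenantId(tenantDomain);
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception("Error in obtaining tenant ID from tenant domain : " + tenantDomain, e);
        }
    }

    /**
     * Looks up the tenant domain for a tenant id.
     *
     * @throws IdentityOAuth2Exception wrapping the underlying user-store failure
     */
    public static String getTenantDomain(int tenantId) throws IdentityOAuth2Exception {
        try {
            return OAuthComponentServiceHolder.getInstance().getRealmService().getTenantManager()
                    .getDomain(tenantId);
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception("Error in obtaining tenant domain from tenant ID : " + tenantId, e);
        }
    }

    /** Resolves the tenant id from the tenant domain carried in a username. */
    public static int getTenantIdFromUserName(String username) throws IdentityOAuth2Exception {
        return getTenantId(MultitenantUtils.getTenantDomain(username));
    }

    /**
     * Returns the MD5 hex digest of the canonical scope string for the given scopes.
     *
     * <p>MD5 only yields a fixed-length fingerprint here; it is not collision resistant and must
     * not be relied on as an integrity or authorization check. NOTE(review): presumably the
     * value is used as a lookup key; if it is persisted, changing the algorithm would invalidate
     * stored values, so it is left as-is.
     *
     * @param strArr scopes (sorted in place by {@link #buildScopeString}); {@code null} yields
     *               {@code null}, matching the {@code String} overload
     */
    public static String hashScopes(String[] strArr) {
        if (strArr == null) {
            return null;
        }
        return DigestUtils.md5Hex(buildScopeString(strArr));
    }

    /**
     * Returns the MD5 hex digest of the canonical form of a space-separated scope string; see
     * the array overload for the caveat on MD5.
     *
     * @param str scope string; {@code null} yields {@code null}
     */
    public static String hashScopes(String str) {
        if (str != null) {
            return DigestUtils.md5Hex(buildScopeString(buildScopeArray(str)));
        }
        return null;
    }

    /**
     * Builds an {@link AuthenticatedUser} from a fully qualified username, filling in the bare
     * username, the tenant domain and the upper-cased user-store domain.
     *
     * @throws IllegalArgumentException when the username is blank
     */
    public static AuthenticatedUser getUserFromUserName(String username) throws IllegalArgumentException {
        if (!StringUtils.isNotBlank(username)) {
            throw new IllegalArgumentException("Cannot create user from empty user name");
        }
        String tenantDomain = MultitenantUtils.getTenantDomain(username);
        String bareUsername = UserCoreUtil.removeDomainFromName(MultitenantUtils.getTenantAwareUsername(username));
        // Locale.ROOT: the domain is an identifier, so its upper-case form must not depend on
        // the JVM default locale.
        String userStoreDomain = IdentityUtil.extractDomainFromName(username).toUpperCase(Locale.ROOT);

        AuthenticatedUser user = new AuthenticatedUser();
        user.setUserName(bareUsername);
        user.setTenantDomain(tenantDomain);
        user.setUserStoreDomain(userStoreDomain);
        return user;
    }

    /**
     * Returns the issuer identifier placed in ID tokens: the configured value, or the token
     * endpoint URL when none is configured.
     *
     * <p>With the fallback in effect the issuer follows the server URL, so a hostname or proxy
     * change alters {@code iss} and relying parties that pin the issuer will reject new tokens.
     */
    public static String getIDTokenIssuer() {
        String issuer = OAuthServerConfiguration.getInstance().getOpenIDConnectIDTokenIssuerIdentifier();
        if (StringUtils.isBlank(issuer)) {
            issuer = OAuthURL.getOAuth2TokenEPUrl();
        }
        return issuer;
    }

    /** @return whether the scope set contains the OpenID Connect {@code openid} scope. */
    public static boolean isOIDCAuthzRequest(Set<String> set) {
        return set.contains(OAuthConstants.Scope.OPENID);
    }

    /** @return whether the scope array contains the OpenID Connect {@code openid} scope. */
    public static boolean isOIDCAuthzRequest(String[] strArr) {
        for (String scope : strArr) {
            // Constant on the left so a null array element is skipped instead of throwing.
            if (OAuthConstants.Scope.OPENID.equals(scope)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks a PKCE {@code code_verifier} against the RFC 7636 syntax: only unreserved
     * characters and a length of 43 to 128.
     *
     * @param codeVerifier value from the request; {@code null} is invalid
     */
    public static boolean validatePKCECodeVerifier(String codeVerifier) {
        if (codeVerifier == null) {
            return false;
        }
        return pkceCodeVerifierPattern.matcher(codeVerifier).matches()
                && codeVerifier.length() >= 43 && codeVerifier.length() <= 128;
    }

    /**
     * Checks the syntax of a PKCE {@code code_challenge} for the given method. With no method or
     * {@code plain}, the challenge must itself be a valid verifier; with {@code S256} it must be
     * 43 characters long after trimming. Any other method is rejected.
     *
     * @param codeChallenge   challenge from the authorization request, may be {@code null}
     * @param challengeMethod challenge method from the authorization request, may be {@code null}
     */
    public static boolean validatePKCECodeChallenge(String codeChallenge, String challengeMethod) {
        if (challengeMethod == null || OAuthConstants.OAUTH_PKCE_PLAIN_CHALLENGE.equals(challengeMethod)) {
            return validatePKCECodeVerifier(codeChallenge);
        }
        return OAuthConstants.OAUTH_PKCE_S256_CHALLENGE.equals(challengeMethod)
                && codeChallenge != null && codeChallenge.trim().length() == 43;
    }

    /**
     * Verifies a PKCE {@code code_verifier} against the challenge recorded for the authorization
     * code (RFC 7636, section 4.6).
     *
     * <p>Validation is skipped (returns {@code true}) when PKCE support is disabled, or when the
     * application does not mandate PKCE and no challenge was recorded. A blank challenge method
     * is treated as {@code plain}. The verifier and challenge are compared timing-safely, and a
     * missing recorded challenge fails the check instead of throwing.
     *
     * <p>NOTE(review): {@code challengeMethod} must be the method stored with the authorization
     * code, not a value taken from the token request, otherwise a caller could downgrade
     * {@code S256} to {@code plain}; confirm at the call site.
     *
     * @param referenceCodeChallenge challenge recorded at authorization time, may be {@code null}
     * @param codeVerifier           verifier presented at the token endpoint
     * @param challengeMethod        {@code plain}, {@code S256}, or blank for the default
     * @param oAuthAppDO             application settings (PKCE mandatory / plain allowed)
     * @return {@code true} when the verifier matches or validation is not required
     * @throws IdentityOAuth2Exception when the verifier is missing or malformed, or the method is
     *                                 unsupported or not allowed for the application
     */
    public static boolean doPKCEValidation(String referenceCodeChallenge, String codeVerifier,
            String challengeMethod, OAuthAppDO oAuthAppDO) throws IdentityOAuth2Exception {
        if (!isPKCESupportEnabled()) {
            return true;
        }
        if (!oAuthAppDO.isPkceMandatory() && referenceCodeChallenge == null) {
            return true;
        }
        if (challengeMethod == null || challengeMethod.trim().length() == 0) {
            challengeMethod = OAuthConstants.OAUTH_PKCE_PLAIN_CHALLENGE;
        }

        if (codeVerifier == null || codeVerifier.trim().length() == 0) {
            if (oAuthAppDO.isPkceMandatory()) {
                throw new IdentityOAuth2Exception(
                        "No PKCE code verifier found.PKCE is mandatory for this oAuth 2.0 application.");
            }
            if (referenceCodeChallenge == null || referenceCodeChallenge.trim().length() == 0) {
                return true;
            }
            throw new IdentityOAuth2Exception("Empty PKCE code_verifier sent. This authorization code "
                    + "requires a PKCE verification to obtain an access token.");
        }

        if (!validatePKCECodeVerifier(codeVerifier)) {
            throw new IdentityOAuth2Exception("Code verifier used is not up to RFC 7636 specifications.");
        }

        if (OAuthConstants.OAUTH_PKCE_PLAIN_CHALLENGE.equals(challengeMethod)) {
            if (!oAuthAppDO.isPkceSupportPlain()) {
                throw new IdentityOAuth2Exception(
                        "This application does not allow 'plain' transformation algorithm.");
            }
            // A missing recorded challenge (possible when PKCE is mandatory) now fails the
            // check rather than raising a NullPointerException.
            return constantTimeEquals(referenceCodeChallenge, codeVerifier);
        }

        if (!OAuthConstants.OAUTH_PKCE_S256_CHALLENGE.equals(challengeMethod)) {
            throw new IdentityOAuth2Exception(
                    "Invalid OAuth2 Token Response. Invalid PKCE Code Challenge Method '" + challengeMethod + "'");
        }

        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            String computedChallenge =
                    new String(Base64.encodeBase64URLSafe(digest), StandardCharsets.UTF_8).trim();
            return constantTimeEquals(computedChallenge, referenceCodeChallenge);
        } catch (NoSuchAlgorithmException e) {
            // Fail closed: without SHA-256 the verifier cannot be checked.
            if (log.isDebugEnabled()) {
                log.debug("Failed to create SHA256 Message Digest.");
            }
            return false;
        }
    }

    /** @return whether PKCE support is enabled for this server. */
    public static boolean isPKCESupportEnabled() {
        return OAuth2ServiceComponentHolder.isPkceEnabled();
    }

    /**
     * Reports whether a {@code response_type} value requests a token from the authorization
     * endpoint. The check is a substring match on the token and ID-token response type names.
     *
     * @param responseType raw {@code response_type} parameter; blank yields {@code false}
     */
    public static boolean isImplicitResponseType(String responseType) {
        if (StringUtils.isNotBlank(responseType)) {
            return responseType.contains(ResponseType.TOKEN.toString())
                    || responseType.contains(OAuthConstants.ID_TOKEN);
        }
        return false;
    }
}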
