package org.keycloak.protocol.oidc.grants.ciba.endpoints.request;

import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import java.io.InputStream;
import java.util.HashSet;
import org.keycloak.common.util.StreamUtil;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.CibaConfig;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.services.ErrorResponseException;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/ciba/endpoints/request/BackchannelAuthenticationEndpointRequestParserProcessor.class */
public class BackchannelAuthenticationEndpointRequestParserProcessor {
    public static BackchannelAuthenticationEndpointRequest parseRequest(EventBuilder eventBuilder, KeycloakSession keycloakSession, ClientModel clientModel, MultivaluedMap<String, String> multivaluedMap, CibaConfig cibaConfig) {
        try {
            BackchannelAuthenticationEndpointRequest backchannelAuthenticationEndpointRequest = new BackchannelAuthenticationEndpointRequest();
            BackchannelAuthenticationEndpointRequestBodyParser backchannelAuthenticationEndpointRequestBodyParser = new BackchannelAuthenticationEndpointRequestBodyParser(multivaluedMap);
            backchannelAuthenticationEndpointRequestBodyParser.parseRequest(backchannelAuthenticationEndpointRequest);
            if (backchannelAuthenticationEndpointRequestBodyParser.getInvalidRequestMessage() != null) {
                backchannelAuthenticationEndpointRequest.invalidRequestMessage = backchannelAuthenticationEndpointRequestBodyParser.getInvalidRequestMessage();
                return backchannelAuthenticationEndpointRequest;
            }
            String str = (String) multivaluedMap.getFirst("request");
            String str2 = (String) multivaluedMap.getFirst("request_uri");
            if (str != null && str2 != null) {
                throw new RuntimeException("Illegal to use both 'request' and 'request_uri' parameters together");
            }
            if (str != null) {
                new BackchannelAuthenticationEndpointSignedRequestParser(keycloakSession, str, clientModel, cibaConfig).parseRequest(backchannelAuthenticationEndpointRequest);
            } else if (str2 != null) {
                String verifyRedirectUri = RedirectUtils.verifyRedirectUri(keycloakSession, clientModel.getRootUrl(), str2, new HashSet(OIDCAdvancedConfigWrapper.fromClientModel(clientModel).getRequestUris()), false);
                if (verifyRedirectUri == null) {
                    throw new RuntimeException("Specified 'request_uri' not allowed for this client.");
                }
                InputStream inputStream = keycloakSession.getProvider(HttpClientProvider.class).get(verifyRedirectUri);
                try {
                    new BackchannelAuthenticationEndpointSignedRequestParser(keycloakSession, StreamUtil.readString(inputStream), clientModel, cibaConfig).parseRequest(backchannelAuthenticationEndpointRequest);
                    if (inputStream != null) {
                        inputStream.close();
                    }
                } finally {
                }
            }
            return backchannelAuthenticationEndpointRequest;
        } catch (Exception e) {
            throw new ErrorResponseException("invalid_request", e.getMessage(), Response.Status.BAD_REQUEST);
        }
    }
}
