package org.keycloak.protocol.oidc.tokenexchange;

import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.actiontoken.TokenUtils;
import org.keycloak.common.Profile;
import org.keycloak.common.util.CollectionUtil;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.TokenExchangeContext;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.encode.TokenContextEncoderProvider;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.util.AuthorizationContextUtil;
import org.keycloak.services.util.UserSessionUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/tokenexchange/StandardTokenExchangeProvider.class */
public class StandardTokenExchangeProvider extends AbstractTokenExchangeProvider {
    public boolean supports(TokenExchangeContext tokenExchangeContext) {
        if (((String) tokenExchangeContext.getFormParams().getFirst("requested_subject")) != null) {
            tokenExchangeContext.setUnsupportedReason("Parameter 'requested_subject' is not supported for standard token exchange");
            return false;
        }
        if (((String) tokenExchangeContext.getFormParams().getFirst("requested_issuer")) != null) {
            tokenExchangeContext.setUnsupportedReason("Parameter 'requested_issuer' is not supported for standard token exchange");
            return false;
        }
        if (((String) tokenExchangeContext.getFormParams().getFirst("subject_issuer")) != null) {
            tokenExchangeContext.setUnsupportedReason("Parameter 'subject_issuer' is not supported for standard token exchange");
            return false;
        }
        if (!OIDCAdvancedConfigWrapper.fromClientModel(tokenExchangeContext.getClient()).isStandardTokenExchangeEnabled()) {
            tokenExchangeContext.setUnsupportedReason("Standard token exchange is not enabled for the requested client");
            return false;
        }
        if (tokenExchangeContext.getParams().getSubjectToken() == null) {
            tokenExchangeContext.setUnsupportedReason("Parameter 'subject_token' required for standard token exchange");
            return false;
        }
        String subjectTokenType = tokenExchangeContext.getParams().getSubjectTokenType();
        if (subjectTokenType == null) {
            tokenExchangeContext.setUnsupportedReason("Parameter 'subject_token_type' required for standard token exchange");
            return false;
        }
        if (subjectTokenType.equals("urn:ietf:params:oauth:token-type:access_token")) {
            return true;
        }
        tokenExchangeContext.setUnsupportedReason("Parameter 'subject_token' supports access tokens only");
        return false;
    }

    @Override // org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider
    protected Response tokenExchange() {
        String subjectToken = this.context.getParams().getSubjectToken();
        this.event.detail("requested_token_type", this.context.getParams().getRequestedTokenType());
        AuthenticationManager.AuthResult verifyIdentityToken = AuthenticationManager.verifyIdentityToken(this.session, this.realm, this.session.getContext().getUri(), this.clientConnection, true, true, null, false, subjectToken, this.context.getHeaders(), new TokenVerifier.Predicate[0]);
        if (verifyIdentityToken == null) {
            this.event.detail("reason", "subject_token validation failure");
            this.event.error("invalid_token");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Invalid token", Response.Status.BAD_REQUEST);
        }
        UserModel user = verifyIdentityToken.getUser();
        UserSessionModel session = verifyIdentityToken.getSession();
        AccessToken token = verifyIdentityToken.getToken();
        this.event.user(user);
        this.event.detail("username", user.getUsername());
        if (session.getPersistenceState() != UserSessionModel.SessionPersistenceState.TRANSIENT) {
            this.event.session(session);
        }
        this.event.detail("subject_token_client_id", token.getIssuedFor());
        return exchangeClientToClient(user, session, token, true);
    }

    @Override // org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider
    protected void validateAudience(AccessToken accessToken, boolean z, List<ClientModel> list) {
        ClientModel clientByClientId = accessToken == null ? null : this.realm.getClientByClientId(accessToken.getIssuedFor());
        if (this.client.isPublicClient()) {
            this.event.detail("reason", "Public client is not allowed to exchange token");
            this.event.error("invalid_client");
            throw new CorsErrorResponseException(this.cors, "invalid_client", "Public client is not allowed to exchange token", Response.Status.BAD_REQUEST);
        }
        for (ClientModel clientModel : list) {
            if (!clientModel.isEnabled()) {
                this.event.detail("reason", "audience client disabled");
                this.event.detail("audience", clientModel.getClientId());
                this.event.error("client_disabled");
                throw new CorsErrorResponseException(this.cors, "invalid_client", "Client disabled", Response.Status.BAD_REQUEST);
            }
        }
        if (this.client.equals(clientByClientId)) {
            return;
        }
        forbiddenIfClientIsNotWithinTokenAudience(accessToken);
    }

    protected void validateConsents(UserModel userModel, ClientSessionContext clientSessionContext) {
        if (TokenManager.verifyConsentStillAvailable(this.session, userModel, this.client, clientSessionContext.getClientScopesStream())) {
            return;
        }
        this.event.detail("reason", "Missing consents for Token Exchange in client " + this.client.getClientId());
        this.event.error("consent_denied");
        throw new CorsErrorResponseException(this.cors, "invalid_scope", "Missing consents for Token Exchange in client " + this.client.getClientId(), Response.Status.BAD_REQUEST);
    }

    @Override // org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider
    protected String getRequestedScope(AccessToken accessToken, List<ClientModel> list) {
        boolean isValidScope;
        String str = (String) this.formParams.getFirst("scope");
        if (Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES)) {
            isValidScope = TokenManager.isValidScope(this.session, str, AuthorizationContextUtil.getAuthorizationRequestContextFromScopes(this.session, str), this.client, null);
        } else {
            isValidScope = TokenManager.isValidScope(this.session, str, this.client, null);
        }
        if (isValidScope) {
            return str;
        }
        String str2 = "Invalid scopes: " + str;
        this.event.detail("reason", str2);
        this.event.error("invalid_request");
        throw new CorsErrorResponseException(this.cors, "invalid_scope", str2, Response.Status.BAD_REQUEST);
    }

    @Override // org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider
    protected void setClientToContext(List<ClientModel> list) {
        this.session.getContext().setClient(this.client);
    }

    @Override // org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider
    protected Response exchangeClientToOIDCClient(UserModel userModel, UserSessionModel userSessionModel, String str, List<ClientModel> list, String str2, AccessToken accessToken) {
        AccessTokenResponse build;
        ClientModel clientByClientId;
        AuthenticatedClientSessionModel authenticatedClientSessionByClient;
        AuthenticationSessionModel createSessionModel = createSessionModel(userSessionModel, new AuthenticationSessionManager(this.session).createAuthenticationSession(this.realm, false), userModel, this.client, str2);
        boolean isOffline = userSessionModel.isOffline();
        if (userSessionModel.getPersistenceState() == UserSessionModel.SessionPersistenceState.TRANSIENT || isOffline) {
            if ("urn:ietf:params:oauth:token-type:refresh_token".equals(str)) {
                this.event.detail("reason", "Refresh token not valid as requested_token_type because creating a new session is needed");
                this.event.error("invalid_request");
                throw new CorsErrorResponseException(this.cors, "invalid_request", "Refresh token not valid as requested_token_type because creating a new session is needed", Response.Status.BAD_REQUEST);
            }
            if (isOffline) {
                userSessionModel = UserSessionUtil.createTransientUserSession(this.session, userSessionModel);
            }
        }
        boolean z = userSessionModel.getPersistenceState() != UserSessionModel.SessionPersistenceState.TRANSIENT && userSessionModel.getAuthenticatedClientSessionByClient(this.client.getId()) == null;
        try {
            ClientSessionContext attachAuthenticationSession = TokenManager.attachAuthenticationSession(this.session, userSessionModel, createSessionModel, !"urn:ietf:params:oauth:token-type:refresh_token".equals(str));
            if (str.equals("urn:ietf:params:oauth:token-type:refresh_token") && attachAuthenticationSession.getClientScopesStream().filter(clientScopeModel -> {
                return "offline_access".equals(clientScopeModel.getName());
            }).findAny().isPresent()) {
                this.event.detail("reason", "Scope offline_access not allowed for token exchange");
                this.event.error("invalid_request");
                throw new CorsErrorResponseException(this.cors, "invalid_request", "Scope offline_access not allowed for token exchange", Response.Status.BAD_REQUEST);
            }
            updateUserSessionFromClientAuth(userSessionModel);
            if (this.params.getAudience() != null && !list.isEmpty()) {
                attachAuthenticationSession.setAttribute("req-aud-clients", list.toArray(i -> {
                    return new ClientModel[i];
                }));
            }
            validateConsents(userModel, attachAuthenticationSession);
            attachAuthenticationSession.setAttribute("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange");
            if ("urn:ietf:params:oauth:grant-type:token-exchange".equals(((TokenContextEncoderProvider) this.session.getProvider(TokenContextEncoderProvider.class)).getTokenContextFromTokenId(accessToken.getId()).getGrantType()) && (clientByClientId = this.session.clients().getClientByClientId(this.realm, accessToken.getIssuedFor())) != null && (authenticatedClientSessionByClient = userSessionModel.getAuthenticatedClientSessionByClient(clientByClientId.getId())) != null) {
                authenticatedClientSessionByClient.getNotes().entrySet().stream().filter(entry -> {
                    return ((String) entry.getKey()).startsWith("token_exchange_subject_client");
                }).forEach(entry2 -> {
                    attachAuthenticationSession.getClientSession().setNote((String) entry2.getKey(), (String) entry2.getValue());
                });
            }
            attachAuthenticationSession.getClientSession().setNote("token_exchange_subject_client" + accessToken.getIssuedFor(), accessToken.getId());
            TokenManager.AccessTokenResponseBuilder generateAccessToken = this.tokenManager.responseBuilder(this.realm, this.client, this.event, this.session, attachAuthenticationSession.getClientSession().getUserSession(), attachAuthenticationSession).generateAccessToken();
            checkRequestedAudiences(generateAccessToken);
            if (userSessionModel.getPersistenceState() == UserSessionModel.SessionPersistenceState.TRANSIENT && !isOffline) {
                generateAccessToken.getAccessToken().setSessionId((String) null);
                this.event.session((String) null);
            }
            if ("urn:ietf:params:oauth:token-type:refresh_token".equals(str)) {
                generateAccessToken.generateRefreshToken();
            }
            if ("urn:ietf:params:oauth:token-type:id_token".equals(str)) {
                build = generateAccessToken.generateIDToken().build();
                build.setToken(build.getIdToken());
                build.setIdToken((String) null);
                build.setTokenType("N_A");
            } else {
                if (TokenUtil.isOIDCRequest(this.params.getScope())) {
                    generateAccessToken.generateIDToken().generateAccessTokenHash();
                }
                build = generateAccessToken.build();
            }
            build.setOtherClaims("issued_token_type", str);
            if (generateAccessToken.getAccessToken().getAudience() != null) {
                this.event.detail("audience", CollectionUtil.join(List.of((Object[]) generateAccessToken.getAccessToken().getAudience()), " "));
            }
            this.event.success();
            return this.cors.add(Response.ok(build, MediaType.APPLICATION_JSON_TYPE));
        } catch (RuntimeException e) {
            if (z) {
                userSessionModel.removeAuthenticatedClientSessions(Set.of(this.client.getId()));
            }
            throw e;
        }
    }

    @Override // org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider
    protected Response exchangeClientToSAML2Client(UserModel userModel, UserSessionModel userSessionModel, String str, List<ClientModel> list) {
        this.event.detail("reason", "requested_token_type unsupported");
        this.event.error("invalid_request");
        throw new CorsErrorResponseException(this.cors, "invalid_request", "requested_token_type unsupported", Response.Status.BAD_REQUEST);
    }

    protected void checkRequestedAudiences(TokenManager.AccessTokenResponseBuilder accessTokenResponseBuilder) {
        Set<String> checkRequestedAudiences = TokenUtils.checkRequestedAudiences(accessTokenResponseBuilder.getAccessToken(), this.params.getAudience());
        if (checkRequestedAudiences.isEmpty()) {
            return;
        }
        String join = CollectionUtil.join(checkRequestedAudiences);
        this.event.detail("reason", "Requested audience not available: " + join);
        this.event.error("invalid_request");
        throw new CorsErrorResponseException(this.cors, "invalid_request", "Requested audience not available: " + join, Response.Status.BAD_REQUEST);
    }

    @Override // org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider
    protected List<String> getSupportedOAuthResponseTokenTypes() {
        return Arrays.asList("urn:ietf:params:oauth:token-type:access_token", "urn:ietf:params:oauth:token-type:id_token", "urn:ietf:params:oauth:token-type:refresh_token");
    }

    @Override // org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider
    protected String getRequestedTokenType() {
        String requestedTokenType = this.params.getRequestedTokenType();
        if (requestedTokenType == null) {
            return "urn:ietf:params:oauth:token-type:access_token";
        }
        if (requestedTokenType.equals("urn:ietf:params:oauth:token-type:access_token") || requestedTokenType.equals("urn:ietf:params:oauth:token-type:id_token") || requestedTokenType.equals("urn:ietf:params:oauth:token-type:saml2")) {
            return requestedTokenType;
        }
        OIDCAdvancedConfigWrapper fromClientModel = OIDCAdvancedConfigWrapper.fromClientModel(this.client);
        if (requestedTokenType.equals("urn:ietf:params:oauth:token-type:refresh_token") && fromClientModel.isUseRefreshToken() && fromClientModel.getStandardTokenExchangeRefreshEnabled() != OIDCAdvancedConfigWrapper.TokenExchangeRefreshTokenEnabled.NO) {
            return requestedTokenType;
        }
        this.event.detail("reason", "requested_token_type unsupported");
        this.event.error("invalid_request");
        throw new CorsErrorResponseException(this.cors, "invalid_request", "requested_token_type unsupported", Response.Status.BAD_REQUEST);
    }
}
