package org.keycloak.broker.oidc;

import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.util.Iterator;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.events.EventBuilder;
import org.keycloak.headers.SecurityHeadersProvider;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.representations.adapters.action.AdminAction;
import org.keycloak.representations.adapters.action.LogoutAction;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.class */
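/**
 * OIDC identity provider used when the remote identity provider is another Keycloak server.
 *
 * <p>On top of the generic {@link OIDCIdentityProvider} it (1) forces the access token to be
 * treated as a JWT (see the constructor), (2) exposes a {@code k_logout} back-channel logout
 * resource on its callback endpoint, and (3) accepts {@code subject_token} external-to-internal
 * token exchange requests.
 *
 * <p>Note: {@code m150getConfig()} is the name the decompiler gave to the provider's config
 * accessor; it is kept here because that is the symbol this listing compiles against.
 */
public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {

    /**
     * Callback endpoint that adds the {@code k_logout} resource to the standard OIDC endpoint.
     *
     * <p>The endpoint is a static nested class so it holds no hidden reference to the provider
     * other than the explicit {@link #provider} field.
     */
    protected static class KeycloakEndpoint extends OIDCIdentityProvider.OIDCEndpoint {
        /** Provider whose keys verify incoming logout requests and whose config supplies alias/client id. */
        private final KeycloakOIDCIdentityProvider provider;

        /**
         * @param authenticationCallback       callback handed to the base endpoint
         * @param realmModel                   realm the endpoint serves
         * @param eventBuilder                 event builder handed to the base endpoint
         * @param keycloakOIDCIdentityProvider provider this endpoint belongs to
         */
        public KeycloakEndpoint(IdentityProvider.AuthenticationCallback authenticationCallback, RealmModel realmModel, EventBuilder eventBuilder, KeycloakOIDCIdentityProvider keycloakOIDCIdentityProvider) {
            super(authenticationCallback, realmModel, eventBuilder, keycloakOIDCIdentityProvider);
            this.provider = keycloakOIDCIdentityProvider;
        }

        /**
         * Handles a back-channel logout pushed by the remote Keycloak server.
         *
         * <p>Processing order matters: the JWS signature is verified with
         * {@code provider.verify} before any of the payload is parsed, then the decoded
         * {@link LogoutAction} must pass {@link #validateAction}, and only then are the named
         * broker sessions logged out. Any failure before that point is answered with 400; the
         * request is never partially applied because the session loop runs last.
         *
         * @param str the raw compact JWS carrying a serialized {@link LogoutAction}
         * @return 200 on success; 400 when the JWS is malformed, fails signature verification,
         *         cannot be parsed, or fails {@link #validateAction}
         */
        @POST
        @Path("k_logout")
        public Response backchannelLogout(String str) {
            try {
                JWSInput jws = new JWSInput(str);
                // Signature check first: nothing inside the payload is trusted until this passes.
                if (!this.provider.verify(jws)) {
                    OIDCIdentityProvider.logger.warn("Failed to verify logout request");
                    return Response.status(400).build();
                }
                LogoutAction logoutAction = JsonSerialization.readValue(jws.getContent(), LogoutAction.class);
                if (!validateAction(logoutAction)) {
                    return Response.status(400).build();
                }
                logoutBrokeredSessions(logoutAction);
                // The response carries no body; let the security-headers provider accept an
                // empty Content-Type for it.
                this.session.getProvider(SecurityHeadersProvider.class).options().allowEmptyContentType();
                return Response.ok().build();
            } catch (JWSInputException e) {
                OIDCIdentityProvider.logger.warn("Failed to verify logout request");
                return Response.status(400).build();
            } catch (IOException e) {
                // A verified-but-unparseable payload is a client error, not a server fault:
                // answer 400 instead of surfacing an unhandled 500.
                OIDCIdentityProvider.logger.warn("Failed to parse logout request", e);
                return Response.status(400).build();
            }
        }

        /**
         * Logs out every local user session that was brokered from one of the Keycloak session
         * ids named in the action.
         *
         * <p>Local sessions are keyed by {@code <provider alias>.<remote session id>}; sessions
         * that are already {@code LOGGING_OUT} or {@code LOGGED_OUT} are skipped so a repeated
         * request does not restart a logout that is already in progress.
         *
         * @param logoutAction validated action; a {@code null} session-id list is treated as empty
         */
        private void logoutBrokeredSessions(LogoutAction logoutAction) {
            if (logoutAction.getKeycloakSessionIds() == null) {
                return;
            }
            // Loop-invariant prefix hoisted out of the per-session lookup.
            String brokerPrefix = this.provider.m150getConfig().getAlias() + ".";
            for (String remoteSessionId : logoutAction.getKeycloakSessionIds()) {
                UserSessionModel userSession = this.session.sessions().getUserSessionByBrokerSessionId(this.realm, brokerPrefix + remoteSessionId);
                if (userSession == null) {
                    continue;
                }
                UserSessionModel.State state = userSession.getState();
                if (state == UserSessionModel.State.LOGGING_OUT || state == UserSessionModel.State.LOGGED_OUT) {
                    continue;
                }
                AuthenticationManager.backchannelLogout(this.session, this.realm, userSession, this.session.getContext().getUri(), this.clientConnection, this.headers, false);
            }
        }

        /**
         * Checks that an admin action is well-formed, not expired, and addressed to this client.
         *
         * <p>The resource check compares {@code adminAction.getResource()} with this provider's
         * configured client id, so an action issued for a different client of the same remote
         * server is rejected even though its signature verifies.
         *
         * @param adminAction the decoded action
         * @return {@code true} only when all three checks pass; each failure is logged at WARN
         */
        protected boolean validateAction(AdminAction adminAction) {
            if (!adminAction.validate()) {
                OIDCIdentityProvider.logger.warn("admin request failed, not validated " + adminAction.getAction());
                return false;
            }
            if (adminAction.isExpired()) {
                OIDCIdentityProvider.logger.warn("admin request failed, expired token");
                return false;
            }
            if (!this.provider.m150getConfig().getClientId().equals(adminAction.getResource())) {
                OIDCIdentityProvider.logger.warn("Resource name does not match");
                return false;
            }
            return true;
        }

        /**
         * Builds the token request as the base endpoint does, adding a
         * {@code client_session_state=n/a} parameter (presumably because the remote Keycloak
         * expects the parameter to be present — confirm against the remote server's behaviour).
         *
         * @param str authorization code handed to the base implementation
         * @return the prepared request
         */
        @Override // org.keycloak.broker.oidc.OIDCIdentityProvider.OIDCEndpoint, org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.Endpoint
        public SimpleHttp generateTokenRequest(String str) {
            return super.generateTokenRequest(str).param("client_session_state", "n/a");
        }
    }

    /**
     * Creates the provider and marks the config so the remote access token is handled as a JWT.
     *
     * @param keycloakSession           current session
     * @param oIDCIdentityProviderConfig provider configuration; mutated by this constructor
     */
    public KeycloakOIDCIdentityProvider(KeycloakSession keycloakSession, OIDCIdentityProviderConfig oIDCIdentityProviderConfig) {
        super(keycloakSession, oIDCIdentityProviderConfig);
        oIDCIdentityProviderConfig.setAccessTokenJwt(true);
    }

    /**
     * Returns the JAX-RS callback resource for this provider, which is the
     * {@link KeycloakEndpoint} (standard OIDC callback plus {@code k_logout}).
     */
    @Override // org.keycloak.broker.oidc.OIDCIdentityProvider, org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    public Object callback(RealmModel realmModel, IdentityProvider.AuthenticationCallback authenticationCallback, EventBuilder eventBuilder) {
        return new KeycloakEndpoint(authenticationCallback, realmModel, eventBuilder, this);
    }

    /**
     * Handles an external-to-internal token exchange request.
     *
     * <p>{@code subject_token} is required; {@code subject_token_type} defaults to the
     * access-token URN. Validation of the token itself is delegated to {@code validateJwt}.
     *
     * @param eventBuilder   event builder; receives a {@code reason} detail and an
     *                       {@code invalid_token} error when the subject token is missing
     * @param multivaluedMap the form parameters of the exchange request
     * @return the brokered identity produced by {@code validateJwt}
     * @throws ErrorResponseException with status 400 when {@code subject_token} is absent
     */
    @Override // org.keycloak.broker.oidc.OIDCIdentityProvider, org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder eventBuilder, MultivaluedMap<String, String> multivaluedMap) {
        String subjectToken = multivaluedMap.getFirst("subject_token");
        if (subjectToken == null) {
            eventBuilder.detail("reason", "subject_token param unset");
            eventBuilder.error("invalid_token");
            throw new ErrorResponseException("invalid_token", "token not set", Response.Status.BAD_REQUEST);
        }
        String subjectTokenType = multivaluedMap.getFirst("subject_token_type");
        if (subjectTokenType == null) {
            subjectTokenType = "urn:ietf:params:oauth:token-type:access_token";
        }
        return validateJwt(eventBuilder, subjectToken, subjectTokenType);
    }
}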
