package io.jans.as.server.token.ws.rs;

import com.google.common.base.Function;
import com.google.common.base.Strings;
import com.nimbusds.jose.jwk.JWKException;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.service.AttributeService;
import io.jans.as.model.authorize.CodeVerifier;
import io.jans.as.model.common.BackchannelTokenDeliveryMode;
import io.jans.as.model.common.ComponentType;
import io.jans.as.model.common.GrantType;
import io.jans.as.model.common.TokenType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.binding.TokenBindingMessage;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jwk.JSONWebKey;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.token.JsonWebResponse;
import io.jans.as.model.token.TokenErrorResponseType;
import io.jans.as.server.audit.ApplicationAuditLogger;
import io.jans.as.server.model.audit.Action;
import io.jans.as.server.model.audit.OAuth2AuditLog;
import io.jans.as.server.model.common.AbstractAuthorizationGrant;
import io.jans.as.server.model.common.AccessToken;
import io.jans.as.server.model.common.AuthorizationCodeGrant;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.model.common.CIBAGrant;
import io.jans.as.server.model.common.CibaRequestCacheControl;
import io.jans.as.server.model.common.CibaRequestStatus;
import io.jans.as.server.model.common.DeviceAuthorizationCacheControl;
import io.jans.as.server.model.common.DeviceAuthorizationStatus;
import io.jans.as.server.model.common.DeviceCodeGrant;
import io.jans.as.server.model.common.ExecutionContext;
import io.jans.as.server.model.common.IdToken;
import io.jans.as.server.model.common.RefreshToken;
import io.jans.as.server.model.common.SessionId;
import io.jans.as.server.model.config.Constants;
import io.jans.as.server.model.session.SessionClient;
import io.jans.as.server.model.token.JwrService;
import io.jans.as.server.model.token.TokenParamsValidator;
import io.jans.as.server.security.Identity;
import io.jans.as.server.service.AuthenticationFilterService;
import io.jans.as.server.service.AuthenticationService;
import io.jans.as.server.service.CleanerTimer;
import io.jans.as.server.service.DeviceAuthorizationService;
import io.jans.as.server.service.GrantService;
import io.jans.as.server.service.SessionIdService;
import io.jans.as.server.service.UserService;
import io.jans.as.server.service.ciba.CibaRequestService;
import io.jans.as.server.service.ciba.CibaRequestsProcessorJob;
import io.jans.as.server.service.external.ExternalResourceOwnerPasswordCredentialsService;
import io.jans.as.server.service.external.ExternalUpdateTokenService;
import io.jans.as.server.service.external.context.ExternalResourceOwnerPasswordCredentialsContext;
import io.jans.as.server.service.external.context.ExternalUpdateTokenContext;
import io.jans.as.server.service.stat.StatService;
import io.jans.as.server.uma.service.UmaTokenService;
import io.jans.as.server.util.ServerUtil;
import io.jans.orm.exception.AuthenticationException;
import io.jans.util.StringHelper;
import jakarta.inject.Inject;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.Arrays;
import java.util.Date;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;

@Path("/")
/* loaded from: input_file:io/jans/as/server/token/ws/rs/TokenRestWebServiceImpl.class */
public class TokenRestWebServiceImpl implements TokenRestWebService {

    @Inject
    private Logger log;

    @Inject
    private Identity identity;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private UserService userService;

    @Inject
    private GrantService grantService;

    @Inject
    private AuthenticationFilterService authenticationFilterService;

    @Inject
    private AuthenticationService authenticationService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private UmaTokenService umaTokenService;

    @Inject
    private ExternalResourceOwnerPasswordCredentialsService externalResourceOwnerPasswordCredentialsService;

    @Inject
    private AttributeService attributeService;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private CibaRequestService cibaRequestService;

    @Inject
    private DeviceAuthorizationService deviceAuthorizationService;

    @Inject
    private ExternalUpdateTokenService externalUpdateTokenService;

    @Override // io.jans.as.server.token.ws.rs.TokenRestWebService
    public Response requestAccessToken(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, String str10, String str11, String str12, String str13, String str14, String str15, String str16, String str17, String str18, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        this.log.debug("Attempting to request access token: grantType = {}, code = {}, redirectUri = {}, username = {}, refreshToken = {}, clientId = {}, ExtraParams = {}, isSecure = {}, codeVerifier = {}, ticket = {}", new Object[]{str, str2, str3, str4, str8, str9, httpServletRequest.getParameterMap(), Boolean.valueOf(securityContext.isSecure()), str11, str12});
        if (StringUtils.isNotBlank(str12)) {
            return this.umaTokenService.requestRpt(str, str12, str13, str14, str15, str16, str6, httpServletRequest, httpServletResponse);
        }
        OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpServletRequest), Action.TOKEN_REQUEST);
        oAuth2AuditLog.setClientId(str9);
        oAuth2AuditLog.setUsername(str4);
        oAuth2AuditLog.setScope(str6);
        String header = httpServletRequest.getHeader("Sec-Token-Binding");
        String urlDecode = ServerUtil.urlDecode(str6);
        Response.ResponseBuilder ok = Response.ok();
        try {
            String runDPoP = runDPoP(httpServletRequest);
            try {
                this.log.debug("Starting to validate request parameters");
            } catch (Exception e) {
                ok = Response.status(CibaRequestsProcessorJob.CHUNK_SIZE);
                this.log.error(e.getMessage(), e);
            } catch (WebApplicationException e2) {
                throw e2;
            }
            if (!TokenParamsValidator.validateParams(str, str2, str3, str4, str5, urlDecode, str7, str8)) {
                this.log.trace("Failed to validate request parameters");
                return response(error(400, TokenErrorResponseType.INVALID_REQUEST, "Failed to validate request parameters"), oAuth2AuditLog);
            }
            GrantType fromString = GrantType.fromString(str);
            this.log.debug("Grant type: '{}'", fromString);
            SessionClient sessionClient = this.identity.getSessionClient();
            Client client = null;
            if (sessionClient != null) {
                client = sessionClient.getClient();
                this.log.debug("Get sessionClient: '{}'", sessionClient);
            }
            if (client == null) {
                return response(error(401, TokenErrorResponseType.INVALID_GRANT, "Unable to find client."), oAuth2AuditLog);
            }
            this.log.debug("Get client from session: '{}'", client.getClientId());
            if (client.isDisabled()) {
                return response(error(Response.Status.FORBIDDEN.getStatusCode(), TokenErrorResponseType.DISABLED_CLIENT, "Client is disabled."), oAuth2AuditLog);
            }
            Function createIdTokenTokingBindingPreprocessing = TokenBindingMessage.createIdTokenTokingBindingPreprocessing(header, client.getIdTokenTokenBindingCnf());
            SessionId sessionId = this.sessionIdService.getSessionId(httpServletRequest);
            java.util.function.Function<JsonWebResponse, Void> wrapWithSidFunction = JwrService.wrapWithSidFunction(createIdTokenTokingBindingPreprocessing, sessionId != null ? sessionId.getOutsideSid() : null);
            ExecutionContext executionContext = new ExecutionContext(httpServletRequest, httpServletResponse);
            executionContext.setCertAsPem(httpServletRequest.getHeader("X-ClientCert"));
            executionContext.setDpop(runDPoP);
            executionContext.setClient(client);
            executionContext.setDpop(runDPoP);
            executionContext.setAppConfiguration(this.appConfiguration);
            executionContext.setAttributeService(this.attributeService);
            if (fromString == GrantType.AUTHORIZATION_CODE) {
                if (!TokenParamsValidator.validateGrantType(fromString, client.getGrantTypes(), this.appConfiguration.getGrantTypesSupported())) {
                    return response(error(400, TokenErrorResponseType.INVALID_GRANT, null), oAuth2AuditLog);
                }
                this.log.debug("Attempting to find authorizationCodeGrant by clientId: '{}', code: '{}'", client.getClientId(), str2);
                AuthorizationCodeGrant authorizationCodeGrant = this.authorizationGrantList.getAuthorizationCodeGrant(str2);
                this.log.trace("AuthorizationCodeGrant : '{}'", authorizationCodeGrant);
                if (authorizationCodeGrant == null) {
                    this.log.debug("AuthorizationCodeGrant is empty by clientId: '{}', code: '{}'", client.getClientId(), str2);
                    this.grantService.removeAllByAuthorizationCode(str2);
                    return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Unable to find grant object for given code."), oAuth2AuditLog);
                }
                if (!client.getClientId().equals(authorizationCodeGrant.getClientId())) {
                    this.log.debug("AuthorizationCodeGrant is found but belongs to another client. Grant's clientId: '{}', code: '{}'", authorizationCodeGrant.getClientId(), str2);
                    this.grantService.removeAllByAuthorizationCode(str2);
                    return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Client mismatch."), oAuth2AuditLog);
                }
                validatePKCE(authorizationCodeGrant, str11, oAuth2AuditLog);
                authorizationCodeGrant.setIsCachedWithNoPersistence(false);
                authorizationCodeGrant.save();
                RefreshToken createRefreshToken = createRefreshToken(httpServletRequest, client, urlDecode, authorizationCodeGrant, runDPoP);
                String checkScopesPolicy = authorizationCodeGrant.checkScopesPolicy(urlDecode);
                executionContext.setGrant(authorizationCodeGrant);
                AccessToken createAccessToken = authorizationCodeGrant.createAccessToken(executionContext);
                IdToken idToken = null;
                if (authorizationCodeGrant.getScopes().contains(Constants.OX_AUTH_SCOPE_TYPE_OPENID)) {
                    String nonce = authorizationCodeGrant.getNonce();
                    boolean equals = Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims());
                    String idTokenTokenBindingCnf = client.getIdTokenTokenBindingCnf();
                    java.util.function.Function function = jsonWebResponse -> {
                        if (!StringUtils.isNotBlank(idTokenTokenBindingCnf) || !StringUtils.isNotBlank(authorizationCodeGrant.getTokenBindingHash())) {
                            return null;
                        }
                        TokenBindingMessage.setCnfClaim(jsonWebResponse, authorizationCodeGrant.getTokenBindingHash(), idTokenTokenBindingCnf);
                        return null;
                    };
                    ExternalUpdateTokenContext externalUpdateTokenContext = new ExternalUpdateTokenContext(httpServletRequest, authorizationCodeGrant, client, this.appConfiguration, this.attributeService);
                    executionContext.setIncludeIdTokenClaims(equals);
                    executionContext.setPreProcessing(JwrService.wrapWithSidFunction(function, sessionId != null ? sessionId.getOutsideSid() : null));
                    executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext));
                    idToken = authorizationCodeGrant.createIdToken(nonce, authorizationCodeGrant.getAuthorizationCode(), createAccessToken, null, null, executionContext);
                }
                oAuth2AuditLog.updateOAuth2AuditLog(authorizationCodeGrant, true);
                this.grantService.removeAuthorizationCode(authorizationCodeGrant.getAuthorizationCode().getCode());
                return response(Response.ok().entity(getJSonResponse(createAccessToken, createAccessToken.getTokenType(), Integer.valueOf(createAccessToken.getExpiresIn()), createRefreshToken, checkScopesPolicy, idToken)), oAuth2AuditLog);
            }
            if (fromString == GrantType.REFRESH_TOKEN) {
                if (!TokenParamsValidator.validateGrantType(fromString, client.getGrantTypes(), this.appConfiguration.getGrantTypesSupported())) {
                    return response(error(400, TokenErrorResponseType.INVALID_GRANT, "grant_type does not belong to client."), oAuth2AuditLog);
                }
                AuthorizationGrant authorizationGrantByRefreshToken = this.authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), str8);
                if (authorizationGrantByRefreshToken == null) {
                    this.log.trace("Grant object is not found by refresh token.");
                    return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Unable to find grant object by refresh token or otherwise token type or client does not match."), oAuth2AuditLog);
                }
                RefreshToken refreshToken = authorizationGrantByRefreshToken.getRefreshToken(str8);
                if (refreshToken == null || !refreshToken.isValid()) {
                    this.log.trace("Invalid refresh token.");
                    return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Unable to find refresh token or otherwise token type or client does not match."), oAuth2AuditLog);
                }
                executionContext.setGrant(authorizationGrantByRefreshToken);
                RefreshToken refreshToken2 = null;
                if (BooleanUtils.isFalse(this.appConfiguration.getSkipRefreshTokenDuringRefreshing())) {
                    if (BooleanUtils.isTrue(this.appConfiguration.getRefreshTokenExtendLifetimeOnRotation())) {
                        refreshToken2 = createRefreshToken(httpServletRequest, client, urlDecode, authorizationGrantByRefreshToken, runDPoP);
                    } else {
                        this.log.trace("Create refresh token with fixed (not extended) lifetime taken from previous refresh token.");
                        refreshToken2 = authorizationGrantByRefreshToken.createRefreshToken(executionContext, refreshToken.getExpirationDate());
                    }
                }
                String checkScopesPolicy2 = authorizationGrantByRefreshToken.checkScopesPolicy(urlDecode);
                AccessToken createAccessToken2 = authorizationGrantByRefreshToken.createAccessToken(executionContext);
                IdToken idToken2 = null;
                if (BooleanUtils.isTrue(this.appConfiguration.getOpenidScopeBackwardCompatibility()) && authorizationGrantByRefreshToken.getScopes().contains(Constants.OX_AUTH_SCOPE_TYPE_OPENID)) {
                    boolean equals2 = Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims());
                    ExternalUpdateTokenContext externalUpdateTokenContext2 = new ExternalUpdateTokenContext(httpServletRequest, authorizationGrantByRefreshToken, client, this.appConfiguration, this.attributeService);
                    externalUpdateTokenContext2.setExecutionContext(executionContext);
                    executionContext.setIncludeIdTokenClaims(equals2);
                    executionContext.setPreProcessing(wrapWithSidFunction);
                    executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext2));
                    idToken2 = authorizationGrantByRefreshToken.createIdToken(null, null, createAccessToken2, null, null, executionContext);
                }
                if (refreshToken2 != null && str8 != null) {
                    this.grantService.removeByCode(str8);
                }
                ok.entity(getJSonResponse(createAccessToken2, createAccessToken2.getTokenType(), Integer.valueOf(createAccessToken2.getExpiresIn()), refreshToken2, checkScopesPolicy2, idToken2));
                oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrantByRefreshToken, true);
            } else if (fromString == GrantType.CLIENT_CREDENTIALS) {
                if (!TokenParamsValidator.validateGrantType(fromString, client.getGrantTypes(), this.appConfiguration.getGrantTypesSupported())) {
                    return response(error(400, TokenErrorResponseType.INVALID_GRANT, "grant_type is not present in client."), oAuth2AuditLog);
                }
                AuthorizationGrant createClientCredentialsGrant = this.authorizationGrantList.createClientCredentialsGrant(new User(), client);
                String checkScopesPolicy3 = createClientCredentialsGrant.checkScopesPolicy(urlDecode);
                executionContext.setGrant(createClientCredentialsGrant);
                AccessToken createAccessToken3 = createClientCredentialsGrant.createAccessToken(executionContext);
                IdToken idToken3 = null;
                if (BooleanUtils.isTrue(this.appConfiguration.getOpenidScopeBackwardCompatibility()) && createClientCredentialsGrant.getScopes().contains(Constants.OX_AUTH_SCOPE_TYPE_OPENID)) {
                    boolean equals3 = Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims());
                    ExternalUpdateTokenContext externalUpdateTokenContext3 = new ExternalUpdateTokenContext(httpServletRequest, createClientCredentialsGrant, client, this.appConfiguration, this.attributeService);
                    executionContext.setIncludeIdTokenClaims(equals3);
                    executionContext.setPreProcessing(wrapWithSidFunction);
                    executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext3));
                    idToken3 = createClientCredentialsGrant.createIdToken(null, null, null, null, null, executionContext);
                }
                oAuth2AuditLog.updateOAuth2AuditLog(createClientCredentialsGrant, true);
                ok.entity(getJSonResponse(createAccessToken3, createAccessToken3.getTokenType(), Integer.valueOf(createAccessToken3.getExpiresIn()), null, checkScopesPolicy3, idToken3));
            } else if (fromString == GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) {
                if (!TokenParamsValidator.validateGrantType(fromString, client.getGrantTypes(), this.appConfiguration.getGrantTypesSupported())) {
                    return response(error(400, TokenErrorResponseType.INVALID_GRANT, "grant_type is not present in client."), oAuth2AuditLog);
                }
                boolean z = false;
                User user = null;
                if (this.authenticationFilterService.isEnabled()) {
                    String processAuthenticationFilters = this.authenticationFilterService.processAuthenticationFilters(httpServletRequest.getParameterMap());
                    if (StringHelper.isNotEmpty(processAuthenticationFilters)) {
                        user = this.userService.getUserByDn(processAuthenticationFilters, new String[0]);
                        z = true;
                    }
                }
                if (!z) {
                    if (this.externalResourceOwnerPasswordCredentialsService.isEnabled()) {
                        ExternalResourceOwnerPasswordCredentialsContext externalResourceOwnerPasswordCredentialsContext = new ExternalResourceOwnerPasswordCredentialsContext(executionContext);
                        externalResourceOwnerPasswordCredentialsContext.setUser(user);
                        if (this.externalResourceOwnerPasswordCredentialsService.executeExternalAuthenticate(externalResourceOwnerPasswordCredentialsContext)) {
                            this.log.trace("RO PC - User is authenticated successfully by external script.");
                            user = externalResourceOwnerPasswordCredentialsContext.getUser();
                        }
                    } else {
                        try {
                            if (this.authenticationService.authenticate(str4, str5)) {
                                user = this.authenticationService.getAuthenticatedUser();
                            }
                        } catch (AuthenticationException e3) {
                            this.log.trace("Failed to authenticate user ", new RuntimeException("User name or password is invalid"));
                        }
                    }
                }
                if (user != null) {
                    AuthorizationGrant createResourceOwnerPasswordCredentialsGrant = this.authorizationGrantList.createResourceOwnerPasswordCredentialsGrant(user, client);
                    SessionId sessionId2 = this.identity.getSessionId();
                    if (sessionId2 != null) {
                        createResourceOwnerPasswordCredentialsGrant.setAcrValues("simple_password_auth");
                        createResourceOwnerPasswordCredentialsGrant.setSessionDn(sessionId2.getDn());
                        createResourceOwnerPasswordCredentialsGrant.save();
                        sessionId2.getSessionAttributes().put(Constants.AUTHORIZED_GRANT, fromString.getValue());
                        if (!this.sessionIdService.updateSessionId(sessionId2, false, true, true)) {
                            this.log.debug("Failed to update session entry: '{}'", sessionId2.getId());
                        }
                    }
                    RefreshToken createRefreshToken2 = createRefreshToken(httpServletRequest, client, urlDecode, createResourceOwnerPasswordCredentialsGrant, null);
                    String checkScopesPolicy4 = createResourceOwnerPasswordCredentialsGrant.checkScopesPolicy(urlDecode);
                    executionContext.setGrant(createResourceOwnerPasswordCredentialsGrant);
                    AccessToken createAccessToken4 = createResourceOwnerPasswordCredentialsGrant.createAccessToken(executionContext);
                    IdToken idToken4 = null;
                    if (BooleanUtils.isTrue(this.appConfiguration.getOpenidScopeBackwardCompatibility()) && createResourceOwnerPasswordCredentialsGrant.getScopes().contains(Constants.OX_AUTH_SCOPE_TYPE_OPENID)) {
                        boolean equals4 = Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims());
                        ExternalUpdateTokenContext externalUpdateTokenContext4 = new ExternalUpdateTokenContext(httpServletRequest, createResourceOwnerPasswordCredentialsGrant, client, this.appConfiguration, this.attributeService);
                        externalUpdateTokenContext4.setExecutionContext(executionContext);
                        executionContext.setIncludeIdTokenClaims(equals4);
                        executionContext.setPreProcessing(wrapWithSidFunction);
                        executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext4));
                        idToken4 = createResourceOwnerPasswordCredentialsGrant.createIdToken(null, null, null, null, null, executionContext);
                    }
                    oAuth2AuditLog.updateOAuth2AuditLog(createResourceOwnerPasswordCredentialsGrant, true);
                    ok.entity(getJSonResponse(createAccessToken4, createAccessToken4.getTokenType(), Integer.valueOf(createAccessToken4.getExpiresIn()), createRefreshToken2, checkScopesPolicy4, idToken4));
                } else {
                    this.log.debug("Invalid user", new RuntimeException("User is empty"));
                    ok = error(401, TokenErrorResponseType.INVALID_CLIENT, "Invalid user.");
                }
            } else if (fromString == GrantType.CIBA) {
                this.errorResponseFactory.validateComponentEnabled(ComponentType.CIBA);
                if (!TokenParamsValidator.validateGrantType(fromString, client.getGrantTypes(), this.appConfiguration.getGrantTypesSupported())) {
                    return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Grant types are invalid."), oAuth2AuditLog);
                }
                this.log.debug("Attempting to find authorizationGrant by authReqId: '{}'", str17);
                CIBAGrant cIBAGrant = this.authorizationGrantList.getCIBAGrant(str17);
                executionContext.setGrant(cIBAGrant);
                this.log.trace("AuthorizationGrant : '{}'", cIBAGrant);
                if (cIBAGrant == null) {
                    CibaRequestCacheControl cibaRequest = this.cibaRequestService.getCibaRequest(str17);
                    this.log.trace("Ciba request : '{}'", cibaRequest);
                    if (cibaRequest == null) {
                        this.log.debug("AuthorizationGrant is empty by authReqId: '{}'", str17);
                        ok = error(400, TokenErrorResponseType.EXPIRED_TOKEN, "Unable to find grant object for given auth_req_id.");
                    } else {
                        if (!cibaRequest.getClient().getClientId().equals(client.getClientId())) {
                            return response(error(400, TokenErrorResponseType.INVALID_GRANT, "The client is not authorized."), oAuth2AuditLog);
                        }
                        long time = new Date().getTime();
                        Long lastAccessControl = cibaRequest.getLastAccessControl();
                        if (lastAccessControl == null) {
                            lastAccessControl = Long.valueOf(time);
                        }
                        cibaRequest.setLastAccessControl(Long.valueOf(time));
                        this.cibaRequestService.update(cibaRequest);
                        if (cibaRequest.getStatus() == CibaRequestStatus.PENDING) {
                            if (time - lastAccessControl.longValue() > this.appConfiguration.getBackchannelAuthenticationResponseInterval() * CleanerTimer.BATCH_SIZE) {
                                this.log.debug("Access hasn't been granted yet for authReqId: '{}'", str17);
                                ok = error(400, TokenErrorResponseType.AUTHORIZATION_PENDING, "User hasn't answered yet");
                            } else {
                                this.log.debug("Slow down protection authReqId: '{}'", str17);
                                ok = error(400, TokenErrorResponseType.SLOW_DOWN, "Client is asking too fast the token.");
                            }
                        } else if (cibaRequest.getStatus() == CibaRequestStatus.DENIED) {
                            this.log.debug("The end-user denied the authorization request for authReqId: '{}'", str17);
                            ok = error(400, TokenErrorResponseType.ACCESS_DENIED, "The end-user denied the authorization request.");
                        } else if (cibaRequest.getStatus() == CibaRequestStatus.EXPIRED) {
                            this.log.debug("The authentication request has expired for authReqId: '{}'", str17);
                            ok = error(400, TokenErrorResponseType.EXPIRED_TOKEN, "The authentication request has expired");
                        }
                    }
                } else {
                    if (!cIBAGrant.getClientId().equals(client.getClientId())) {
                        return response(error(400, TokenErrorResponseType.INVALID_GRANT, "The client is not authorized."), oAuth2AuditLog);
                    }
                    if (cIBAGrant.getClient().getBackchannelTokenDeliveryMode() != BackchannelTokenDeliveryMode.PING && cIBAGrant.getClient().getBackchannelTokenDeliveryMode() != BackchannelTokenDeliveryMode.POLL) {
                        this.log.debug("Client is not using Poll flow authReqId: '{}'", str17);
                        ok = error(400, TokenErrorResponseType.UNAUTHORIZED_CLIENT, "The client is not authorized as it is configured in Push Mode");
                    } else if (cIBAGrant.isTokensDelivered()) {
                        ok = error(400, TokenErrorResponseType.INVALID_GRANT, "AuthReqId is no longer available.");
                    } else {
                        RefreshToken createRefreshToken3 = createRefreshToken(httpServletRequest, client, urlDecode, cIBAGrant, null);
                        AccessToken createAccessToken5 = cIBAGrant.createAccessToken(executionContext);
                        ExternalUpdateTokenContext externalUpdateTokenContext5 = new ExternalUpdateTokenContext(httpServletRequest, cIBAGrant, client, this.appConfiguration, this.attributeService);
                        externalUpdateTokenContext5.setExecutionContext(executionContext);
                        executionContext.setIncludeIdTokenClaims(false);
                        executionContext.setPreProcessing(wrapWithSidFunction);
                        executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext5));
                        IdToken createIdToken = cIBAGrant.createIdToken(null, null, createAccessToken5, createRefreshToken3, null, executionContext);
                        cIBAGrant.setTokensDelivered(true);
                        cIBAGrant.save();
                        RefreshToken refreshToken3 = null;
                        if (isRefreshTokenAllowed(client, urlDecode, cIBAGrant)) {
                            refreshToken3 = createRefreshToken3;
                        }
                        ok.entity(getJSonResponse(createAccessToken5, createAccessToken5.getTokenType(), Integer.valueOf(createAccessToken5.getExpiresIn()), refreshToken3, cIBAGrant.checkScopesPolicy(urlDecode), createIdToken));
                        oAuth2AuditLog.updateOAuth2AuditLog(cIBAGrant, true);
                    }
                }
            } else if (fromString == GrantType.DEVICE_CODE) {
                return processDeviceCodeGrantType(fromString, client, str18, urlDecode, httpServletRequest, httpServletResponse, oAuth2AuditLog);
            }
            return response(ok, oAuth2AuditLog);
        } catch (InvalidJwtException | JWKException | NoSuchAlgorithmException | NoSuchProviderException e4) {
            return response(error(400, TokenErrorResponseType.INVALID_DPOP_PROOF, e4.getMessage()), oAuth2AuditLog);
        }
    }

    private void checkUser(AuthorizationGrant authorizationGrant) {
        if (this.appConfiguration.getCheckUserPresenceOnRefreshToken().booleanValue()) {
            User user = authorizationGrant.getUser();
            if (user == null || "inactive".equalsIgnoreCase(user.getStatus())) {
                this.log.trace("The user associated with this grant is not found or otherwise with status=inactive.");
                throw new WebApplicationException(error(400, TokenErrorResponseType.INVALID_GRANT, "The user associated with this grant is not found or otherwise with status=inactive.").build());
            }
        }
    }

    @Nullable
    private RefreshToken createRefreshToken(@NotNull HttpServletRequest httpServletRequest, @NotNull Client client, @NotNull String str, @NotNull AuthorizationGrant authorizationGrant, String str2) {
        if (!isRefreshTokenAllowed(client, str, authorizationGrant)) {
            return null;
        }
        checkUser(authorizationGrant);
        ExecutionContext executionContext = new ExecutionContext(httpServletRequest, null);
        executionContext.setGrant(authorizationGrant);
        executionContext.setClient(client);
        executionContext.setAttributeService(this.attributeService);
        executionContext.setAppConfiguration(this.appConfiguration);
        executionContext.setDpop(str2);
        int refreshTokenLifetimeInSeconds = this.externalUpdateTokenService.getRefreshTokenLifetimeInSeconds(new ExternalUpdateTokenContext(httpServletRequest, authorizationGrant, client, this.appConfiguration, this.attributeService));
        return refreshTokenLifetimeInSeconds > 0 ? authorizationGrant.createRefreshToken(executionContext, refreshTokenLifetimeInSeconds) : authorizationGrant.createRefreshToken(executionContext);
    }

    private Response processDeviceCodeGrantType(GrantType grantType, Client client, String str, String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth2AuditLog oAuth2AuditLog) {
        if (!TokenParamsValidator.validateGrantType(grantType, client.getGrantTypes(), this.appConfiguration.getGrantTypesSupported())) {
            return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Grant types are invalid."), oAuth2AuditLog);
        }
        this.log.debug("Attempting to find authorizationGrant by deviceCode: '{}'", str);
        DeviceCodeGrant deviceCodeGrant = this.authorizationGrantList.getDeviceCodeGrant(str);
        this.log.trace("DeviceCodeGrant : '{}'", deviceCodeGrant);
        if (deviceCodeGrant != null) {
            if (!deviceCodeGrant.getClientId().equals(client.getClientId())) {
                throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT, "The client is not authorized."), oAuth2AuditLog));
            }
            RefreshToken createRefreshToken = createRefreshToken(httpServletRequest, client, str2, deviceCodeGrant, null);
            ExecutionContext executionContext = new ExecutionContext(httpServletRequest, httpServletResponse);
            executionContext.setGrant(deviceCodeGrant);
            executionContext.setCertAsPem(httpServletRequest.getHeader("X-ClientCert"));
            executionContext.setClient(client);
            executionContext.setAppConfiguration(this.appConfiguration);
            executionContext.setAttributeService(this.attributeService);
            AccessToken createAccessToken = deviceCodeGrant.createAccessToken(executionContext);
            ExternalUpdateTokenContext externalUpdateTokenContext = new ExternalUpdateTokenContext(httpServletRequest, deviceCodeGrant, client, this.appConfiguration, this.attributeService);
            externalUpdateTokenContext.setExecutionContext(executionContext);
            executionContext.setIncludeIdTokenClaims(false);
            executionContext.setPreProcessing(null);
            executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext));
            IdToken createIdToken = deviceCodeGrant.createIdToken(null, null, createAccessToken, createRefreshToken, null, executionContext);
            deviceCodeGrant.checkScopesPolicy(str2);
            this.log.info("Device authorization in token endpoint processed and return to the client, device_code: {}", deviceCodeGrant.getDeviceCode());
            oAuth2AuditLog.updateOAuth2AuditLog(deviceCodeGrant, true);
            this.grantService.removeByCode(deviceCodeGrant.getDeviceCode());
            return Response.ok().entity(getJSonResponse(createAccessToken, createAccessToken.getTokenType(), Integer.valueOf(createAccessToken.getExpiresIn()), createRefreshToken, str2, createIdToken)).build();
        }
        DeviceAuthorizationCacheControl deviceAuthzByDeviceCode = this.deviceAuthorizationService.getDeviceAuthzByDeviceCode(str);
        this.log.trace("DeviceAuthorizationCacheControl data : '{}'", deviceAuthzByDeviceCode);
        if (deviceAuthzByDeviceCode == null) {
            this.log.debug("The authentication request has expired for deviceCode: '{}'", str);
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.EXPIRED_TOKEN, "The authentication request has expired."), oAuth2AuditLog));
        }
        if (!deviceAuthzByDeviceCode.getClient().getClientId().equals(client.getClientId())) {
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT, "The client is not authorized."), oAuth2AuditLog));
        }
        long time = new Date().getTime();
        Long lastAccessControl = deviceAuthzByDeviceCode.getLastAccessControl();
        if (lastAccessControl == null) {
            lastAccessControl = Long.valueOf(time);
        }
        deviceAuthzByDeviceCode.setLastAccessControl(time);
        this.deviceAuthorizationService.saveInCache(deviceAuthzByDeviceCode, true, true);
        if (deviceAuthzByDeviceCode.getStatus() != DeviceAuthorizationStatus.PENDING) {
            if (deviceAuthzByDeviceCode.getStatus() == DeviceAuthorizationStatus.DENIED) {
                this.log.debug("The end-user denied the authorization request for deviceCode: '{}'", str);
                throw new WebApplicationException(response(error(400, TokenErrorResponseType.ACCESS_DENIED, "The end-user denied the authorization request."), oAuth2AuditLog));
            }
            this.log.debug("The authentication request has expired for deviceCode: '{}'", str);
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.EXPIRED_TOKEN, "The authentication request has expired"), oAuth2AuditLog));
        }
        if (time - lastAccessControl.longValue() > this.appConfiguration.getBackchannelAuthenticationResponseInterval() * CleanerTimer.BATCH_SIZE) {
            this.log.debug("Access hasn't been granted yet for deviceCode: '{}'", str);
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.AUTHORIZATION_PENDING, "User hasn't answered yet"), oAuth2AuditLog));
        }
        this.log.debug("Slow down protection deviceCode: '{}'", str);
        throw new WebApplicationException(response(error(400, TokenErrorResponseType.SLOW_DOWN, "Client is asking too fast the token."), oAuth2AuditLog));
    }

    private boolean isRefreshTokenAllowed(Client client, String str, AbstractAuthorizationGrant abstractAuthorizationGrant) {
        if (!BooleanUtils.isTrue(this.appConfiguration.getForceOfflineAccessScopeToEnableRefreshToken()) || abstractAuthorizationGrant.getScopes().contains("offline_access") || Strings.nullToEmpty(str).contains("offline_access")) {
            return Arrays.asList(client.getGrantTypes()).contains(GrantType.REFRESH_TOKEN);
        }
        return false;
    }

    private void validatePKCE(AuthorizationCodeGrant authorizationCodeGrant, String str, OAuth2AuditLog oAuth2AuditLog) {
        this.log.trace("PKCE validation, code_verifier: {}, code_challenge: {}, method: {}", new Object[]{str, authorizationCodeGrant.getCodeChallenge(), authorizationCodeGrant.getCodeChallengeMethod()});
        if (BooleanUtils.isTrue(this.appConfiguration.getRequirePkce()) && (Strings.isNullOrEmpty(str) || Strings.isNullOrEmpty(authorizationCodeGrant.getCodeChallenge()))) {
            if (this.log.isErrorEnabled()) {
                this.log.error("PKCE is required but code_challenge or code verifier is blank, grantId: {}, codeVerifier: {}, codeChallenge: {}", new Object[]{authorizationCodeGrant.getGrantId(), str, authorizationCodeGrant.getCodeChallenge()});
            }
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT, "PKCE check fails. Code challenge does not match to request code verifier."), oAuth2AuditLog));
        }
        if ((Strings.isNullOrEmpty(authorizationCodeGrant.getCodeChallenge()) && Strings.isNullOrEmpty(str)) || CodeVerifier.matched(authorizationCodeGrant.getCodeChallenge(), authorizationCodeGrant.getCodeChallengeMethod(), str)) {
            return;
        }
        this.log.error("PKCE check fails. Code challenge does not match to request code verifier, grantId: {}, codeVerifier: {}", authorizationCodeGrant.getGrantId(), str);
        throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT, "PKCE check fails. Code challenge does not match to request code verifier."), oAuth2AuditLog));
    }

    private Response response(Response.ResponseBuilder responseBuilder, OAuth2AuditLog oAuth2AuditLog) {
        responseBuilder.cacheControl(ServerUtil.cacheControl(true, false));
        responseBuilder.header("Pragma", "no-cache");
        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
        return responseBuilder.build();
    }

    private Response.ResponseBuilder error(int i, TokenErrorResponseType tokenErrorResponseType, String str) {
        return Response.status(i).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(tokenErrorResponseType, str));
    }

    private String runDPoP(HttpServletRequest httpServletRequest) throws InvalidJwtException, JWKException, NoSuchAlgorithmException, NoSuchProviderException {
        String header = httpServletRequest.getHeader("DPoP");
        if (StringUtils.isBlank(header)) {
            return null;
        }
        String jwkThumbprint = JSONWebKey.fromJSONObject(Jwt.parseOrThrow(header).getHeader().getJwk()).getJwkThumbprint();
        if (jwkThumbprint == null) {
            throw new InvalidJwtException("Invalid DPoP Proof Header. The jwk header is not valid.");
        }
        return jwkThumbprint;
    }

    public String getJSonResponse(AccessToken accessToken, TokenType tokenType, Integer num, RefreshToken refreshToken, String str, IdToken idToken) {
        JSONObject jSONObject = new JSONObject();
        try {
            jSONObject.put(StatService.ACCESS_TOKEN_KEY, accessToken.getCode());
            jSONObject.put("token_type", tokenType.toString());
            if (num != null) {
                jSONObject.put("expires_in", num);
            }
            if (refreshToken != null) {
                jSONObject.put(StatService.REFRESH_TOKEN_KEY, refreshToken.getCode());
            }
            if (str != null) {
                jSONObject.put("scope", str);
            }
            if (idToken != null) {
                jSONObject.put(StatService.ID_TOKEN_KEY, idToken.getCode());
            }
        } catch (JSONException e) {
            this.log.error(e.getMessage(), e);
        }
        return jSONObject.toString();
    }
}
