package io.jans.as.server.token.ws.rs;

import com.google.common.base.Function;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.model.session.SessionId;
import io.jans.as.common.service.AttributeService;
import io.jans.as.model.authzdetails.AuthzDetails;
import io.jans.as.model.common.BackchannelTokenDeliveryMode;
import io.jans.as.model.common.FeatureFlagType;
import io.jans.as.model.common.GrantType;
import io.jans.as.model.common.TokenType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.binding.TokenBindingMessage;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.token.JsonWebResponse;
import io.jans.as.model.token.TokenErrorResponseType;
import io.jans.as.server.audit.ApplicationAuditLogger;
import io.jans.as.server.auth.DpopService;
import io.jans.as.server.authorize.ws.rs.AuthzDetailsService;
import io.jans.as.server.model.audit.Action;
import io.jans.as.server.model.audit.OAuth2AuditLog;
import io.jans.as.server.model.common.AccessToken;
import io.jans.as.server.model.common.AuthorizationCodeGrant;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.model.common.CIBAGrant;
import io.jans.as.server.model.common.CibaRequestCacheControl;
import io.jans.as.server.model.common.CibaRequestStatus;
import io.jans.as.server.model.common.ClientCredentialsGrant;
import io.jans.as.server.model.common.DeviceAuthorizationCacheControl;
import io.jans.as.server.model.common.DeviceAuthorizationStatus;
import io.jans.as.server.model.common.DeviceCodeGrant;
import io.jans.as.server.model.common.ExecutionContext;
import io.jans.as.server.model.common.IdToken;
import io.jans.as.server.model.common.RefreshToken;
import io.jans.as.server.model.common.ResourceOwnerPasswordCredentialsGrant;
import io.jans.as.server.model.config.Constants;
import io.jans.as.server.model.session.SessionClient;
import io.jans.as.server.model.token.JwrService;
import io.jans.as.server.security.Identity;
import io.jans.as.server.service.AuthenticationFilterService;
import io.jans.as.server.service.AuthenticationService;
import io.jans.as.server.service.CleanerTimer;
import io.jans.as.server.service.DeviceAuthorizationService;
import io.jans.as.server.service.GrantService;
import io.jans.as.server.service.SessionIdService;
import io.jans.as.server.service.UserService;
import io.jans.as.server.service.ciba.CibaRequestService;
import io.jans.as.server.service.ciba.CibaRequestsProcessorJob;
import io.jans.as.server.service.external.ExternalResourceOwnerPasswordCredentialsService;
import io.jans.as.server.service.external.ExternalUpdateTokenService;
import io.jans.as.server.service.external.context.ExternalResourceOwnerPasswordCredentialsContext;
import io.jans.as.server.service.external.context.ExternalUpdateTokenContext;
import io.jans.as.server.service.stat.StatService;
import io.jans.as.server.uma.service.UmaTokenService;
import io.jans.as.server.util.ServerUtil;
import io.jans.orm.exception.AuthenticationException;
import io.jans.orm.exception.operation.SearchException;
import io.jans.util.StringHelper;
import jakarta.inject.Inject;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.jetbrains.annotations.Nullable;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;

@Path("/")
/* loaded from: input_file:io/jans/as/server/token/ws/rs/TokenRestWebServiceImpl.class */
public class TokenRestWebServiceImpl implements TokenRestWebService {

    @Inject
    private Logger log;

    @Inject
    private Identity identity;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private UserService userService;

    @Inject
    private GrantService grantService;

    @Inject
    private AuthenticationFilterService authenticationFilterService;

    @Inject
    private AuthenticationService authenticationService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private UmaTokenService umaTokenService;

    @Inject
    private ExternalResourceOwnerPasswordCredentialsService externalResourceOwnerPasswordCredentialsService;

    @Inject
    private AttributeService attributeService;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private CibaRequestService cibaRequestService;

    @Inject
    private DeviceAuthorizationService deviceAuthorizationService;

    @Inject
    private ExternalUpdateTokenService externalUpdateTokenService;

    @Inject
    private TokenRestWebServiceValidator tokenRestWebServiceValidator;

    @Inject
    private TokenExchangeService tokenExchangeService;

    @Inject
    private TokenCreatorService tokenCreatorService;

    @Inject
    private StatService statService;

    @Inject
    private DpopService dPoPService;

    @Inject
    private AuthzDetailsService authzDetailsService;

    @Inject
    private TxTokenService txTokenService;

    @Override // io.jans.as.server.token.ws.rs.TokenRestWebService
    public Response requestAccessToken(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, String str10, String str11, String str12, String str13, String str14, String str15, String str16, String str17, String str18, String str19, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        this.log.debug("Attempting to request access token: grantType = {}, code = {}, redirectUri = {}, username = {}, refreshToken = {}, clientId = {}, ExtraParams = {}, isSecure = {}, codeVerifier = {}, ticket = {}, authorizationDetails = {}", new Object[]{str, str2, str3, str4, str9, str10, ServerUtil.prepareForLogs(httpServletRequest.getParameterMap()), Boolean.valueOf(securityContext.isSecure()), str12, str13, str7});
        if (StringUtils.isNotBlank(str13)) {
            return this.umaTokenService.requestRpt(str, str13, str14, str15, str16, str17, str6, httpServletRequest, httpServletResponse);
        }
        OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpServletRequest), Action.TOKEN_REQUEST);
        oAuth2AuditLog.setClientId(str10);
        oAuth2AuditLog.setUsername(str4);
        oAuth2AuditLog.setScope(str6);
        String header = httpServletRequest.getHeader("Sec-Token-Binding");
        String urlDecode = ServerUtil.urlDecode(str6);
        try {
            this.tokenRestWebServiceValidator.validateParams(str, str2, str3, str9, oAuth2AuditLog);
            GrantType fromString = GrantType.fromString(str);
            this.log.debug("Grant type: '{}'", fromString);
            Client validateClient = this.tokenRestWebServiceValidator.validateClient(getClient(), oAuth2AuditLog);
            this.tokenRestWebServiceValidator.validateGrantType(fromString, validateClient, oAuth2AuditLog);
            String dPoPJwkThumbprint = this.dPoPService.getDPoPJwkThumbprint(httpServletRequest, validateClient, oAuth2AuditLog);
            Function createIdTokenTokingBindingPreprocessing = TokenBindingMessage.createIdTokenTokingBindingPreprocessing(header, validateClient.getIdTokenTokenBindingCnf());
            SessionId sessionId = this.sessionIdService.getSessionId(httpServletRequest);
            java.util.function.Function<JsonWebResponse, Void> wrapWithSidFunction = JwrService.wrapWithSidFunction(createIdTokenTokingBindingPreprocessing, sessionId != null ? sessionId.getOutsideSid() : null);
            ExecutionContext executionContext = new ExecutionContext(httpServletRequest, httpServletResponse);
            executionContext.setCertAsPem(httpServletRequest.getHeader("X-ClientCert"));
            executionContext.setDpop(dPoPJwkThumbprint);
            executionContext.setClient(validateClient);
            executionContext.setAppConfiguration(this.appConfiguration);
            executionContext.setAttributeService(this.attributeService);
            executionContext.setAuditLog(oAuth2AuditLog);
            executionContext.setScopes(StringUtils.isNotBlank(urlDecode) ? new HashSet(Arrays.asList(urlDecode.split(" "))) : new HashSet());
            executionContext.setAuthzDetails(this.authzDetailsService.validateAuthorizationDetails(str7, executionContext));
            if (this.txTokenService.isTxTokenFlow(httpServletRequest)) {
                return this.txTokenService.processTxToken(executionContext);
            }
            if (fromString == GrantType.AUTHORIZATION_CODE) {
                return processAuthorizationCode(str2, urlDecode, str12, sessionId, executionContext);
            }
            if (fromString == GrantType.REFRESH_TOKEN) {
                return processRefreshTokenGrant(urlDecode, str9, wrapWithSidFunction, executionContext);
            }
            if (fromString == GrantType.CLIENT_CREDENTIALS) {
                return processClientGredentials(urlDecode, httpServletRequest, oAuth2AuditLog, validateClient, wrapWithSidFunction, executionContext);
            }
            if (fromString == GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) {
                return processROPC(str4, str5, urlDecode, fromString, wrapWithSidFunction, executionContext);
            }
            if (fromString == GrantType.CIBA) {
                return processCIBA(urlDecode, str18, wrapWithSidFunction, executionContext);
            }
            if (fromString == GrantType.DEVICE_CODE) {
                return processDeviceCodeGrantType(executionContext, str19, urlDecode);
            }
            if (fromString == GrantType.TOKEN_EXCHANGE) {
                return response(Response.ok().entity(this.tokenExchangeService.processTokenExchange(urlDecode, wrapWithSidFunction, executionContext).toString()), oAuth2AuditLog);
            }
            throw new WebApplicationException(this.tokenRestWebServiceValidator.error(400, TokenErrorResponseType.UNSUPPORTED_GRANT_TYPE, "Unsupported Grant Type.").build());
        } catch (WebApplicationException e) {
            throw e;
        } catch (Exception e2) {
            this.log.error(e2.getMessage(), e2);
            return response(Response.status(CibaRequestsProcessorJob.CHUNK_SIZE), oAuth2AuditLog);
        }
    }

    private Response processROPC(String str, String str2, String str3, GrantType grantType, java.util.function.Function<JsonWebResponse, Void> function, ExecutionContext executionContext) throws SearchException {
        boolean z = false;
        User user = null;
        if (this.authenticationFilterService.isEnabled()) {
            String processAuthenticationFilters = this.authenticationFilterService.processAuthenticationFilters(executionContext.getHttpRequest().getParameterMap());
            if (StringHelper.isNotEmpty(processAuthenticationFilters)) {
                user = this.userService.getUserByDn(processAuthenticationFilters, new String[0]);
                z = true;
            }
        }
        if (!z) {
            user = authenticateUser(str, str2, executionContext, user);
        }
        this.tokenRestWebServiceValidator.validateUser(user, executionContext.getAuditLog());
        ResourceOwnerPasswordCredentialsGrant createResourceOwnerPasswordCredentialsGrant = this.authorizationGrantList.createResourceOwnerPasswordCredentialsGrant(user, executionContext.getClient());
        executionContext.setGrant(createResourceOwnerPasswordCredentialsGrant);
        SessionId sessionId = this.identity.getSessionId();
        if (sessionId != null) {
            createResourceOwnerPasswordCredentialsGrant.setAcrValues("simple_password_auth");
            createResourceOwnerPasswordCredentialsGrant.setSessionDn(sessionId.getDn());
            createResourceOwnerPasswordCredentialsGrant.save();
            sessionId.getSessionAttributes().put(Constants.AUTHORIZED_GRANT, grantType.getValue());
            if (!this.sessionIdService.updateSessionId(sessionId, false, true, true)) {
                this.log.debug("Failed to update session entry: '{}'", sessionId.getId());
            }
        }
        RefreshToken createRefreshToken = this.tokenCreatorService.createRefreshToken(executionContext, str3);
        String checkScopesPolicy = createResourceOwnerPasswordCredentialsGrant.checkScopesPolicy(str3);
        AuthzDetails checkAuthzDetailsAndSave = this.authzDetailsService.checkAuthzDetailsAndSave(executionContext.getAuthzDetails(), createResourceOwnerPasswordCredentialsGrant);
        AccessToken createAccessToken = createResourceOwnerPasswordCredentialsGrant.createAccessToken(executionContext);
        IdToken idToken = null;
        if (BooleanUtils.isTrue(this.appConfiguration.getOpenidScopeBackwardCompatibility()) && createResourceOwnerPasswordCredentialsGrant.getScopes().contains(Constants.OX_AUTH_SCOPE_TYPE_OPENID)) {
            boolean equals = Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims());
            ExternalUpdateTokenContext externalUpdateTokenContext = new ExternalUpdateTokenContext(executionContext.getHttpRequest(), createResourceOwnerPasswordCredentialsGrant, executionContext.getClient(), this.appConfiguration, this.attributeService);
            externalUpdateTokenContext.setExecutionContext(executionContext);
            executionContext.setIncludeIdTokenClaims(equals);
            executionContext.setPreProcessing(function);
            executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext));
            idToken = createResourceOwnerPasswordCredentialsGrant.createIdToken(null, null, null, null, null, executionContext);
        }
        executionContext.getAuditLog().updateOAuth2AuditLog(createResourceOwnerPasswordCredentialsGrant, true);
        return response(Response.ok().entity(getJSonResponse(createAccessToken, createAccessToken.getTokenType(), Integer.valueOf(createAccessToken.getExpiresIn()), createRefreshToken, checkScopesPolicy, idToken, checkAuthzDetailsAndSave)), executionContext.getAuditLog());
    }

    private Response processClientGredentials(String str, HttpServletRequest httpServletRequest, OAuth2AuditLog oAuth2AuditLog, Client client, java.util.function.Function<JsonWebResponse, Void> function, ExecutionContext executionContext) {
        ClientCredentialsGrant createClientCredentialsGrant = this.authorizationGrantList.createClientCredentialsGrant(new User(), client);
        String checkScopesPolicy = createClientCredentialsGrant.checkScopesPolicy(str);
        AuthzDetails checkAuthzDetailsAndSave = this.authzDetailsService.checkAuthzDetailsAndSave(executionContext.getAuthzDetails(), createClientCredentialsGrant);
        executionContext.setGrant(createClientCredentialsGrant);
        AccessToken createAccessToken = createClientCredentialsGrant.createAccessToken(executionContext);
        IdToken idToken = null;
        if (BooleanUtils.isTrue(this.appConfiguration.getOpenidScopeBackwardCompatibility()) && createClientCredentialsGrant.getScopes().contains(Constants.OX_AUTH_SCOPE_TYPE_OPENID)) {
            boolean equals = Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims());
            ExternalUpdateTokenContext externalUpdateTokenContext = new ExternalUpdateTokenContext(httpServletRequest, createClientCredentialsGrant, client, this.appConfiguration, this.attributeService);
            executionContext.setIncludeIdTokenClaims(equals);
            executionContext.setPreProcessing(function);
            executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext));
            idToken = createClientCredentialsGrant.createIdToken(null, null, null, null, null, executionContext);
        }
        oAuth2AuditLog.updateOAuth2AuditLog(createClientCredentialsGrant, true);
        return response(Response.ok().entity(getJSonResponse(createAccessToken, createAccessToken.getTokenType(), Integer.valueOf(createAccessToken.getExpiresIn()), null, checkScopesPolicy, idToken, checkAuthzDetailsAndSave)), oAuth2AuditLog);
    }

    private Response processRefreshTokenGrant(String str, String str2, java.util.function.Function<JsonWebResponse, Void> function, ExecutionContext executionContext) {
        Client client = executionContext.getClient();
        OAuth2AuditLog auditLog = executionContext.getAuditLog();
        AuthorizationGrant authorizationGrantByRefreshToken = this.authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), str2);
        this.tokenRestWebServiceValidator.validateGrant(authorizationGrantByRefreshToken, client, str2, auditLog);
        RefreshToken refreshToken = authorizationGrantByRefreshToken.getRefreshToken(str2);
        this.tokenRestWebServiceValidator.validateRefreshToken(refreshToken, auditLog);
        executionContext.setGrant(authorizationGrantByRefreshToken);
        RefreshToken refreshToken2 = null;
        if (BooleanUtils.isFalse(this.appConfiguration.getSkipRefreshTokenDuringRefreshing())) {
            if (BooleanUtils.isTrue(this.appConfiguration.getRefreshTokenExtendLifetimeOnRotation())) {
                refreshToken2 = this.tokenCreatorService.createRefreshToken(executionContext, str);
            } else {
                this.log.trace("Create refresh token with fixed (not extended) lifetime taken from previous refresh token.");
                refreshToken2 = authorizationGrantByRefreshToken.createRefreshToken(executionContext, refreshToken.getExpirationDate());
            }
        }
        authorizationGrantByRefreshToken.checkScopesPolicy(str);
        String scopesAsString = authorizationGrantByRefreshToken.getScopesAsString();
        AuthzDetails checkAuthzDetailsAndSave = this.authzDetailsService.checkAuthzDetailsAndSave(executionContext.getAuthzDetails(), authorizationGrantByRefreshToken);
        AccessToken createAccessToken = authorizationGrantByRefreshToken.createAccessToken(executionContext);
        IdToken idToken = null;
        if (BooleanUtils.isTrue(this.appConfiguration.getOpenidScopeBackwardCompatibility()) && authorizationGrantByRefreshToken.getScopes().contains(Constants.OX_AUTH_SCOPE_TYPE_OPENID)) {
            boolean equals = Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims());
            ExternalUpdateTokenContext externalUpdateTokenContext = new ExternalUpdateTokenContext(executionContext.getHttpRequest(), authorizationGrantByRefreshToken, client, this.appConfiguration, this.attributeService);
            externalUpdateTokenContext.setExecutionContext(executionContext);
            executionContext.setIncludeIdTokenClaims(equals);
            executionContext.setPreProcessing(function);
            executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext));
            idToken = authorizationGrantByRefreshToken.createIdToken(null, null, createAccessToken, null, null, executionContext);
        }
        if (refreshToken2 != null && str2 != null) {
            this.grantService.removeByCode(str2);
        }
        this.tokenExchangeService.rotateDeviceSecretOnRefreshToken(executionContext.getHttpRequest(), authorizationGrantByRefreshToken, scopesAsString);
        this.statService.reportActiveUser(authorizationGrantByRefreshToken.getUserId());
        auditLog.updateOAuth2AuditLog(authorizationGrantByRefreshToken, true);
        return response(Response.ok().entity(getJSonResponse(createAccessToken, createAccessToken.getTokenType(), Integer.valueOf(createAccessToken.getExpiresIn()), refreshToken2, scopesAsString, idToken, checkAuthzDetailsAndSave)), auditLog);
    }

    private Response processAuthorizationCode(String str, String str2, String str3, SessionId sessionId, ExecutionContext executionContext) {
        Client client = executionContext.getClient();
        this.log.debug("Attempting to find authorizationCodeGrant by clientId: '{}', code: '{}'", client.getClientId(), str);
        AuthorizationCodeGrant authorizationCodeGrant = this.authorizationGrantList.getAuthorizationCodeGrant(str);
        executionContext.setGrant(authorizationCodeGrant);
        this.log.trace("AuthorizationCodeGrant : '{}'", authorizationCodeGrant);
        this.tokenRestWebServiceValidator.validateGrant(authorizationCodeGrant, client, str, executionContext.getAuditLog(), authorizationGrant -> {
            this.grantService.removeAllByAuthorizationCode(str);
        });
        this.tokenRestWebServiceValidator.validatePKCE(authorizationCodeGrant, str3, executionContext.getAuditLog());
        this.dPoPService.validateDpopThumprint(authorizationCodeGrant.getDpopJkt(), executionContext.getDpop());
        authorizationCodeGrant.setIsCachedWithNoPersistence(false);
        authorizationCodeGrant.save();
        RefreshToken createRefreshToken = this.tokenCreatorService.createRefreshToken(executionContext, str2);
        String checkScopesPolicy = authorizationCodeGrant.checkScopesPolicy(str2);
        AuthzDetails checkAuthzDetailsAndSave = this.authzDetailsService.checkAuthzDetailsAndSave(executionContext.getAuthzDetails(), authorizationCodeGrant);
        AccessToken createAccessToken = authorizationCodeGrant.createAccessToken(executionContext);
        String createNewDeviceSecret = this.tokenExchangeService.createNewDeviceSecret(authorizationCodeGrant.getSessionDn(), client, authorizationCodeGrant.getScopesAsString());
        IdToken idToken = null;
        if (authorizationCodeGrant.getScopes().contains(Constants.OX_AUTH_SCOPE_TYPE_OPENID)) {
            String nonce = authorizationCodeGrant.getNonce();
            boolean equals = Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims());
            String idTokenTokenBindingCnf = client.getIdTokenTokenBindingCnf();
            java.util.function.Function function = jsonWebResponse -> {
                if (!StringUtils.isNotBlank(idTokenTokenBindingCnf) || !StringUtils.isNotBlank(authorizationCodeGrant.getTokenBindingHash())) {
                    return null;
                }
                TokenBindingMessage.setCnfClaim(jsonWebResponse, authorizationCodeGrant.getTokenBindingHash(), idTokenTokenBindingCnf);
                return null;
            };
            ExternalUpdateTokenContext externalUpdateTokenContext = new ExternalUpdateTokenContext(executionContext.getHttpRequest(), authorizationCodeGrant, client, this.appConfiguration, this.attributeService);
            executionContext.setDeviceSecret(createNewDeviceSecret);
            executionContext.setIncludeIdTokenClaims(equals);
            executionContext.setPreProcessing(JwrService.wrapWithSidFunction(function, sessionId != null ? sessionId.getOutsideSid() : null));
            executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext));
            idToken = authorizationCodeGrant.createIdToken(nonce, authorizationCodeGrant.getAuthorizationCode(), createAccessToken, null, null, executionContext);
        }
        executionContext.getAuditLog().updateOAuth2AuditLog(authorizationCodeGrant, true);
        this.grantService.removeAuthorizationCode(authorizationCodeGrant.getAuthorizationCode().getCode());
        JSONObject jSONObject = new JSONObject();
        try {
            fillJsonObject(jSONObject, createAccessToken, createAccessToken.getTokenType(), Integer.valueOf(createAccessToken.getExpiresIn()), createRefreshToken, checkScopesPolicy, idToken, checkAuthzDetailsAndSave);
            if (StringUtils.isNotBlank(createNewDeviceSecret)) {
                jSONObject.put("device_token", createNewDeviceSecret);
            }
        } catch (JSONException e) {
            this.log.error(e.getMessage(), e);
        }
        return response(Response.ok().entity(jSONObject.toString()), executionContext.getAuditLog());
    }

    @Nullable
    private Client getClient() {
        SessionClient sessionClient = this.identity.getSessionClient();
        Client client = null;
        if (sessionClient != null) {
            client = sessionClient.getClient();
            this.log.debug("Get sessionClient: '{}'", sessionClient);
        }
        return client;
    }

    private User authenticateUser(String str, String str2, ExecutionContext executionContext, User user) {
        if (this.externalResourceOwnerPasswordCredentialsService.isEnabled()) {
            ExternalResourceOwnerPasswordCredentialsContext externalResourceOwnerPasswordCredentialsContext = new ExternalResourceOwnerPasswordCredentialsContext(executionContext);
            externalResourceOwnerPasswordCredentialsContext.setUser(user);
            if (this.externalResourceOwnerPasswordCredentialsService.executeExternalAuthenticate(externalResourceOwnerPasswordCredentialsContext)) {
                this.log.trace("RO PC - User is authenticated successfully by external script.");
                user = externalResourceOwnerPasswordCredentialsContext.getUser();
            }
        } else {
            try {
                if (this.authenticationService.authenticate(str, str2)) {
                    user = this.authenticationService.getAuthenticatedUser();
                }
            } catch (AuthenticationException e) {
                this.log.trace("Failed to authenticate user ", new RuntimeException("User name or password is invalid"));
            }
        }
        return user;
    }

    private Response processDeviceCodeGrantType(ExecutionContext executionContext, String str, String str2) {
        this.log.debug("Attempting to find authorizationGrant by deviceCode: '{}'", str);
        Client client = executionContext.getClient();
        DeviceCodeGrant deviceCodeGrant = this.authorizationGrantList.getDeviceCodeGrant(str);
        executionContext.setGrant(deviceCodeGrant);
        this.log.trace("DeviceCodeGrant : '{}'", deviceCodeGrant);
        if (deviceCodeGrant != null) {
            if (!deviceCodeGrant.getClientId().equals(client.getClientId())) {
                throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT, "The client is not authorized."), executionContext.getAuditLog()));
            }
            RefreshToken createRefreshToken = this.tokenCreatorService.createRefreshToken(executionContext, str2);
            AccessToken createAccessToken = deviceCodeGrant.createAccessToken(executionContext);
            ExternalUpdateTokenContext externalUpdateTokenContext = new ExternalUpdateTokenContext(executionContext.getHttpRequest(), deviceCodeGrant, client, this.appConfiguration, this.attributeService);
            externalUpdateTokenContext.setExecutionContext(executionContext);
            executionContext.setIncludeIdTokenClaims(Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims()));
            executionContext.setPreProcessing(null);
            executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext));
            IdToken createIdToken = deviceCodeGrant.createIdToken(null, null, createAccessToken, createRefreshToken, null, executionContext);
            deviceCodeGrant.checkScopesPolicy(str2);
            AuthzDetails checkAuthzDetailsAndSave = this.authzDetailsService.checkAuthzDetailsAndSave(executionContext.getAuthzDetails(), deviceCodeGrant);
            this.log.info("Device authorization in token endpoint processed and return to the client, device_code: {}", deviceCodeGrant.getDeviceCode());
            executionContext.getAuditLog().updateOAuth2AuditLog(deviceCodeGrant, true);
            this.grantService.removeByCode(deviceCodeGrant.getDeviceCode());
            return Response.ok().entity(getJSonResponse(createAccessToken, createAccessToken.getTokenType(), Integer.valueOf(createAccessToken.getExpiresIn()), createRefreshToken, str2, createIdToken, checkAuthzDetailsAndSave)).build();
        }
        DeviceAuthorizationCacheControl deviceAuthzByDeviceCode = this.deviceAuthorizationService.getDeviceAuthzByDeviceCode(str);
        this.log.trace("DeviceAuthorizationCacheControl data : '{}'", deviceAuthzByDeviceCode);
        this.tokenRestWebServiceValidator.validateDeviceAuthorization(client, str, deviceAuthzByDeviceCode, executionContext.getAuditLog());
        long time = new Date().getTime();
        Long lastAccessControl = deviceAuthzByDeviceCode.getLastAccessControl();
        if (lastAccessControl == null) {
            lastAccessControl = Long.valueOf(time);
        }
        deviceAuthzByDeviceCode.setLastAccessControl(time);
        this.deviceAuthorizationService.saveInCache(deviceAuthzByDeviceCode, true, true);
        if (deviceAuthzByDeviceCode.getStatus() != DeviceAuthorizationStatus.PENDING) {
            if (deviceAuthzByDeviceCode.getStatus() == DeviceAuthorizationStatus.DENIED) {
                this.log.debug("The end-user denied the authorization request for deviceCode: '{}'", str);
                throw new WebApplicationException(response(error(400, TokenErrorResponseType.ACCESS_DENIED, "The end-user denied the authorization request."), executionContext.getAuditLog()));
            }
            this.log.debug("The authentication request has expired for deviceCode: '{}'", str);
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.EXPIRED_TOKEN, "The authentication request has expired"), executionContext.getAuditLog()));
        }
        if (time - lastAccessControl.longValue() > this.appConfiguration.getBackchannelAuthenticationResponseInterval() * CleanerTimer.BATCH_SIZE) {
            this.log.debug("Access hasn't been granted yet for deviceCode: '{}'", str);
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.AUTHORIZATION_PENDING, "User hasn't answered yet"), executionContext.getAuditLog()));
        }
        this.log.debug("Slow down protection deviceCode: '{}'", str);
        throw new WebApplicationException(response(error(400, TokenErrorResponseType.SLOW_DOWN, "Client is asking too fast the token."), executionContext.getAuditLog()));
    }

    private Response response(Response.ResponseBuilder responseBuilder, OAuth2AuditLog oAuth2AuditLog) {
        responseBuilder.cacheControl(ServerUtil.cacheControl(true, false));
        responseBuilder.header(DpopService.PRAGMA, DpopService.NO_CACHE);
        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
        return responseBuilder.build();
    }

    private Response.ResponseBuilder error(int i, TokenErrorResponseType tokenErrorResponseType, String str) {
        return Response.status(i).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(tokenErrorResponseType, str));
    }

    public String getJSonResponse(AccessToken accessToken, TokenType tokenType, Integer num, RefreshToken refreshToken, String str, IdToken idToken, AuthzDetails authzDetails) {
        JSONObject jSONObject = new JSONObject();
        try {
            fillJsonObject(jSONObject, accessToken, tokenType, num, refreshToken, str, idToken, authzDetails);
        } catch (JSONException e) {
            this.log.error(e.getMessage(), e);
        }
        return jSONObject.toString();
    }

    public static void fillJsonObject(JSONObject jSONObject, AccessToken accessToken, TokenType tokenType, Integer num, RefreshToken refreshToken, String str, IdToken idToken, AuthzDetails authzDetails) {
        jSONObject.put(StatService.ACCESS_TOKEN_KEY, accessToken.getCode());
        jSONObject.put("token_type", tokenType.toString());
        if (num != null) {
            jSONObject.put("expires_in", num);
        }
        if (refreshToken != null) {
            jSONObject.put(StatService.REFRESH_TOKEN_KEY, refreshToken.getCode());
        }
        if (str != null) {
            jSONObject.put("scope", str);
        }
        if (idToken != null) {
            jSONObject.put(StatService.ID_TOKEN_KEY, idToken.getCode());
        }
        if (authzDetails == null || authzDetails.getDetails() == null || authzDetails.getDetails().isEmpty()) {
            return;
        }
        jSONObject.put("authorization_details", authzDetails.asJsonArray());
    }

    private Response processCIBA(String str, String str2, java.util.function.Function<JsonWebResponse, Void> function, ExecutionContext executionContext) {
        this.errorResponseFactory.validateFeatureEnabled(FeatureFlagType.CIBA);
        this.log.debug("Attempting to find authorizationGrant by authReqId: '{}'", str2);
        CIBAGrant cIBAGrant = this.authorizationGrantList.getCIBAGrant(str2);
        executionContext.setGrant(cIBAGrant);
        this.log.trace("AuthorizationGrant : '{}'", cIBAGrant);
        Client client = executionContext.getClient();
        if (cIBAGrant == null) {
            return processCIBAIfGrantIsNull(str2, executionContext);
        }
        this.tokenRestWebServiceValidator.validateGrant(cIBAGrant, client, str2, executionContext.getAuditLog());
        if (cIBAGrant.getClient().getBackchannelTokenDeliveryMode() != BackchannelTokenDeliveryMode.PING && cIBAGrant.getClient().getBackchannelTokenDeliveryMode() != BackchannelTokenDeliveryMode.POLL) {
            this.log.debug("Client is not using Poll flow authReqId: '{}'", str2);
            return response(error(400, TokenErrorResponseType.UNAUTHORIZED_CLIENT, "The client is not authorized as it is configured in Push Mode"), executionContext.getAuditLog());
        }
        if (cIBAGrant.isTokensDelivered()) {
            return response(error(400, TokenErrorResponseType.INVALID_GRANT, "AuthReqId is no longer available."), executionContext.getAuditLog());
        }
        RefreshToken createRefreshToken = this.tokenCreatorService.createRefreshToken(executionContext, str);
        AccessToken createAccessToken = cIBAGrant.createAccessToken(executionContext);
        ExternalUpdateTokenContext externalUpdateTokenContext = new ExternalUpdateTokenContext(executionContext.getHttpRequest(), cIBAGrant, client, this.appConfiguration, this.attributeService);
        externalUpdateTokenContext.setExecutionContext(executionContext);
        executionContext.setIncludeIdTokenClaims(Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims()));
        executionContext.setPreProcessing(function);
        executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext));
        IdToken createIdToken = cIBAGrant.createIdToken(null, null, createAccessToken, createRefreshToken, null, executionContext);
        cIBAGrant.setTokensDelivered(true);
        cIBAGrant.save();
        RefreshToken refreshToken = null;
        if (this.tokenCreatorService.isRefreshTokenAllowed(client, str, cIBAGrant)) {
            refreshToken = createRefreshToken;
        }
        String checkScopesPolicy = cIBAGrant.checkScopesPolicy(str);
        AuthzDetails checkAuthzDetailsAndSave = this.authzDetailsService.checkAuthzDetailsAndSave(executionContext.getAuthzDetails(), cIBAGrant);
        executionContext.getAuditLog().updateOAuth2AuditLog(cIBAGrant, true);
        return response(Response.ok().entity(getJSonResponse(createAccessToken, createAccessToken.getTokenType(), Integer.valueOf(createAccessToken.getExpiresIn()), refreshToken, checkScopesPolicy, createIdToken, checkAuthzDetailsAndSave)), executionContext.getAuditLog());
    }

    private Response processCIBAIfGrantIsNull(String str, ExecutionContext executionContext) {
        CibaRequestCacheControl cibaRequest = this.cibaRequestService.getCibaRequest(str);
        this.log.trace("Ciba request : '{}'", cibaRequest);
        if (cibaRequest == null) {
            this.log.debug("AuthorizationGrant is empty by authReqId: '{}'", str);
            return response(error(400, TokenErrorResponseType.EXPIRED_TOKEN, "Unable to find grant object for given auth_req_id."), executionContext.getAuditLog());
        }
        if (!cibaRequest.getClient().getClientId().equals(executionContext.getClient().getClientId())) {
            return response(error(400, TokenErrorResponseType.INVALID_GRANT, "The client is not authorized."), executionContext.getAuditLog());
        }
        long time = new Date().getTime();
        Long lastAccessControl = cibaRequest.getLastAccessControl();
        if (lastAccessControl == null) {
            lastAccessControl = Long.valueOf(time);
        }
        cibaRequest.setLastAccessControl(Long.valueOf(time));
        this.cibaRequestService.update(cibaRequest);
        if (cibaRequest.getStatus() == CibaRequestStatus.PENDING) {
            if (time - lastAccessControl.longValue() > this.appConfiguration.getBackchannelAuthenticationResponseInterval() * CleanerTimer.BATCH_SIZE) {
                this.log.debug("Access hasn't been granted yet for authReqId: '{}'", str);
                return response(error(400, TokenErrorResponseType.AUTHORIZATION_PENDING, "User hasn't answered yet"), executionContext.getAuditLog());
            }
            this.log.debug("Slow down protection authReqId: '{}'", str);
            return response(error(400, TokenErrorResponseType.SLOW_DOWN, "Client is asking too fast the token."), executionContext.getAuditLog());
        }
        if (cibaRequest.getStatus() == CibaRequestStatus.DENIED) {
            this.log.debug("The end-user denied the authorization request for authReqId: '{}'", str);
            return response(error(400, TokenErrorResponseType.ACCESS_DENIED, "The end-user denied the authorization request."), executionContext.getAuditLog());
        }
        if (cibaRequest.getStatus() != CibaRequestStatus.EXPIRED) {
            return response(error(400, TokenErrorResponseType.EXPIRED_TOKEN, "Unable to find grant object for given auth_req_id."), executionContext.getAuditLog());
        }
        this.log.debug("The authentication request has expired for authReqId: '{}'", str);
        return response(error(400, TokenErrorResponseType.EXPIRED_TOKEN, "The authentication request has expired"), executionContext.getAuditLog());
    }
}
