package org.keycloak.authentication.authenticators.client;

import jakarta.ws.rs.core.Response;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.ClientAuthenticationFlowContext;
import org.keycloak.keys.Attributes;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.OIDCClientSecretConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;

/* loaded from: input_file:org/keycloak/authentication/authenticators/client/JWTClientSecretAuthenticator.class */
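/**
 * Client authenticator for the OIDC {@code client_secret_jwt} method: the client proves possession
 * of its client secret by presenting a JWT client assertion whose signature is verified with that
 * secret.
 *
 * <p>Order of checks in {@link #authenticateClient}: assertion request parameters, JWS parsing,
 * client lookup, signature algorithm, presence and expiry of the client secret, signature (current
 * secret first, then a not-yet-expired rotated secret), audience (realm issuer or token endpoint),
 * token claims, and token reuse. Every failure is reported to the flow context as
 * {@link AuthenticationFlowError#INVALID_CLIENT_CREDENTIALS}.
 */
public class JWTClientSecretAuthenticator extends AbstractClientAuthenticator {

    /** Provider id under which this authenticator is registered. */
    public static final String PROVIDER_ID = "client-secret-jwt";

    /**
     * Authenticates the client from its JWT client assertion.
     *
     * <p>All outcomes go through {@code context}: {@code success()} once every check passed,
     * {@code failure(INVALID_CLIENT_CREDENTIALS, ...)} otherwise. When one of the validator's own
     * boolean checks ({@code clientAssertionParametersValidation}, {@code validateClient},
     * {@code validateSignatureAlgorithm}) returns {@code false} this method simply returns;
     * presumably the validator has already recorded the failure on the context — confirm in
     * JWTClientValidator.
     *
     * <p>Exceptions thrown after the secret checks are logged server-side with their original
     * cause, but the client only receives the generic "unauthorized_client" error response.
     *
     * @param context the client authentication flow context
     */
    public void authenticateClient(ClientAuthenticationFlowContext context) {
        JWTClientValidator validator = new JWTClientValidator(context);
        if (!validator.clientAssertionParametersValidation()) {
            return;
        }
        try {
            validator.readJws();
            if (!validator.validateClient() || !validator.validateSignatureAlgorithm()) {
                return;
            }
            RealmModel realm = validator.getRealm();
            ClientModel client = validator.getClient();
            JsonWebToken token = validator.getToken();
            String clientAssertion = validator.getClientAssertion();

            // A client without a secret cannot have produced a secret-signed assertion.
            if (client.getSecret() == null) {
                context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, null);
                return;
            }
            // An expired secret must not authenticate even if the signature would verify.
            OIDCClientSecretConfigWrapper secretConfig = OIDCClientSecretConfigWrapper.fromClientModel(client);
            if (secretConfig.isClientSecretExpired()) {
                context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, null);
                return;
            }

            try {
                if (!isSignatureValid(context, clientAssertion, client, secretConfig)) {
                    throw new RuntimeException("Signature on JWT token by client secret  failed validation");
                }
                // Either the realm issuer or the realm's token endpoint is an acceptable audience.
                String issuerUrl = Urls.realmIssuer(context.getUriInfo().getBaseUri(), realm.getName());
                String tokenUrl = OIDCLoginProtocolService.tokenUrl(context.getUriInfo().getBaseUriBuilder())
                        .build(realm.getName()).toString();
                if (!token.hasAudience(issuerUrl) && !token.hasAudience(tokenUrl)) {
                    throw new RuntimeException("Token audience doesn't match domain. Realm issuer is '" + issuerUrl
                            + "' but audience from token is '" + Arrays.asList(token.getAudience()).toString() + "'");
                }
                validator.validateToken();
                // NOTE(review): presumably the replay (jti) check — confirm in JWTClientValidator.
                validator.validateTokenReuse();
                context.success();
            } catch (RuntimeException e) {
                // Every failure past the secret checks is surfaced under the generic signature
                // message; the original cause is preserved for the server-side log below.
                throw new RuntimeException("Signature on JWT token by client secret failed validation",
                        e.getCause() != null ? e.getCause() : e);
            }
        } catch (Exception e) {
            ServicesLogger.LOGGER.errorValidatingAssertion(e);
            context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS,
                    ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client",
                            "Client authentication with client secret signed JWT failed: " + e.getMessage()));
        }
    }

    /**
     * Verifies the assertion signature against the client's current secret and, only if that
     * fails, against a rotated secret that has not yet expired.
     *
     * @param context         the flow context providing the session's token decoder
     * @param clientAssertion the raw JWT client assertion
     * @param client          the client whose current secret is tried first
     * @param secretConfig    secret-rotation settings of {@code client}
     * @return {@code true} if {@code decodeClientJWT} accepted the assertion with either secret
     *         (it returns {@code null} when the signature does not verify)
     */
    private static boolean isSignatureValid(ClientAuthenticationFlowContext context, String clientAssertion,
            ClientModel client, OIDCClientSecretConfigWrapper secretConfig) {
        boolean valid = context.getSession().tokens()
                .decodeClientJWT(clientAssertion, client, JsonWebToken.class) != null;
        if (!valid && secretConfig.hasRotatedSecret() && !secretConfig.isClientRotatedSecretExpired()) {
            valid = context.getSession().tokens()
                    .decodeClientJWT(clientAssertion, secretConfig.toRotatedClientModel(), JsonWebToken.class) != null;
        }
        return valid;
    }

    /** This authenticator has no per-execution configuration. */
    public boolean isConfigurable() {
        return false;
    }

    /** No per-client configuration properties are exposed. */
    public List<ProviderConfigProperty> getConfigPropertiesPerClient() {
        return Collections.emptyList();
    }

    /**
     * Builds the adapter-side configuration for this authenticator: the client secret and, when
     * the client pins one, the signing algorithm, nested under the {@code "secret-jwt"} key.
     *
     * <p>The returned map carries the client secret in clear text; callers must not log it.
     *
     * @param client the client whose secret and signing algorithm are exported
     * @return a mutable map with a single {@code "secret-jwt"} entry
     */
    public Map<String, Object> getAdapterConfiguration(ClientModel client) {
        Map<String, Object> secretJwt = new HashMap<>();
        secretJwt.put("secret", client.getSecret());
        String signingAlg = client.getAttribute("token.endpoint.auth.signing.alg");
        if (signingAlg != null) {
            secretJwt.put(Attributes.ALGORITHM_KEY, signingAlg);
        }
        Map<String, Object> config = new HashMap<>();
        config.put("secret-jwt", secretJwt);
        return config;
    }

    /**
     * Returns the client authentication methods this authenticator provides for a login protocol.
     *
     * @param loginProtocol the login protocol id; {@code null} is treated as unsupported
     * @return {@code client_secret_jwt} for OIDC, an empty set for any other protocol
     */
    public Set<String> getProtocolAuthenticatorMethods(String loginProtocol) {
        // Constant-first equals avoids an NPE on a null protocol id.
        if (!OIDCLoginProtocol.LOGIN_PROTOCOL.equals(loginProtocol)) {
            return Collections.emptySet();
        }
        Set<String> methods = new HashSet<>();
        methods.add(OIDCLoginProtocol.CLIENT_SECRET_JWT);
        return methods;
    }

    /** The client secret is the credential this authenticator verifies. */
    public boolean supportsSecret() {
        return true;
    }

    public String getId() {
        return PROVIDER_ID;
    }

    public String getDisplayType() {
        return "Signed Jwt with Client Secret";
    }

    /** Requirement choices are shared with the other client authenticators via the superclass. */
    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return REQUIREMENT_CHOICES;
    }

    public String getHelpText() {
        return "Validates client based on signed JWT issued by client and signed with the Client Secret";
    }

    /** No provider-level configuration properties; a fresh mutable list is returned each call. */
    public List<ProviderConfigProperty> getConfigProperties() {
        return new LinkedList<>();
    }
}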
