package io.helidon.security.providers.oidc;

import io.helidon.common.Errors;
import io.helidon.common.LazyValue;
import io.helidon.common.Severity;
import io.helidon.common.parameters.Parameters;
import io.helidon.http.HeaderNames;
import io.helidon.http.HeaderValues;
import io.helidon.http.Status;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.EndpointConfig;
import io.helidon.security.Grant;
import io.helidon.security.Principal;
import io.helidon.security.ProviderRequest;
import io.helidon.security.Role;
import io.helidon.security.SecurityEnvironment;
import io.helidon.security.SecurityException;
import io.helidon.security.SecurityLevel;
import io.helidon.security.SecurityResponse;
import io.helidon.security.Subject;
import io.helidon.security.abac.scope.ScopeValidator;
import io.helidon.security.jwt.Jwt;
import io.helidon.security.jwt.JwtException;
import io.helidon.security.jwt.JwtUtil;
import io.helidon.security.jwt.JwtValidator;
import io.helidon.security.jwt.SignedJwt;
import io.helidon.security.providers.common.TokenCredential;
import io.helidon.security.providers.oidc.common.OidcConfig;
import io.helidon.security.providers.oidc.common.Tenant;
import io.helidon.security.providers.oidc.common.TenantConfig;
import io.helidon.security.util.TokenHandler;
import io.helidon.webclient.api.HttpClientRequest;
import io.helidon.webclient.api.HttpClientResponse;
import jakarta.json.JsonObject;
import java.io.StringReader;
import java.lang.System;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.function.BiConsumer;
import java.util.function.BiFunction;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/* loaded from: input_file:io/helidon/security/providers/oidc/TenantAuthenticationHandler.class */
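/**
 * Authenticates a request against one OIDC tenant.
 * <p>
 * The handler locates the id token and the access token in the configured locations
 * (header, query parameter or its header alternative, cookie), validates them
 * (signature via the tenant JWKs or remote introspection; time, {@code crit},
 * subject, audience and issuer claims; required scopes) and either builds the
 * authenticated {@link Subject} or produces the failure response, which is a redirect
 * to the tenant's authorization endpoint when redirects are enabled.
 * <p>
 * This listing is decompiled output ({@code TenantAuthenticationHandler.class}); local and
 * parameter names were reconstructed from how the values are used.
 */
class TenantAuthenticationHandler {
    private static final System.Logger LOGGER = System.getLogger(TenantAuthenticationHandler.class.getName());
    // Header alternatives for the access / id token query parameters (a front end may move a
    // token from the query string into one of these headers).
    private static final TokenHandler PARAM_HEADER_HANDLER = TokenHandler.forHeader("X_OIDC_TOKEN_HEADER");
    private static final TokenHandler PARAM_ID_HEADER_HANDLER = TokenHandler.forHeader("X_OIDC_ID_TOKEN_HEADER");
    // Created on first use; SecureRandom construction may block while seeding.
    private static final LazyValue<SecureRandom> RANDOM = LazyValue.create(SecureRandom::new);
    // Time claims only (exp/iat/nbf); used to decide whether an access token needs a refresh.
    private static final JwtValidator TIME_VALIDATORS = JwtValidator.builder().addDefaultTimeValidators().build();
    // When true, failures abstain instead of failing the whole authentication.
    private final boolean optional;
    private final OidcConfig oidcConfig;
    private final TenantConfig tenantConfig;
    private final Tenant tenant;
    // When true, entries of the JWT groups claim become Role grants.
    private final boolean useJwtGroups;
    // Signature validation strategy: JWK verification or remote introspection (chosen per tenant).
    private final BiFunction<SignedJwt, Errors.Collector, Errors.Collector> jwtValidator;
    // Appends one requested scope, prefixed with the configured scope audience when present.
    private final BiConsumer<StringBuilder, String> scopeAppender;
    // Extracts the redirect-attempt counter from the original URI's query string.
    private final Pattern attemptPattern;

    /**
     * Creates the handler for one tenant.
     *
     * @param oidcConfig   provider-wide OIDC configuration (token locations, cookie handlers, redirect settings)
     * @param tenant       resolved tenant (JWKs, endpoints, web client)
     * @param useJwtGroups whether entries of the JWT groups claim become {@link Role} grants
     * @param optional     when {@code true}, failures abstain instead of failing authentication
     */
    public TenantAuthenticationHandler(OidcConfig oidcConfig, Tenant tenant, boolean useJwtGroups, boolean optional) {
        this.oidcConfig = oidcConfig;
        this.tenant = tenant;
        this.tenantConfig = tenant.tenantConfig();
        this.useJwtGroups = useJwtGroups;
        this.optional = optional;
        // The parameter name is configuration, not a regular expression: quote it so a name
        // containing regex metacharacters (e.g. a dot) cannot match arbitrary characters.
        this.attemptPattern = Pattern.compile(".*?" + Pattern.quote(oidcConfig.redirectAttemptParam()) + "=(\\d+).*");
        this.jwtValidator = this.tenantConfig.validateJwtWithJwk()
                ? this::validateWithJwk
                : this::validateWithIntrospection;
        this.scopeAppender = scopeAppender(this.tenantConfig.scopeAudience());
    }

    /**
     * Verifies the token signature against the tenant's JWK set and copies every verification
     * message into {@code collector} at its severity (unknown severities are recorded as hints).
     *
     * @param signedJwt token to verify
     * @param collector collector receiving the verification outcome
     * @return the same collector, for chaining
     */
    private Errors.Collector validateWithJwk(SignedJwt signedJwt, Errors.Collector collector) {
        signedJwt.verifySignature(tenant.signJwk()).forEach(errorMessage -> {
            switch (errorMessage.getSeverity()) {
            case FATAL -> collector.fatal(errorMessage.getSource(), errorMessage.getMessage());
            case WARN -> collector.warn(errorMessage.getSource(), errorMessage.getMessage());
            default -> collector.hint(errorMessage.getSource(), errorMessage.getMessage());
            }
        });
        return collector;
    }

    /**
     * Validates the token remotely at the tenant's introspection endpoint (OAuth 2.0 token
     * introspection): posts {@code token=...} and reads the {@code active} flag of the JSON response.
     * Every failure mode (inactive token, non-success status, unreadable entity, request failure)
     * is recorded on the collector as fatal; nothing is thrown, so the caller treats the token as invalid.
     *
     * @param signedJwt token to introspect
     * @param collector collector receiving the outcome
     * @return the same collector, for chaining
     */
    private Errors.Collector validateWithIntrospection(SignedJwt signedJwt, Errors.Collector collector) {
        Parameters.Builder form = Parameters.builder("oidc-form-params")
                .add("token", signedJwt.tokenContent());
        HttpClientRequest request = tenant.appWebClient()
                .post()
                .uri(tenant.introspectUri())
                .header(HeaderValues.ACCEPT_JSON)
                // an introspection result must never be served from or stored in a cache
                .headers(headers -> headers.add(HeaderNames.CACHE_CONTROL, "no-cache, no-store, must-revalidate"));
        // adds the client authentication configured for introspection requests
        OidcUtil.updateRequest(OidcConfig.RequestType.INTROSPECT_JWT, tenantConfig, form);
        // try-with-resources: the response is closed on every path, including when reading the
        // status itself fails (the decompiled form only closed it after a successful read)
        try (HttpClientResponse response = request.submit(form.build())) {
            if (response.status().family() == Status.Family.SUCCESSFUL) {
                try {
                    JsonObject json = response.as(JsonObject.class);
                    if (!json.getBoolean("active")) {
                        collector.fatal(json, "Token is not active");
                    }
                } catch (Exception e) {
                    collector.fatal(e, "Failed to validate token, request failed: Failed to read JSON from response");
                }
            } else {
                try {
                    collector.fatal(response.status(),
                                    "Failed to validate token, response status: " + response.status()
                                            + ", entity: " + response.as(String.class));
                } catch (Exception e) {
                    collector.fatal(e, "Failed to validate token, request failed: Failed to process error entity");
                }
            }
        } catch (Exception e) {
            collector.fatal(e, "Failed to validate token, request failed: Failed to invoke request");
        }
        return collector;
    }

    /**
     * Builds the function that appends a requested scope to the scope string, prefixing it with the
     * configured scope audience (with exactly one {@code /} separator) when an audience is configured.
     *
     * @param scopeAudience configured scope audience, may be {@code null} or empty
     * @return appender writing {@code scope} or {@code audience/scope}
     */
    private static BiConsumer<StringBuilder, String> scopeAppender(String scopeAudience) {
        if (scopeAudience == null || scopeAudience.isEmpty()) {
            return StringBuilder::append;
        }
        String prefix = scopeAudience.endsWith("/") ? scopeAudience : scopeAudience + "/";
        return (sb, scope) -> sb.append(prefix).append(scope);
    }

    /**
     * Entry point for one request. Looks for an id token (header alternative, query parameter,
     * cookie); when one is found it is validated and the access token is processed afterwards,
     * otherwise the access token is processed on its own.
     *
     * @param tenantId        tenant this request was resolved to ({@code @default} for the default tenant)
     * @param providerRequest request being authenticated
     * @return success with the subject, a failure, an abstain (when optional) or a redirect to the identity server
     */
    public AuthenticationResponse authenticate(String tenantId, ProviderRequest providerRequest) {
        Optional<String> idToken = Optional.empty();
        try {
            if (oidcConfig.useParam()) {
                idToken = PARAM_ID_HEADER_HANDLER.extractToken(providerRequest.env().headers());
                if (idToken.isEmpty()) {
                    idToken = providerRequest.env().queryParams().first(oidcConfig.idTokenParamName()).asOptional();
                }
            }
            if (oidcConfig.useCookie() && idToken.isEmpty()) {
                Optional<String> cookieToken = oidcConfig.idTokenCookieHandler().findCookie(providerRequest.env().headers());
                if (cookieToken.isPresent()) {
                    try {
                        return validateIdToken(tenantId, providerRequest, cookieToken.get());
                    } catch (Exception e) {
                        if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
                            LOGGER.log(System.Logger.Level.DEBUG, "Invalid id token in cookie", e);
                        }
                        return errorResponse(providerRequest, Status.UNAUTHORIZED_401, null, "Invalid id token", tenantId);
                    }
                }
            }
            return idToken.isPresent()
                    ? validateIdToken(tenantId, providerRequest, idToken.get())
                    : processAccessToken(tenantId, providerRequest, null);
        } catch (SecurityException e) {
            LOGGER.log(System.Logger.Level.DEBUG, "Failed to extract token from one of the configured locations", e);
            return failOrAbstain("Failed to extract one of the configured tokens" + e);
        }
    }

    /**
     * Locates the access token (header, query parameter or its header alternative, cookie) and validates it.
     * <p>
     * The cookie form holds base64-encoded JSON with {@code accessToken} and {@code remotePeer}
     * (the shape written by {@link #refreshAccessToken}); when the IP check is enabled the peer
     * recorded in the cookie must equal the current {@code userIp} attribute.
     *
     * @param tenantId        tenant identifier
     * @param providerRequest request being authenticated
     * @param idToken         already validated id token, or {@code null} when the request carried none;
     *                        when present it is the source of the principal's claims
     * @return validation outcome, or a 401 failure/redirect when no token was found or the cookie is unusable
     */
    private AuthenticationResponse processAccessToken(String tenantId, ProviderRequest providerRequest, Jwt idToken) {
        List<String> missingLocations = new ArrayList<>();
        Optional<String> token = Optional.empty();
        try {
            if (oidcConfig.useHeader()) {
                token = token.or(() -> oidcConfig.headerHandler().extractToken(providerRequest.env().headers()));
                if (token.isEmpty()) {
                    missingLocations.add("header");
                }
            }
            if (oidcConfig.useParam()) {
                token = token.or(() -> PARAM_HEADER_HANDLER.extractToken(providerRequest.env().headers()));
                if (token.isEmpty()) {
                    token = token.or(() -> providerRequest.env().queryParams().first(oidcConfig.paramName()).asOptional());
                }
                if (token.isEmpty()) {
                    missingLocations.add("query-param");
                }
            }
            if (oidcConfig.useCookie() && token.isEmpty()) {
                Optional<String> cookieValue = oidcConfig.tokenCookieHandler().findCookie(providerRequest.env().headers());
                if (cookieValue.isPresent()) {
                    try {
                        JsonObject cookieJson = OidcFeature.JSON_READER_FACTORY
                                .createReader(new StringReader(
                                        new String(Base64.getDecoder().decode(cookieValue.get()), StandardCharsets.UTF_8)))
                                .readObject();
                        // NOTE(review): "userIp" is whatever the environment attribute holds; behind a proxy
                        // it may be the proxy address — confirm the deployment sets it from the real client.
                        if (oidcConfig.accessTokenIpCheck()
                                && !cookieJson.getString("remotePeer")
                                .equals(providerRequest.env().abacAttribute("userIp").orElseThrow())) {
                            if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
                                LOGGER.log(System.Logger.Level.DEBUG,
                                           "Current peer IP does not match the one this access token was issued for");
                            }
                            return errorResponse(providerRequest, Status.UNAUTHORIZED_401, "peer_host_mismatch",
                                                 "Peer host access token mismatch", tenantId);
                        }
                        return validateAccessToken(tenantId, providerRequest, cookieJson.getString("accessToken"), idToken);
                    } catch (Exception e) {
                        // malformed base64/JSON, missing keys or an absent userIp attribute all end here
                        if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
                            LOGGER.log(System.Logger.Level.DEBUG, "Invalid access token in cookie", e);
                        }
                        return errorResponse(providerRequest, Status.UNAUTHORIZED_401, null, "Invalid access token", tenantId);
                    }
                }
                missingLocations.add("cookie");
            }
            if (token.isPresent()) {
                return validateAccessToken(tenantId, providerRequest, token.get(), idToken);
            }
            String message = "Missing access token, could not find in either of: " + missingLocations;
            LOGGER.log(System.Logger.Level.DEBUG, message);
            return errorResponse(providerRequest, Status.UNAUTHORIZED_401, null, message, tenantId);
        } catch (SecurityException e) {
            LOGGER.log(System.Logger.Level.DEBUG, "Failed to extract access token from one of the configured locations", e);
            return failOrAbstain("Failed to extract one of the configured tokens" + e);
        }
    }

    /**
     * Collects the scopes required by the endpoint: values of every {@link ScopeValidator.Scope}
     * annotation, directly or inside a {@link ScopeValidator.Scopes} container, across all
     * security levels and annotation scopes of the endpoint.
     *
     * @param providerRequest request whose endpoint configuration is inspected
     * @return required scope names, without duplicates
     */
    private Set<String> expectedScopes(ProviderRequest providerRequest) {
        Set<String> result = new HashSet<>();
        for (SecurityLevel securityLevel : providerRequest.endpointConfig().securityLevels()) {
            securityLevel.combineAnnotations(ScopeValidator.Scopes.class, EndpointConfig.AnnotationScope.values())
                    .stream()
                    .map(ScopeValidator.Scopes::value)
                    .flatMap(Arrays::stream)
                    .map(ScopeValidator.Scope::value)
                    .forEach(result::add);
            securityLevel.combineAnnotations(ScopeValidator.Scope.class, EndpointConfig.AnnotationScope.values())
                    .stream()
                    .map(ScopeValidator.Scope::value)
                    .forEach(result::add);
        }
        return result;
    }

    /**
     * Produces the response for a failed authentication: a plain failure when redirects are disabled
     * or the redirect budget is exhausted, otherwise a {@code 307} to the tenant's authorization
     * endpoint with the original URI, a random {@code state} and a {@code nonce} stored in the state cookie.
     *
     * @param providerRequest request being authenticated
     * @param status          HTTP status for the non-redirect failure
     * @param errorCode       OAuth error code for {@code WWW-Authenticate}; {@code null} yields a realm-only challenge
     * @param description     human readable description (also placed into {@code WWW-Authenticate})
     * @param tenantId        tenant identifier, appended to the redirect URI unless it is {@code @default}
     * @return the failure or redirect response
     */
    private AuthenticationResponse errorResponse(ProviderRequest providerRequest,
                                                 Status status,
                                                 String errorCode,
                                                 String description,
                                                 String tenantId) {
        if (!oidcConfig.shouldRedirect()) {
            return errorResponseNoRedirect(errorCode, description, status);
        }
        String origUri = origUri(providerRequest);
        // bounded so a client cannot be bounced between this service and the identity server forever
        if (redirectAttempt(origUri) >= oidcConfig.maxRedirects()) {
            return errorResponseNoRedirect(errorCode, description, status);
        }
        String state = generateRandomString();
        String nonce = UUID.randomUUID().toString();

        StringBuilder scopes = new StringBuilder(tenantConfig.baseScopes());
        for (String scope : expectedScopes(providerRequest)) {
            if (!scopes.isEmpty()) {
                scopes.append(' ');
            }
            // annotation scopes may be written as "/name"; the leading slash is not part of the OIDC scope
            scopeAppender.accept(scopes, scope.startsWith("/") ? scope.substring(1) : scope);
        }
        String encodedScopes = URLEncoder.encode(scopes.toString(), StandardCharsets.UTF_8);

        String redirectUri = redirectUri(providerRequest.env());
        String encodedRedirectUri = "@default".equals(tenantId)
                ? encode(redirectUri)
                : encode(redirectUri + "?" + encode(oidcConfig.tenantParamName()) + "=" + encode(tenantId));

        String stateCookieValue = Base64.getEncoder().encodeToString(OidcFeature.JSON_BUILDER_FACTORY.createObjectBuilder()
                                                                             .add("originalUri", origUri)
                                                                             .add("state", state)
                                                                             .add("nonce", nonce)
                                                                             .build()
                                                                             .toString()
                                                                             .getBytes(StandardCharsets.UTF_8));
        // client_id is configuration and is placed into the query string as-is (not URL-encoded)
        String location = tenant.authorizationEndpointUri()
                + "?client_id=" + tenantConfig.clientId()
                + "&response_type=code"
                + "&redirect_uri=" + encodedRedirectUri
                + "&scope=" + encodedScopes
                + "&nonce=" + nonce
                + "&state=" + state;

        return AuthenticationResponse.builder()
                .status(SecurityResponse.SecurityStatus.FAILURE_FINISH)
                .statusCode(Status.TEMPORARY_REDIRECT_307.code())
                .responseHeader(HeaderNames.SET_COOKIE.defaultCase(),
                                oidcConfig.stateCookieHandler().createCookie(stateCookieValue).build().toString())
                .description("Redirecting to identity server: " + description)
                .responseHeader("Location", location)
                .build();
    }

    /**
     * Redirect URI sent to the identity server: the configured redirect path on the host named by the
     * request's {@code Host} header (scheme forced to {@code https} when configured, otherwise the
     * request transport), or the fully configured URI when the request has no {@code Host} header.
     * <p>
     * NOTE(review): {@code Host} is supplied by the client or a front proxy; this relies on the identity
     * server accepting only registered {@code redirect_uri} values — confirm that is enforced for each tenant.
     *
     * @param env security environment of the request
     * @return absolute redirect URI
     */
    private String redirectUri(SecurityEnvironment env) {
        for (Map.Entry<String, List<String>> header : env.headers().entrySet()) {
            if (header.getKey().equalsIgnoreCase("host") && !header.getValue().isEmpty()) {
                String scheme = oidcConfig.forceHttpsRedirects() ? "https" : env.transport();
                return oidcConfig.redirectUriWithHost(scheme + "://" + header.getValue().getFirst());
            }
        }
        return oidcConfig.redirectUriWithHost();
    }

    /**
     * Failure for token-extraction problems: abstains when this handler is optional, fails otherwise.
     *
     * @param description response description
     * @return abstain or failure response
     */
    private AuthenticationResponse failOrAbstain(String description) {
        SecurityResponse.SecurityStatus status = optional
                ? SecurityResponse.SecurityStatus.ABSTAIN
                : SecurityResponse.SecurityStatus.FAILURE;
        return AuthenticationResponse.builder().status(status).description(description).build();
    }

    /**
     * Failure without a redirect. Optional handlers abstain; otherwise a {@code WWW-Authenticate: Bearer}
     * challenge is returned — realm only with a forced {@code 401} when {@code errorCode} is {@code null},
     * else realm, error and description with the requested status.
     *
     * @param errorCode   OAuth error code, may be {@code null}
     * @param description response description
     * @param status      HTTP status used when an error code is present
     * @return the failure or abstain response
     */
    private AuthenticationResponse errorResponseNoRedirect(String errorCode, String description, Status status) {
        if (optional) {
            return AuthenticationResponse.builder()
                    .status(SecurityResponse.SecurityStatus.ABSTAIN)
                    .description(description)
                    .build();
        }
        if (errorCode == null) {
            return AuthenticationResponse.builder()
                    .status(SecurityResponse.SecurityStatus.FAILURE)
                    .statusCode(Status.UNAUTHORIZED_401.code())
                    .responseHeader(HeaderNames.WWW_AUTHENTICATE.defaultCase(), "Bearer realm=\"" + tenantConfig.realm() + "\"")
                    .description(description)
                    .build();
        }
        return AuthenticationResponse.builder()
                .status(SecurityResponse.SecurityStatus.FAILURE)
                .statusCode(status.code())
                .responseHeader(HeaderNames.WWW_AUTHENTICATE.defaultCase(), errorHeader(errorCode, description))
                .description(description)
                .build();
    }

    /**
     * Number of redirects already performed for this original URI, read from the configured
     * redirect-attempt query parameter; {@code 1} when the URI has no query or no such parameter.
     * A digit run too large for an {@code int} is treated as an exhausted budget instead of
     * propagating {@link NumberFormatException} out of the error handling.
     *
     * @param uri original request URI (path and query)
     * @return attempt counter, at least {@code 1}
     */
    private int redirectAttempt(String uri) {
        if (!uri.contains("?")) {
            return 1;
        }
        Matcher matcher = attemptPattern.matcher(uri);
        if (!matcher.matches()) {
            return 1;
        }
        try {
            return Integer.parseInt(matcher.group(1));
        } catch (NumberFormatException e) {
            // \d+ matched, so this is an out-of-range value; stop redirecting rather than fail with an exception
            return Integer.MAX_VALUE;
        }
    }

    /**
     * {@code WWW-Authenticate} challenge with realm, error code and description.
     * <p>
     * NOTE(review): the values are placed into quoted-strings without escaping, and
     * {@link #refreshAccessToken} forwards the identity server's error entity in the description —
     * confirm the HTTP layer rejects CR/LF in header values and consider escaping {@code "}.
     *
     * @param errorCode   OAuth error code
     * @param description error description
     * @return header value
     */
    private String errorHeader(String errorCode, String description) {
        return "Bearer realm=\"" + tenantConfig.realm() + "\", error=\"" + errorCode
                + "\", error_description=\"" + description + "\"";
    }

    /**
     * URI the client originally requested, to return to after login: the {@code X_ORIG_URI_HEADER}
     * request header when a front end set it, otherwise path and query of the target URI.
     * <p>
     * NOTE(review): the header form is request-controlled and is stored in the state cookie as the
     * post-login destination — confirm the value is validated where the redirect back is performed.
     *
     * @param providerRequest request being authenticated
     * @return original URI (path plus optional query)
     */
    String origUri(ProviderRequest providerRequest) {
        List<String> fromHeader = providerRequest.env().headers().getOrDefault("X_ORIG_URI_HEADER", List.of());
        if (!fromHeader.isEmpty()) {
            return fromHeader.getFirst();
        }
        URI targetUri = providerRequest.env().targetUri();
        String query = targetUri.getQuery();
        String path = targetUri.getPath();
        return (query == null || query.isEmpty()) ? path : path + "?" + query;
    }

    /**
     * URL-encodes a query-string component as UTF-8.
     *
     * @param value raw value
     * @return encoded value
     */
    private String encode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    /**
     * Parses and validates the id token — signature when configured, default time validators,
     * {@code crit}, user principal, audience equal to this client id and issuer when the tenant
     * knows it — then continues with the access token.
     *
     * @param tenantId        tenant identifier
     * @param providerRequest request being authenticated
     * @param token           raw id token
     * @return access-token processing result, a 401/redirect for an invalid id token, or a failure when parsing/validation throws
     */
    private AuthenticationResponse validateIdToken(String tenantId, ProviderRequest providerRequest, String token) {
        SignedJwt signedJwt;
        try {
            signedJwt = SignedJwt.parseToken(token);
        } catch (Exception e) {
            if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
                LOGGER.log(System.Logger.Level.DEBUG, "Could not parse inbound id token", e);
            }
            return AuthenticationResponse.failed("Invalid id token", e);
        }
        try {
            Errors signatureErrors = oidcConfig.idTokenSignatureValidation()
                    ? jwtValidator.apply(signedJwt, Errors.collector()).collect()
                    : Errors.collector().collect();
            Jwt jwt = signedJwt.getJwt();
            JwtValidator.Builder validator = JwtValidator.builder()
                    .addDefaultTimeValidators()
                    .addCriticalValidator()
                    .addUserPrincipalValidator()
                    // an id token must be addressed to this client
                    .addAudienceValidator(tenantConfig.clientId());
            if (tenant.issuer() != null) {
                validator.addIssuerValidator(tenant.issuer());
            }
            Errors claimErrors = validator.build().validate(jwt);
            if (signatureErrors.isValid() && claimErrors.isValid()) {
                return processAccessToken(tenantId, providerRequest, jwt);
            }
            if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
                signatureErrors.log(LOGGER);
                claimErrors.log(LOGGER);
            }
            return errorResponse(providerRequest, Status.UNAUTHORIZED_401, "invalid_id_token", "Id token not valid", tenantId);
        } catch (Exception e) {
            if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
                LOGGER.log(System.Logger.Level.DEBUG, "Failed to validate request", e);
            }
            return AuthenticationResponse.failed("Failed to validate JWT", e);
        }
    }

    /**
     * Parses the access token, runs signature validation when configured and checks the time claims.
     * A token that fails the time check is refreshed through the refresh-token cookie when one is
     * present; otherwise it goes through the regular validation path and is reported as invalid there.
     *
     * @param tenantId        tenant identifier
     * @param providerRequest request being authenticated
     * @param token           raw access token
     * @param idToken         validated id token or {@code null}
     * @return validation, refresh or failure response
     */
    private AuthenticationResponse validateAccessToken(String tenantId, ProviderRequest providerRequest, String token, Jwt idToken) {
        SignedJwt signedJwt;
        try {
            signedJwt = SignedJwt.parseToken(token);
        } catch (Exception e) {
            if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
                LOGGER.log(System.Logger.Level.DEBUG, "Could not parse inbound token", e);
            }
            return AuthenticationResponse.failed("Invalid token", e);
        }
        try {
            Errors.Collector collector = oidcConfig.tokenSignatureValidation()
                    ? jwtValidator.apply(signedJwt, Errors.collector())
                    : Errors.collector();
            if (TIME_VALIDATORS.validate(signedJwt.getJwt()).isValid()) {
                return processValidationResult(providerRequest, signedJwt, idToken, tenantId, collector);
            }
            // expired (or not yet valid): refresh when a refresh token cookie exists, otherwise let the
            // full validation report the time failure
            return oidcConfig.refreshTokenCookieHandler().findCookie(providerRequest.env().headers())
                    .map(refreshToken -> refreshAccessToken(providerRequest, refreshToken, idToken, tenantId))
                    .orElseGet(() -> processValidationResult(providerRequest, signedJwt, idToken, tenantId, collector));
        } catch (Exception e) {
            if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
                LOGGER.log(System.Logger.Level.DEBUG, "Failed to validate request", e);
            }
            return AuthenticationResponse.failed("Failed to validate JWT", e);
        }
    }

    /**
     * Exchanges the refresh token at the tenant's token endpoint, validates the new access token and
     * returns the validation result with {@code Set-Cookie} headers for the new access-token cookie
     * (base64 JSON with {@code accessToken} and {@code remotePeer}) and, when returned, the new refresh token.
     * <p>
     * NOTE(review): unlike the introspection request, no {@code OidcUtil.updateRequest} client
     * authentication is applied to this call — confirm the tenant is a public client or the token
     * endpoint accepts {@code client_id} alone.
     *
     * @param providerRequest request being authenticated
     * @param refreshToken    refresh token from the cookie
     * @param idToken         validated id token or {@code null}
     * @param tenantId        tenant identifier
     * @return validation result for the refreshed token, or a failure/redirect when the refresh fails
     */
    private AuthenticationResponse refreshAccessToken(ProviderRequest providerRequest, String refreshToken, Jwt idToken, String tenantId) {
        try {
            try (HttpClientResponse response = tenant.appWebClient()
                    .post()
                    .uri(tenant.tokenEndpointUri())
                    .header(HeaderValues.ACCEPT_JSON)
                    .submit(Parameters.builder("oidc-form-params")
                                    .add("grant_type", "refresh_token")
                                    .add("refresh_token", refreshToken)
                                    .add("client_id", tenantConfig.clientId())
                                    .build())) {
                if (response.status().family() != Status.Family.SUCCESSFUL) {
                    try {
                        return errorResponse(providerRequest, Status.UNAUTHORIZED_401, "access_token_refresh_failed",
                                             "Failed to refresh access token. Response status was: " + response.status()
                                                     + " with message: " + response.as(String.class),
                                             tenantId);
                    } catch (Exception e) {
                        return AuthenticationResponse.failed(
                                "Failed to refresh access token, request failed: Failed to process error entity", e);
                    }
                }
                try {
                    JsonObject json = response.as(JsonObject.class);
                    String accessToken = json.getString("access_token");
                    // the identity server may or may not rotate the refresh token
                    String newRefreshToken = json.getString("refresh_token", null);
                    try {
                        SignedJwt signedJwt = SignedJwt.parseToken(accessToken);
                        Errors.Collector collector = jwtValidator.apply(signedJwt, Errors.collector());
                        String cookieValue = Base64.getEncoder().encodeToString(
                                OidcFeature.JSON_BUILDER_FACTORY.createObjectBuilder()
                                        .add("accessToken", signedJwt.tokenContent())
                                        .add("remotePeer", providerRequest.env().abacAttribute("userIp").orElseThrow().toString())
                                        .build()
                                        .toString()
                                        .getBytes(StandardCharsets.UTF_8));
                        List<String> cookies = new ArrayList<>();
                        cookies.add(oidcConfig.tokenCookieHandler().createCookie(cookieValue).build().toString());
                        if (newRefreshToken != null) {
                            cookies.add(oidcConfig.refreshTokenCookieHandler().createCookie(newRefreshToken).build().toString());
                        }
                        return processValidationResult(providerRequest, signedJwt, idToken, tenantId, collector, cookies);
                    } catch (Exception e) {
                        if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
                            LOGGER.log(System.Logger.Level.DEBUG, "Could not parse refreshed access token", e);
                        }
                        return AuthenticationResponse.failed("Invalid access token", e);
                    }
                } catch (Exception e) {
                    return errorResponse(providerRequest, Status.UNAUTHORIZED_401, "refresh_access_token_failure",
                                         "Failed to refresh access token", tenantId);
                }
            } catch (Exception e) {
                return AuthenticationResponse.failed("Failed to refresh access token, request failed: Failed to invoke request", e);
            }
        } catch (Exception e) {
            if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
                LOGGER.log(System.Logger.Level.DEBUG, "Failed to validate refresh token", e);
            }
            return AuthenticationResponse.failed("Failed to validate refresh token", e);
        }
    }

    /**
     * {@link #processValidationResult(ProviderRequest, SignedJwt, Jwt, String, Errors.Collector, List)}
     * without additional {@code Set-Cookie} headers.
     */
    private AuthenticationResponse processValidationResult(ProviderRequest providerRequest,
                                                           SignedJwt signedJwt,
                                                           Jwt idToken,
                                                           String tenantId,
                                                           Errors.Collector collector) {
        return processValidationResult(providerRequest, signedJwt, idToken, tenantId, collector, List.of());
    }

    /**
     * Completes access-token validation: combines the signature outcome with time, {@code crit},
     * user principal, issuer (when known) and audience (when configured) checks, builds the subject
     * and verifies every scope required by the endpoint is granted.
     *
     * @param providerRequest request being authenticated
     * @param signedJwt       parsed access token
     * @param idToken         validated id token or {@code null}
     * @param tenantId        tenant identifier
     * @param collector       collector holding the signature validation outcome
     * @param setCookies      {@code Set-Cookie} values to attach on success (may be empty)
     * @return success with the subject, 401 for an invalid token, 403 for missing scopes
     */
    private AuthenticationResponse processValidationResult(ProviderRequest providerRequest,
                                                           SignedJwt signedJwt,
                                                           Jwt idToken,
                                                           String tenantId,
                                                           Errors.Collector collector,
                                                           List<String> setCookies) {
        Jwt jwt = signedJwt.getJwt();
        Errors signatureErrors = collector.collect();
        JwtValidator.Builder validator = JwtValidator.builder()
                .addDefaultTimeValidators()
                .addCriticalValidator()
                .addUserPrincipalValidator();
        if (tenant.issuer() != null) {
            validator.addIssuerValidator(tenant.issuer());
        }
        if (tenantConfig.checkAudience()) {
            validator.addAudienceValidator(tenantConfig.audience());
        }
        Errors claimErrors = validator.build().validate(jwt);
        if (!signatureErrors.isValid() || !claimErrors.isValid()) {
            if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
                signatureErrors.log(LOGGER);
                claimErrors.log(LOGGER);
            }
            return errorResponse(providerRequest, Status.UNAUTHORIZED_401, "invalid_token", "Token not valid", tenantId);
        }
        // valid, but warnings and hints from signature verification are still logged
        signatureErrors.log(LOGGER);
        Subject subject = buildSubject(jwt, signedJwt, idToken);
        Set<String> grantedScopes = subject.grantsByType("scope").stream()
                .map(Grant::getName)
                .collect(Collectors.toSet());
        List<String> missingScopes = new ArrayList<>();
        for (String scope : expectedScopes(providerRequest)) {
            if (!grantedScopes.contains(scope)) {
                missingScopes.add(scope);
            }
        }
        if (!missingScopes.isEmpty()) {
            return errorResponse(providerRequest, Status.FORBIDDEN_403, "insufficient_scope",
                                 "Scopes " + missingScopes + " are missing", tenantId);
        }
        AuthenticationResponse.Builder response = AuthenticationResponse.builder()
                .status(SecurityResponse.SecurityStatus.SUCCESS)
                .user(subject);
        return setCookies.isEmpty()
                ? response.build()
                : response.responseHeader(HeaderNames.SET_COOKIE.defaultCase(), setCookies).build();
    }

    /**
     * Builds the authenticated subject: principal from the id token (or the access token when there is
     * none), the access token as a public {@link TokenCredential}, one {@link Role} per groups-claim
     * entry when enabled, and one {@code scope} grant per scope of the access token.
     *
     * @param accessJwt       access token claims
     * @param signedAccessJwt signed access token (raw content is stored in the credential)
     * @param idToken         validated id token or {@code null}
     * @return the subject
     */
    private Subject buildSubject(Jwt accessJwt, SignedJwt signedAccessJwt, Jwt idToken) {
        Principal principal = buildPrincipal(accessJwt, idToken);
        TokenCredential.Builder credential = TokenCredential.builder();
        accessJwt.issueTime().ifPresent(credential::issueTime);
        accessJwt.expirationTime().ifPresent(credential::expTime);
        accessJwt.issuer().ifPresent(credential::issuer);
        credential.token(signedAccessJwt.tokenContent());
        credential.addToken(Jwt.class, accessJwt);
        credential.addToken(SignedJwt.class, signedAccessJwt);
        Subject.Builder subject = Subject.builder()
                .principal(principal)
                .addPublicCredential(TokenCredential.class, credential.build());
        if (useJwtGroups) {
            accessJwt.userGroups().ifPresent(groups -> groups.forEach(group -> subject.addGrant(Role.create(group))));
        }
        accessJwt.scopes().ifPresent(scopes -> scopes.forEach(
                scope -> subject.addGrant(Grant.builder().name(scope).type("scope").build())));
        return subject.build();
    }

    /**
     * Builds the principal from the id token when present, otherwise from the access token: id is the
     * {@code sub} claim, name is {@code preferred_username} (falling back to {@code sub}), every payload
     * claim becomes an attribute and the well-known profile claims are added under their standard names.
     *
     * @param accessJwt access token claims
     * @param idToken   validated id token or {@code null}
     * @return the principal
     * @throws JwtException when the chosen token has no {@code sub} claim
     */
    private Principal buildPrincipal(Jwt accessJwt, Jwt idToken) {
        Jwt source = idToken == null ? accessJwt : idToken;
        String subject = source.subject()
                .orElseThrow(() -> new JwtException("JWT does not contain subject claim, cannot create principal."));
        String name = source.preferredUsername().orElse(subject);
        Principal.Builder builder = Principal.builder();
        builder.name(name).id(subject);
        source.payloadClaims().forEach((claim, value) -> builder.addAttribute(claim, JwtUtil.toObject(value)));
        source.email().ifPresent(email -> builder.addAttribute("email", email));
        source.emailVerified().ifPresent(verified -> builder.addAttribute("email_verified", verified));
        source.locale().ifPresent(locale -> builder.addAttribute("locale", locale));
        source.familyName().ifPresent(familyName -> builder.addAttribute("family_name", familyName));
        source.givenName().ifPresent(givenName -> builder.addAttribute("given_name", givenName));
        source.fullName().ifPresent(fullName -> builder.addAttribute("full_name", fullName));
        return builder.build();
    }

    /**
     * Random 10-character alphanumeric string ({@code 0-9A-Za-z}) from {@link SecureRandom}, used as
     * the OAuth {@code state} value: ints in {@code ['0', 'z']} are drawn and the punctuation between the
     * digit, upper-case and lower-case ranges is filtered out.
     *
     * @return unpredictable state value
     */
    private static String generateRandomString() {
        return RANDOM.get()
                .ints('0', 'z' + 1)
                .filter(c -> (c <= '9' || c >= 'A') && (c <= 'Z' || c >= 'a'))
                .limit(10)
                .collect(StringBuilder::new, StringBuilder::appendCodePoint, StringBuilder::append)
                .toString();
    }
}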
