package org.keycloak.protocol.oidc;

import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriInfo;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.authenticators.util.AuthenticatorUtils;
import org.keycloak.authorization.authorization.AuthorizationTokenService;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.ExchangeExternalToken;
import org.keycloak.broker.provider.ExchangeTokenToIdentityProviderToken;
import org.keycloak.broker.provider.IdentityProviderMapper;
import org.keycloak.broker.provider.IdentityProviderMapperSyncModeDelegate;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Base64Url;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.ImpersonationSessionNote;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.light.LightweightUserAdapter;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.endpoints.TokenEndpoint;
import org.keycloak.protocol.saml.SamlClient;
import org.keycloak.protocol.saml.SamlService;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.saml.common.constants.GeneralConstants;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.BruteForceProtector;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.resources.IdentityBrokerService;
import org.keycloak.services.resources.admin.AdminAuth;
import org.keycloak.services.resources.admin.permissions.AdminPermissionManagement;
import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.services.validation.Validation;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.class */
public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
    private static final Logger logger = Logger.getLogger(DefaultTokenExchangeProvider.class);
    private MultivaluedMap<String, String> formParams;
    private KeycloakSession session;
    private Cors cors;
    private RealmModel realm;
    private ClientModel client;
    private EventBuilder event;
    private ClientConnection clientConnection;
    private HttpHeaders headers;
    private TokenManager tokenManager;
    private Map<String, String> clientAuthAttributes;

    public boolean supports(TokenExchangeContext tokenExchangeContext) {
        return true;
    }

    public Response exchange(TokenExchangeContext tokenExchangeContext) {
        this.formParams = tokenExchangeContext.getFormParams();
        this.session = tokenExchangeContext.getSession();
        this.cors = tokenExchangeContext.getCors();
        this.realm = tokenExchangeContext.getRealm();
        this.client = tokenExchangeContext.getClient();
        this.event = tokenExchangeContext.getEvent();
        this.clientConnection = tokenExchangeContext.getClientConnection();
        this.headers = tokenExchangeContext.getHeaders();
        this.tokenManager = (TokenManager) tokenExchangeContext.getTokenManager();
        this.clientAuthAttributes = tokenExchangeContext.getClientAuthAttributes();
        return tokenExchange();
    }

    public void close() {
    }

    protected Response tokenExchange() {
        UserModel userModel = null;
        UserSessionModel userSessionModel = null;
        AccessToken accessToken = null;
        String str = (String) this.formParams.getFirst("subject_token");
        if (str != null) {
            String str2 = (String) this.formParams.getFirst("subject_token_type");
            String realmIssuer = Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName());
            String str3 = (String) this.formParams.getFirst("subject_issuer");
            if (str3 == null && AuthorizationTokenService.CLAIM_TOKEN_FORMAT_JWT.equals(str2)) {
                try {
                    str3 = ((JsonWebToken) new JWSInput(str).readJsonContent(JsonWebToken.class)).getIssuer();
                } catch (JWSInputException e) {
                    this.event.detail("reason", "unable to parse jwt subject_token");
                    this.event.error("invalid_token");
                    throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
                }
            }
            if (str3 != null && !realmIssuer.equals(str3)) {
                this.event.detail("subject_issuer", str3);
                return exchangeExternalToken(str3, str);
            }
            if (str2 != null && !str2.equals("urn:ietf:params:oauth:token-type:access_token")) {
                this.event.detail("reason", "subject_token supports access tokens only");
                this.event.error("invalid_token");
                throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
            }
            AuthenticationManager.AuthResult verifyIdentityToken = AuthenticationManager.verifyIdentityToken(this.session, this.realm, this.session.getContext().getUri(), this.clientConnection, true, true, null, false, str, this.headers, new TokenVerifier.Predicate[0]);
            if (verifyIdentityToken == null) {
                this.event.detail("reason", "subject_token validation failure");
                this.event.error("invalid_token");
                throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid token", Response.Status.BAD_REQUEST);
            }
            userModel = verifyIdentityToken.getUser();
            userSessionModel = verifyIdentityToken.getSession();
            accessToken = verifyIdentityToken.getToken();
        }
        String str4 = (String) this.formParams.getFirst("requested_subject");
        boolean z = true;
        if (str4 != null) {
            this.event.detail("requested_subject", str4);
            UserModel userByUsername = this.session.users().getUserByUsername(this.realm, str4);
            if (userByUsername == null) {
                userByUsername = this.session.users().getUserById(this.realm, str4);
            }
            if (userByUsername == null) {
                this.event.detail("reason", "requested_subject not found");
                this.event.error("not_allowed");
                throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
            }
            if (accessToken != null) {
                this.event.detail("impersonator", userModel.getUsername());
                if (!AdminPermissions.evaluator(this.session, this.realm, new AdminAuth(this.realm, accessToken, userModel, this.client)).users().canImpersonate(userByUsername, this.client)) {
                    this.event.detail("reason", "subject not allowed to impersonate");
                    this.event.error("not_allowed");
                    throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
                }
            } else {
                if (this.client.isPublicClient()) {
                    this.event.detail("reason", "public clients not allowed");
                    this.event.error("not_allowed");
                    throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
                }
                if (!AdminPermissions.management(this.session, this.realm).users().canClientImpersonate(this.client, userByUsername)) {
                    this.event.detail("reason", "client not allowed to impersonate");
                    this.event.error("not_allowed");
                    throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
                }
                z = false;
            }
            userSessionModel = new UserSessionManager(this.session).createUserSession(this.realm, userByUsername, userByUsername.getUsername(), this.clientConnection.getRemoteAddr(), "impersonate", false, null, null);
            if (userModel != null) {
                userSessionModel.setNote(ImpersonationSessionNote.IMPERSONATOR_ID.toString(), userModel.getId());
                userSessionModel.setNote(ImpersonationSessionNote.IMPERSONATOR_USERNAME.toString(), userModel.getUsername());
            }
            userModel = userByUsername;
        }
        String str5 = (String) this.formParams.getFirst("requested_issuer");
        if (str5 == null) {
            return exchangeClientToClient(userModel, userSessionModel, accessToken, z);
        }
        try {
            Response exchangeToIdentityProvider = exchangeToIdentityProvider(userModel, userSessionModel, str5);
            if (str == null) {
                try {
                    this.session.sessions().removeUserSession(this.realm, userSessionModel);
                } catch (Exception e2) {
                }
            }
            return exchangeToIdentityProvider;
        } catch (Throwable th) {
            if (str == null) {
                try {
                    this.session.sessions().removeUserSession(this.realm, userSessionModel);
                } catch (Exception e3) {
                }
            }
            throw th;
        }
    }

    protected Response exchangeToIdentityProvider(UserModel userModel, UserSessionModel userSessionModel, String str) {
        this.event.detail("requested_issuer", str);
        IdentityProviderModel identityProviderByAlias = this.realm.getIdentityProviderByAlias(str);
        if (identityProviderByAlias == null) {
            this.event.detail("reason", "unknown requested_issuer");
            this.event.error("unknown_identity_provider");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Invalid issuer", Response.Status.BAD_REQUEST);
        }
        ExchangeTokenToIdentityProviderToken identityProvider = IdentityBrokerService.getIdentityProvider(this.session, this.realm, str);
        if (!(identityProvider instanceof ExchangeTokenToIdentityProviderToken)) {
            this.event.detail("reason", "exchange unsupported by requested_issuer");
            this.event.error("unknown_identity_provider");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Issuer does not support token exchange", Response.Status.BAD_REQUEST);
        }
        if (AdminPermissions.management(this.session, this.realm).idps().canExchangeTo(this.client, identityProviderByAlias)) {
            return this.cors.builder(Response.fromResponse(identityProvider.exchangeFromToken(this.session.getContext().getUri(), this.event, this.client, userSessionModel, userModel, this.formParams))).build();
        }
        this.event.detail("reason", "client not allowed to exchange for requested_issuer");
        this.event.error("not_allowed");
        throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
    }

    protected Response exchangeClientToClient(UserModel userModel, UserSessionModel userSessionModel, AccessToken accessToken, boolean z) {
        String str;
        String str2 = (String) this.formParams.getFirst("requested_token_type");
        if (str2 == null) {
            str2 = "urn:ietf:params:oauth:token-type:refresh_token";
        } else if (!str2.equals("urn:ietf:params:oauth:token-type:access_token") && !str2.equals("urn:ietf:params:oauth:token-type:refresh_token") && !str2.equals("urn:ietf:params:oauth:token-type:saml2")) {
            this.event.detail("reason", "requested_token_type unsupported");
            this.event.error("invalid_request");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "requested_token_type unsupported", Response.Status.BAD_REQUEST);
        }
        String str3 = (String) this.formParams.getFirst("audience");
        ClientModel clientByClientId = accessToken == null ? null : this.realm.getClientByClientId(accessToken.getIssuedFor());
        ClientModel clientModel = this.client;
        if (str3 != null) {
            clientModel = this.realm.getClientByClientId(str3);
            if (clientModel == null) {
                this.event.detail("reason", "audience not found");
                this.event.error("client_not_found");
                throw new CorsErrorResponseException(this.cors, "invalid_client", "Audience not found", Response.Status.BAD_REQUEST);
            }
        }
        if (clientModel.isConsentRequired()) {
            this.event.detail("reason", "audience requires consent");
            this.event.error("consent_denied");
            throw new CorsErrorResponseException(this.cors, "invalid_client", "Client requires user consent", Response.Status.BAD_REQUEST);
        }
        if (!this.client.equals(clientModel)) {
            if (this.client.isPublicClient()) {
                forbiddenIfClientIsNotTokenHolder(z, clientByClientId);
            }
            if (!AdminPermissions.management(this.session, this.realm).clients().canExchangeTo(this.client, clientModel)) {
                this.event.detail("reason", "client not allowed to exchange to audience");
                this.event.error("not_allowed");
                throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
            }
        } else if (this.client.isPublicClient()) {
            forbiddenIfClientIsNotTokenHolder(z, clientByClientId);
        } else if (!this.client.equals(clientByClientId)) {
            forbiddenIfClientIsNotWithinTokenAudience(accessToken, clientByClientId);
        }
        String str4 = (String) this.formParams.getFirst("scope");
        if (accessToken != null && accessToken.getScope() != null && str4 == null) {
            String scope = accessToken.getScope();
            HashSet hashSet = new HashSet();
            hashSet.addAll(clientModel.getClientScopes(true).keySet());
            hashSet.addAll(clientModel.getClientScopes(false).keySet());
            str4 = (String) Arrays.stream(scope.split(" ")).filter(str5 -> {
                if (!OIDCIdentityProvider.SCOPE_OPENID.equals(str5)) {
                    if (!hashSet.contains(Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES) ? str5.split(":")[0] : str5)) {
                        return false;
                    }
                }
                return true;
            }).collect(Collectors.joining(" "));
        } else if (accessToken != null && accessToken.getScope() != null) {
            String scope2 = accessToken.getScope();
            if (Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES)) {
                Set set = (Set) Arrays.stream(scope2.split(" ")).map(str6 -> {
                    return str6.split(":")[0];
                }).collect(Collectors.toSet());
                str = (String) Arrays.stream(str4.split(" ")).filter(str7 -> {
                    return set.contains(str7.split(":")[0]);
                }).collect(Collectors.joining(" "));
            } else {
                Set set2 = (Set) Arrays.stream(scope2.split(" ")).collect(Collectors.toSet());
                str = (String) Arrays.stream(str4.split(" ")).filter(str8 -> {
                    return set2.contains(str8);
                }).collect(Collectors.joining(" "));
            }
            HashSet hashSet2 = new HashSet();
            hashSet2.addAll(clientModel.getClientScopes(true).keySet());
            hashSet2.addAll(clientModel.getClientScopes(false).keySet());
            str4 = (String) Arrays.stream(str.split(" ")).filter(str9 -> {
                if (!OIDCIdentityProvider.SCOPE_OPENID.equals(str9)) {
                    if (!hashSet2.contains(Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES) ? str9.split(":")[0] : str9)) {
                        return false;
                    }
                }
                return true;
            }).collect(Collectors.joining(" "));
        }
        try {
            this.session.getContext().setClient(clientModel);
            String str10 = str2;
            boolean z2 = -1;
            switch (str10.hashCode()) {
                case -1552563363:
                    if (str10.equals("urn:ietf:params:oauth:token-type:refresh_token")) {
                        z2 = true;
                        break;
                    }
                    break;
                case -141706602:
                    if (str10.equals("urn:ietf:params:oauth:token-type:access_token")) {
                        z2 = false;
                        break;
                    }
                    break;
                case 808941869:
                    if (str10.equals("urn:ietf:params:oauth:token-type:saml2")) {
                        z2 = 2;
                        break;
                    }
                    break;
            }
            switch (z2) {
                case false:
                case DeclarativeUserProfileProviderFactory.PROVIDER_PRIORITY /* 1 */:
                    Response exchangeClientToOIDCClient = exchangeClientToOIDCClient(userModel, userSessionModel, str2, clientModel, str3, str4);
                    this.session.getContext().setClient(this.client);
                    return exchangeClientToOIDCClient;
                case DPoPUtil.DEFAULT_ALLOWED_CLOCK_SKEW /* 2 */:
                    Response exchangeClientToSAML2Client = exchangeClientToSAML2Client(userModel, userSessionModel, str2, clientModel);
                    this.session.getContext().setClient(this.client);
                    return exchangeClientToSAML2Client;
                default:
                    this.session.getContext().setClient(this.client);
                    throw new CorsErrorResponseException(this.cors, "invalid_request", "requested_token_type unsupported", Response.Status.BAD_REQUEST);
            }
        } catch (Throwable th) {
            this.session.getContext().setClient(this.client);
            throw th;
        }
    }

    private void forbiddenIfClientIsNotWithinTokenAudience(AccessToken accessToken, ClientModel clientModel) {
        if (accessToken == null || accessToken.hasAudience(this.client.getClientId())) {
            return;
        }
        this.event.detail("reason", "client is not within the token audience");
        this.event.error("not_allowed");
        throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client is not within the token audience", Response.Status.FORBIDDEN);
    }

    private void forbiddenIfClientIsNotTokenHolder(boolean z, ClientModel clientModel) {
        if (!z || this.client.equals(clientModel)) {
            return;
        }
        this.event.detail("reason", "client is not the token holder");
        this.event.error("not_allowed");
        throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client is not the holder of the token", Response.Status.FORBIDDEN);
    }

    protected Response exchangeClientToOIDCClient(UserModel userModel, UserSessionModel userSessionModel, String str, ClientModel clientModel, String str2, String str3) {
        AuthenticationSessionModel createAuthenticationSession = new AuthenticationSessionManager(this.session).createAuthenticationSession(this.realm, false).createAuthenticationSession(clientModel);
        createAuthenticationSession.setAuthenticatedUser(userModel);
        createAuthenticationSession.setProtocol("openid-connect");
        createAuthenticationSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
        createAuthenticationSession.setClientNote("scope", str3);
        if (userSessionModel == null) {
            userSessionModel = new UserSessionManager(this.session).createUserSession(createAuthenticationSession.getParentSession().getId(), this.realm, userModel, userModel.getUsername(), this.clientConnection.getRemoteAddr(), "client_auth", false, null, null, UserSessionModel.SessionPersistenceState.PERSISTENT);
        }
        this.event.session(userSessionModel);
        AuthenticationManager.setClientScopesInSession(createAuthenticationSession);
        ClientSessionContext attachAuthenticationSession = TokenManager.attachAuthenticationSession(this.session, userSessionModel, createAuthenticationSession);
        updateUserSessionFromClientAuth(userSessionModel);
        TokenManager.AccessTokenResponseBuilder generateAccessToken = this.tokenManager.responseBuilder(this.realm, clientModel, this.event, this.session, userSessionModel, attachAuthenticationSession).generateAccessToken();
        generateAccessToken.getAccessToken().issuedFor(this.client.getClientId());
        if (str2 != null) {
            generateAccessToken.getAccessToken().addAudience(str2);
        }
        if (this.formParams.containsKey("requested_subject")) {
            userSessionModel.setNote(ImpersonationSessionNote.IMPERSONATOR_CLIENT.toString(), this.client.getId());
        }
        if (str.equals("urn:ietf:params:oauth:token-type:refresh_token") && OIDCAdvancedConfigWrapper.fromClientModel(this.client).isUseRefreshToken()) {
            generateAccessToken.generateRefreshToken();
            generateAccessToken.getRefreshToken().issuedFor(this.client.getClientId());
        }
        if (TokenUtil.isOIDCRequest(attachAuthenticationSession.getClientSession().getNote("scope"))) {
            generateAccessToken.generateIDToken().generateAccessTokenHash();
        }
        AccessTokenResponse build = generateAccessToken.build();
        this.event.detail("audience", clientModel.getClientId()).user(userModel);
        this.event.success();
        return this.cors.builder(Response.ok(build, MediaType.APPLICATION_JSON_TYPE)).build();
    }

    protected Response exchangeClientToSAML2Client(UserModel userModel, UserSessionModel userSessionModel, String str, ClientModel clientModel) {
        AuthenticationSessionModel orCreateLoginSessionForIdpInitiatedSso = ((SamlService) this.session.getKeycloakSessionFactory().getProviderFactory(LoginProtocol.class, "saml").createProtocolEndpoint(this.session, this.event)).getOrCreateLoginSessionForIdpInitiatedSso(this.session, this.realm, clientModel, null);
        if (orCreateLoginSessionForIdpInitiatedSso == null) {
            logger.error("SAML assertion consumer url not set up");
            throw new CorsErrorResponseException(this.cors, "invalid_client", "Client requires assertion consumer url set up", Response.Status.BAD_REQUEST);
        }
        orCreateLoginSessionForIdpInitiatedSso.setAuthenticatedUser(userModel);
        this.event.session(userSessionModel);
        AuthenticationManager.setClientScopesInSession(orCreateLoginSessionForIdpInitiatedSso);
        ClientSessionContext attachAuthenticationSession = TokenManager.attachAuthenticationSession(this.session, userSessionModel, orCreateLoginSessionForIdpInitiatedSso);
        updateUserSessionFromClientAuth(userSessionModel);
        SamlClient samlClient = new SamlClient(clientModel);
        Response authenticated = new TokenEndpoint.TokenExchangeSamlProtocol(samlClient).m461setEventBuilder(this.event).m462setHttpHeaders(this.headers).m464setRealm(this.realm).m465setSession(this.session).m463setUriInfo((UriInfo) this.session.getContext().getUri()).authenticated(orCreateLoginSessionForIdpInitiatedSso, userSessionModel, attachAuthenticationSession);
        if (authenticated.getStatus() != 200) {
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Can not get SAML 2.0 token", Response.Status.BAD_REQUEST);
        }
        String encode = Base64Url.encode(((String) authenticated.getEntity()).getBytes(GeneralConstants.SAML_CHARSET));
        int assertionLifespan = samlClient.getAssertionLifespan();
        AccessTokenResponse accessTokenResponse = new AccessTokenResponse();
        accessTokenResponse.setToken(encode);
        accessTokenResponse.setTokenType("Bearer");
        accessTokenResponse.setExpiresIn(assertionLifespan <= 0 ? this.realm.getAccessCodeLifespan() : assertionLifespan);
        accessTokenResponse.setOtherClaims("issued_token_type", str);
        this.event.detail("audience", clientModel.getClientId()).user(userModel);
        this.event.success();
        return this.cors.builder(Response.ok(accessTokenResponse, MediaType.APPLICATION_JSON_TYPE)).build();
    }

    protected Response exchangeExternalToken(String str, String str2) {
        AtomicReference atomicReference = new AtomicReference(null);
        AtomicReference atomicReference2 = new AtomicReference(null);
        this.realm.getIdentityProvidersStream().filter(identityProviderModel -> {
            ExchangeExternalToken create = IdentityBrokerService.getIdentityProviderFactory(this.session, identityProviderModel).create(this.session, identityProviderModel);
            if (!(create instanceof ExchangeExternalToken)) {
                return false;
            }
            ExchangeExternalToken exchangeExternalToken = create;
            if (!identityProviderModel.getAlias().equals(str) && !exchangeExternalToken.isIssuer(str, this.formParams)) {
                return false;
            }
            atomicReference.set(exchangeExternalToken);
            atomicReference2.set(identityProviderModel);
            return true;
        }).findFirst();
        if (atomicReference.get() == null) {
            this.event.error("invalid_issuer");
            throw new CorsErrorResponseException(this.cors, "invalid_issuer", "Invalid subject_issuer parameter", Response.Status.BAD_REQUEST);
        }
        if (!AdminPermissions.management(this.session, this.realm).idps().canExchangeTo(this.client, (IdentityProviderModel) atomicReference2.get())) {
            this.event.detail("reason", "client not allowed to exchange subject_issuer");
            this.event.error("not_allowed");
            throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
        }
        BrokeredIdentityContext exchangeExternal = ((ExchangeExternalToken) atomicReference.get()).exchangeExternal(this.event, this.formParams);
        if (exchangeExternal == null) {
            this.event.error("invalid_issuer");
            throw new CorsErrorResponseException(this.cors, "invalid_issuer", "Invalid subject_issuer parameter", Response.Status.BAD_REQUEST);
        }
        UserModel importUserFromExternalIdentity = importUserFromExternalIdentity(exchangeExternal);
        UserSessionModel createUserSession = new UserSessionManager(this.session).createUserSession(this.realm, importUserFromExternalIdentity, importUserFromExternalIdentity.getUsername(), this.clientConnection.getRemoteAddr(), "external-exchange", false, null, null);
        ((ExchangeExternalToken) atomicReference.get()).exchangeExternalComplete(createUserSession, exchangeExternal, this.formParams);
        createUserSession.setNote("EXTERNAL_IDENTITY_PROVIDER", ((IdentityProviderModel) atomicReference2.get()).getAlias());
        createUserSession.setNote("FEDERATED_ACCESS_TOKEN", str2);
        exchangeExternal.addSessionNotesToUserSession(createUserSession);
        return exchangeClientToClient(importUserFromExternalIdentity, createUserSession, null, false);
    }

    protected UserModel importUserFromExternalIdentity(BrokeredIdentityContext brokeredIdentityContext) {
        String alias = brokeredIdentityContext.getIdpConfig().getAlias();
        brokeredIdentityContext.getIdp().preprocessFederatedIdentity(this.session, this.realm, brokeredIdentityContext);
        Set<IdentityProviderMapperModel> set = (Set) this.realm.getIdentityProviderMappersByAliasStream(brokeredIdentityContext.getIdpConfig().getAlias()).collect(Collectors.toSet());
        KeycloakSessionFactory keycloakSessionFactory = this.session.getKeycloakSessionFactory();
        for (IdentityProviderMapperModel identityProviderMapperModel : set) {
            keycloakSessionFactory.getProviderFactory(IdentityProviderMapper.class, identityProviderMapperModel.getIdentityProviderMapper()).preprocessFederatedIdentity(this.session, this.realm, identityProviderMapperModel, brokeredIdentityContext);
        }
        UserModel userByFederatedIdentity = brokeredIdentityContext.getIdpConfig().isTransientUsers() ? null : this.session.users().getUserByFederatedIdentity(this.realm, new FederatedIdentityModel(alias, brokeredIdentityContext.getId(), brokeredIdentityContext.getUsername(), brokeredIdentityContext.getToken()));
        if (userByFederatedIdentity == null || brokeredIdentityContext.getIdpConfig().isTransientUsers()) {
            logger.debugf("Federated user not found for provider '%s' and broker username '%s'.", alias, brokeredIdentityContext.getUsername());
            String modelUsername = brokeredIdentityContext.getModelUsername();
            if (modelUsername == null) {
                modelUsername = (!this.realm.isRegistrationEmailAsUsername() || Validation.isBlank(brokeredIdentityContext.getEmail())) ? brokeredIdentityContext.getUsername() == null ? brokeredIdentityContext.getIdpConfig().getAlias() + "." + brokeredIdentityContext.getId() : brokeredIdentityContext.getUsername() : brokeredIdentityContext.getEmail();
            }
            String trim = modelUsername.trim();
            brokeredIdentityContext.setModelUsername(trim);
            if (brokeredIdentityContext.getEmail() != null && !this.realm.isDuplicateEmailsAllowed() && this.session.users().getUserByEmail(this.realm, brokeredIdentityContext.getEmail()) != null) {
                this.event.error("federated_identity_account_exists");
                throw new CorsErrorResponseException(this.cors, "invalid_token", "User already exists", Response.Status.BAD_REQUEST);
            }
            if (this.session.users().getUserByUsername(this.realm, trim) != null) {
                this.event.error("federated_identity_account_exists");
                throw new CorsErrorResponseException(this.cors, "invalid_token", "User already exists", Response.Status.BAD_REQUEST);
            }
            userByFederatedIdentity = brokeredIdentityContext.getIdpConfig().isTransientUsers() ? new LightweightUserAdapter(this.session, brokeredIdentityContext.getAuthenticationSession().getParentSession().getId()) : this.session.users().addUser(this.realm, trim);
            userByFederatedIdentity.setEnabled(true);
            userByFederatedIdentity.setEmail(brokeredIdentityContext.getEmail());
            userByFederatedIdentity.setFirstName(brokeredIdentityContext.getFirstName());
            userByFederatedIdentity.setLastName(brokeredIdentityContext.getLastName());
            if (!brokeredIdentityContext.getIdpConfig().isTransientUsers()) {
                this.session.users().addFederatedIdentity(this.realm, userByFederatedIdentity, new FederatedIdentityModel(brokeredIdentityContext.getIdpConfig().getAlias(), brokeredIdentityContext.getId(), brokeredIdentityContext.getModelUsername(), brokeredIdentityContext.getToken()));
            }
            brokeredIdentityContext.getIdp().importNewUser(this.session, this.realm, userByFederatedIdentity, brokeredIdentityContext);
            for (IdentityProviderMapperModel identityProviderMapperModel2 : set) {
                keycloakSessionFactory.getProviderFactory(IdentityProviderMapper.class, identityProviderMapperModel2.getIdentityProviderMapper()).importNewUser(this.session, this.realm, userByFederatedIdentity, identityProviderMapperModel2, brokeredIdentityContext);
            }
            if (brokeredIdentityContext.getIdpConfig().isTrustEmail() && !Validation.isBlank(userByFederatedIdentity.getEmail())) {
                logger.debugf("Email verified automatically after registration of user '%s' through Identity provider '%s' ", userByFederatedIdentity.getUsername(), brokeredIdentityContext.getIdpConfig().getAlias());
                userByFederatedIdentity.setEmailVerified(true);
            }
            this.event.clone().event(EventType.REGISTER).user(userByFederatedIdentity.getId()).detail("register_method", AdminPermissionManagement.TOKEN_EXCHANGE).detail("email", userByFederatedIdentity.getEmail()).detail("identity_provider", alias).success();
        } else {
            if (!userByFederatedIdentity.isEnabled()) {
                this.event.error("user_disabled");
                throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid Token", Response.Status.BAD_REQUEST);
            }
            String disabledByBruteForceEventError = AuthenticatorUtils.getDisabledByBruteForceEventError(this.session.getProvider(BruteForceProtector.class), this.session, this.realm, userByFederatedIdentity);
            if (disabledByBruteForceEventError != null) {
                this.event.error(disabledByBruteForceEventError);
                throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid Token", Response.Status.BAD_REQUEST);
            }
            brokeredIdentityContext.getIdp().updateBrokeredUser(this.session, this.realm, userByFederatedIdentity, brokeredIdentityContext);
            for (IdentityProviderMapperModel identityProviderMapperModel3 : set) {
                IdentityProviderMapperSyncModeDelegate.delegateUpdateBrokeredUser(this.session, this.realm, userByFederatedIdentity, identityProviderMapperModel3, brokeredIdentityContext, keycloakSessionFactory.getProviderFactory(IdentityProviderMapper.class, identityProviderMapperModel3.getIdentityProviderMapper()));
            }
        }
        for (Map.Entry entry : brokeredIdentityContext.getAttributes().entrySet()) {
            if (!"username".equalsIgnoreCase((String) entry.getKey())) {
                userByFederatedIdentity.setAttribute((String) entry.getKey(), (List) entry.getValue());
            }
        }
        return userByFederatedIdentity;
    }

    private void updateUserSessionFromClientAuth(UserSessionModel userSessionModel) {
        for (Map.Entry<String, String> entry : this.clientAuthAttributes.entrySet()) {
            userSessionModel.setNote(entry.getKey(), entry.getValue());
        }
    }
}
