package org.alfresco.web.site.servlet;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.web.site.servlet.config.AIMSConfig;
import org.alfresco.web.site.servlet.config.CustomAuthorizationRequestResolver;
import org.alfresco.web.site.servlet.config.SecurityUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.json.JSONException;
import org.json.JSONObject;
import org.springframework.context.ApplicationContext;
import org.springframework.extensions.surf.FrameworkUtil;
import org.springframework.extensions.surf.RequestContext;
import org.springframework.extensions.surf.ServletUtil;
import org.springframework.extensions.surf.exception.ConnectorServiceException;
import org.springframework.extensions.surf.exception.RequestContextException;
import org.springframework.extensions.surf.exception.UserFactoryException;
import org.springframework.extensions.surf.site.AuthenticationUtil;
import org.springframework.extensions.surf.support.ServletRequestContextFactory;
import org.springframework.extensions.surf.support.ThreadLocalRequestContext;
import org.springframework.extensions.webscripts.connector.Connector;
import org.springframework.extensions.webscripts.connector.ConnectorContext;
import org.springframework.extensions.webscripts.connector.ConnectorService;
import org.springframework.extensions.webscripts.connector.CredentialVault;
import org.springframework.extensions.webscripts.connector.Credentials;
import org.springframework.extensions.webscripts.connector.HttpMethod;
import org.springframework.extensions.webscripts.connector.Response;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.DefaultRefreshTokenTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.security.web.util.ThrowableAnalyzer;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.context.request.ServletWebRequest;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:org/alfresco/web/site/servlet/AIMSFilter.class */
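/**
 * Servlet filter that gates Share behind an OpenID Connect login (AIMS).
 *
 * <p>Request handling, in order:
 * <ol>
 *   <li>If a Spring {@link SecurityContext} with an authenticated principal is already in the
 *       HTTP session, the tokens are refreshed against the identity provider and the request is
 *       passed down the chain. A refresh failure invalidates the session and restarts the login.</li>
 *   <li>If the request looks like an authorization-code callback matching the request we saved
 *       earlier, the code is exchanged for tokens, the ID token is validated (issuer, state, nonce)
 *       and an Alfresco ticket is obtained for the Share connector session.</li>
 *   <li>Otherwise the original request is cached and the browser is redirected to the
 *       authorization endpoint.</li>
 * </ol>
 *
 * <p>When the AIMS configuration is disabled the filter is a pass-through.
 * Methods that touch the shared {@code SecurityContext} are serialised on the filter instance,
 * which is a single lock for the whole web application.
 */
public class AIMSFilter implements Filter {
    private static final Log LOGGER = LogFactory.getLog(AIMSFilter.class);
    /** Session attribute under which Spring Security keeps the {@link SecurityContext}. */
    private static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";
    private ApplicationContext context;
    private ConnectorService connectorService;
    private SlingshotLoginController loginController;
    public static final String ALFRESCO_ENDPOINT_ID = "alfresco";
    public static final String ALFRESCO_API_ENDPOINT_ID = "alfresco-api";
    public static final String SHARE_AIMS_LOGOUT = "/share/page/aims/logout";
    public static final String DEFAULT_AUTHORIZATION_REQUEST_BASE_URI = "/oauth2/authorization";
    private ClientRegistrationRepository clientRegistrationRepository;
    private OAuth2AuthorizedClientService oauth2ClientService;
    private OAuth2AuthorizationRequestResolver authorizationRequestResolver;
    private RequestCache requestCache;
    private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository;
    private ThrowableAnalyzer throwableAnalyzer;
    private String clientId;
    private boolean enabled = false;
    private final AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    private final OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient = new DefaultAuthorizationCodeTokenResponseClient();
    private final DefaultRefreshTokenTokenResponseClient refreshTokenResponseClient = new DefaultRefreshTokenTokenResponseClient();
    private final JwtDecoderFactory<ClientRegistration> jwtDecoderFactory = new OidcIdTokenDecoderFactory();
    // Identity mapping: the authorities issued by the provider are used as-is.
    private final GrantedAuthoritiesMapper authoritiesMapper = collection -> collection;
    private final OAuth2UserService<OidcUserRequest, OidcUser> userService = new OidcUserService();
    private final RedirectStrategy authorizationRedirectStrategy = new DefaultRedirectStrategy();

    /**
     * Reads the {@code aims.config} bean and, when AIMS is enabled, wires the OAuth2 client
     * collaborators from the Spring web application context.
     *
     * @param filterConfig the container-supplied filter configuration
     * @throws ServletException never thrown directly; declared by {@link Filter#init}
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        if (LOGGER.isInfoEnabled()) {
            LOGGER.info("Initializing the AIMS filter.");
        }
        this.context = WebApplicationContextUtils.getRequiredWebApplicationContext(filterConfig.getServletContext());
        AIMSConfig aimsConfig = (AIMSConfig) this.context.getBean("aims.config");
        this.enabled = aimsConfig.isEnabled();
        if (this.enabled) {
            this.clientId = aimsConfig.getResource();
            this.clientRegistrationRepository = this.context.getBean(ClientRegistrationRepository.class);
            this.oauth2ClientService = this.context.getBean(OAuth2AuthorizedClientService.class);
            this.requestCache = new HttpSessionRequestCache();
            this.authorizationRequestResolver = new CustomAuthorizationRequestResolver(this.clientRegistrationRepository, DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
            this.authorizationRequestRepository = new HttpSessionOAuth2AuthorizationRequestRepository();
            this.throwableAnalyzer = new SecurityUtils.DefaultThrowableAnalyzer();
        }
        this.connectorService = (ConnectorService) this.context.getBean("connector.service");
        this.loginController = (SlingshotLoginController) this.context.getBean("loginController");
        if (LOGGER.isInfoEnabled()) {
            LOGGER.info("AIMS filter initialized.");
        }
    }

    /**
     * Entry point of the filter; see the class description for the decision tree.
     *
     * <p>Any exception raised while starting the authorization flow, or escaping the downstream
     * chain without a {@link ClientAuthorizationRequiredException} in its cause chain, is turned
     * into a plain HTTP 500 so that no stack trace reaches the client.
     *
     * @param servletRequest  the current request (must be an {@link HttpServletRequest})
     * @param servletResponse the current response (must be an {@link HttpServletResponse})
     * @param filterChain     the remaining filter chain
     * @throws IOException      if sending the error or redirect response fails
     * @throws ServletException propagated from the chain when AIMS is disabled or already authenticated
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        HttpSession session = httpServletRequest.getSession();
        boolean authenticated = false;
        if (null != session && this.enabled) {
            SecurityContext securityContext = (SecurityContext) session.getAttribute(SPRING_SECURITY_CONTEXT_KEY);
            // A stored context may carry no authentication at all; treat that as "not logged in"
            // instead of dereferencing null.
            Authentication authentication = securityContext != null ? securityContext.getAuthentication() : null;
            authenticated = authentication != null && authentication.isAuthenticated();
            if (authenticated) {
                try {
                    refreshToken(securityContext, session);
                } catch (Exception e) {
                    // Keep the full exception: a refresh failure is usually the first visible
                    // symptom of provider, clock or configuration trouble.
                    LOGGER.error("Resulted in Error while doing refresh token " + e.getMessage(), e);
                    session.invalidate();
                    if (!httpServletRequest.getRequestURI().contains(SHARE_AIMS_LOGOUT)) {
                        authenticated = false;
                    }
                }
            }
        }
        if (authenticated || !this.enabled) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (matchesAuthorizationResponse(httpServletRequest)) {
            processAuthorizationResponse(httpServletRequest, httpServletResponse, session);
            return;
        }
        try {
            // Remember where the user wanted to go so the callback can send them back there.
            this.requestCache.saveRequest(httpServletRequest, httpServletResponse);
            OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestResolver.resolve(httpServletRequest, this.clientId);
            if (authorizationRequest != null) {
                sendRedirectForAuthorization(httpServletRequest, httpServletResponse, authorizationRequest);
                return;
            }
            continueChainOrRedirect(httpServletRequest, httpServletResponse, filterChain);
        } catch (Exception e) {
            unsuccessfulRedirectForAuthorization(httpServletResponse);
        }
    }

    /**
     * Runs the downstream chain; if it fails because a client authorization is required,
     * starts the authorization flow for that client instead of failing the request.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @param filterChain         the remaining filter chain
     * @throws IOException      from the chain, or if the redirect cannot be written
     * @throws ServletException from the chain
     * @throws RuntimeException from the chain when no {@link ClientAuthorizationRequiredException}
     *                          is found in its cause chain, or when no authorization request can
     *                          be resolved for the client it names
     */
    private void continueChainOrRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (IOException | ServletException | RuntimeException e) {
            ClientAuthorizationRequiredException authorizationRequired = this.throwableAnalyzer.getFirstThrowableOfType(ClientAuthorizationRequiredException.class, this.throwableAnalyzer.determineCauseChain(e));
            if (authorizationRequired == null) {
                throw e;
            }
            OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestResolver.resolve(httpServletRequest, authorizationRequired.getClientRegistrationId());
            if (authorizationRequest == null) {
                throw authorizationRequired;
            }
            sendRedirectForAuthorization(httpServletRequest, httpServletResponse, authorizationRequest);
            this.requestCache.saveRequest(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Completes the Share side of the login once the OIDC exchange has succeeded: obtains an
     * Alfresco ticket for the repository, stores the user id and ticket in the session and the
     * connector session, and initialises the Surf user.
     *
     * @param httpServletRequest  the callback request
     * @param httpServletResponse the callback response
     * @param httpSession         the HTTP session receiving the Share login state
     * @param loginResult         the authenticated token returned by {@link #authenticate}
     * @throws AlfrescoRuntimeException if any step of the Share login fails
     */
    private void onSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession, OAuth2LoginAuthenticationToken loginResult) {
        if (LOGGER.isInfoEnabled()) {
            LOGGER.info("Completing the AIMS authentication.");
        }
        String username = (String) loginResult.getPrincipal().getAttribute("preferred_username");
        String accessToken = loginResult.getAccessToken().getTokenValue();
        synchronized (this) {
            try {
                initRequestContext(httpServletRequest, httpServletResponse);
                String alfTicket = getAlfTicket(httpSession, username, accessToken);
                if (alfTicket != null) {
                    httpSession.setAttribute("_alf_USER_ID", username);
                    httpSession.setAttribute("_alfExternalAuthAIMS", Boolean.TRUE);
                    this.connectorService.getConnector(ALFRESCO_ENDPOINT_ID, username, httpSession).getConnectorSession().setParameter("alfTicket", alfTicket);
                    CredentialVault credentialVault = FrameworkUtil.getCredentialVault(httpSession, username);
                    Credentials credentials = credentialVault.newCredentials(ALFRESCO_ENDPOINT_ID);
                    credentials.setProperty("cleartextUsername", username);
                    credentialVault.store(credentials);
                    this.loginController.beforeSuccess(httpServletRequest, httpServletResponse);
                    initUser(httpServletRequest);
                } else {
                    LOGGER.error("Could not get an alfTicket from Repository.");
                }
            } catch (Exception e) {
                throw new AlfrescoRuntimeException("Failed to complete AIMS authentication process.", e);
            }
        }
    }

    /**
     * Makes sure a Surf {@link RequestContext} and the Spring request attributes exist for the
     * current thread, creating the Surf context from the servlet factory bean when absent.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @throws RequestContextException if the Surf request context cannot be created
     */
    private void initRequestContext(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws RequestContextException {
        if (ThreadLocalRequestContext.getRequestContext() == null) {
            ServletRequestContextFactory factory = (ServletRequestContextFactory) this.context.getBean("webframework.factory.requestcontext.servlet");
            httpServletRequest.setAttribute("requestContext", factory.newInstance(new ServletWebRequest(httpServletRequest)));
        }
        RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpServletRequest, httpServletResponse));
        ServletUtil.setRequest(httpServletRequest);
    }

    /**
     * Populates the Surf user on the thread-local request context, if there is a context and
     * it has no user yet.
     *
     * @param httpServletRequest the current request
     * @throws UserFactoryException if the user factory fails to initialise the user
     */
    private void initUser(HttpServletRequest httpServletRequest) throws UserFactoryException {
        RequestContext requestContext = ThreadLocalRequestContext.getRequestContext();
        if (requestContext == null || requestContext.getUser() != null) {
            return;
        }
        String userEndpoint = (String) requestContext.getAttribute("alfUserEndpoint");
        requestContext.setUser(requestContext.getServiceRegistry().getUserFactory().initialiseUser(requestContext, httpServletRequest, userEndpoint));
    }

    /**
     * Exchanges the OIDC access token for an Alfresco ticket via the repository's
     * {@code tickets/-me-} endpoint.
     *
     * @param httpSession the session the connector is bound to
     * @param username    the Share user name the connector is created for
     * @param accessToken the bearer token sent in the {@code Authorization} header
     * @return the ticket id, or {@code null} if the repository did not answer 200 or the body
     *         could not be parsed (both cases are logged)
     * @throws ConnectorServiceException if the connector cannot be obtained
     */
    private String getAlfTicket(HttpSession httpSession, String username, String accessToken) throws ConnectorServiceException {
        if (LOGGER.isInfoEnabled()) {
            LOGGER.info("Retrieving the Alfresco Ticket from Repository.");
        }
        Connector connector = this.connectorService.getConnector(ALFRESCO_API_ENDPOINT_ID, username, httpSession);
        // The bearer token travels only in the Authorization header and is deliberately not logged.
        ConnectorContext connectorContext = new ConnectorContext(HttpMethod.GET, (Map) null, Collections.singletonMap("Authorization", "Bearer " + accessToken));
        connectorContext.setContentType("application/json");
        // The random noCache value defeats any intermediate caching of the ticket response.
        Response response = connector.call("/-default-/public/authentication/versions/1/tickets/-me-?noCache=" + UUID.randomUUID(), connectorContext);
        if (200 != response.getStatus().getCode()) {
            if (LOGGER.isErrorEnabled()) {
                LOGGER.error("Failed to retrieve Alfresco Ticket from Repository.");
            }
            return null;
        }
        try {
            return new JSONObject(response.getText()).getJSONObject("entry").getString("id");
        } catch (JSONException e) {
            if (LOGGER.isErrorEnabled()) {
                LOGGER.error("Failed to parse Alfresco Ticket from Repository response.", e);
            }
            return null;
        }
    }

    /**
     * Decides whether the request is the authorization-code callback for the authorization
     * request saved in the session: the query must look like an authorization response and the
     * request URL must match the saved redirect URI in scheme, user info, host, port, path and
     * in every query parameter the redirect URI carries.
     *
     * @param httpServletRequest the current request
     * @return {@code true} if the request is the expected callback
     */
    private boolean matchesAuthorizationResponse(HttpServletRequest httpServletRequest) {
        if (!SecurityUtils.isAuthorizationResponse(SecurityUtils.toMultiMap(httpServletRequest.getParameterMap()))) {
            return false;
        }
        OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestRepository.loadAuthorizationRequest(httpServletRequest);
        if (authorizationRequest == null) {
            return false;
        }
        UriComponents requestUri = UriComponentsBuilder.fromUriString(UrlUtils.buildFullRequestUrl(httpServletRequest)).build();
        UriComponents redirectUri = UriComponentsBuilder.fromUriString(authorizationRequest.getRedirectUri()).build();
        LinkedHashSet<Map.Entry<String, ?>> requestParams = new LinkedHashSet<Map.Entry<String, ?>>(requestUri.getQueryParams().entrySet());
        LinkedHashSet<Map.Entry<String, ?>> redirectParams = new LinkedHashSet<Map.Entry<String, ?>>(redirectUri.getQueryParams().entrySet());
        // Only the parameters present on the redirect URI are compared; code/state added by the
        // provider are ignored.
        requestParams.retainAll(redirectParams);
        return Objects.equals(requestUri.getScheme(), redirectUri.getScheme())
                && Objects.equals(requestUri.getUserInfo(), redirectUri.getUserInfo())
                && Objects.equals(requestUri.getHost(), redirectUri.getHost())
                && requestUri.getPort() == redirectUri.getPort()
                && Objects.equals(requestUri.getPath(), redirectUri.getPath())
                && Objects.equals(requestParams.toString(), redirectParams.toString());
    }

    /**
     * Handles the authorization-code callback: exchanges the code for tokens, stores the
     * resulting {@link SecurityContext} in the session, completes the Share login and redirects
     * to the originally requested page (or the redirect URI when none was saved).
     *
     * <p>Failures reported by the provider ({@link OAuth2AuthorizationException}) and failures of
     * the local checks in {@link #authenticate} ({@link OAuth2AuthenticationException}) are both
     * sent back to the redirect URI as {@code error} query parameters instead of surfacing as a
     * container error page.
     *
     * @param httpServletRequest  the callback request
     * @param httpServletResponse the callback response
     * @param httpSession         the session that will hold the security context
     * @throws IOException if a redirect or error response cannot be written
     */
    private synchronized void processAuthorizationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession) throws IOException {
        OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestRepository.removeAuthorizationRequest(httpServletRequest, httpServletResponse);
        OAuth2AuthorizationExchange exchange = new OAuth2AuthorizationExchange(authorizationRequest,
                SecurityUtils.convert(SecurityUtils.toMultiMap(httpServletRequest.getParameterMap()), UrlUtils.buildFullRequestUrl(httpServletRequest)));
        OAuth2LoginAuthenticationToken loginRequest = new OAuth2LoginAuthenticationToken(this.clientRegistrationRepository.findByRegistrationId(this.clientId), exchange);
        loginRequest.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
        try {
            OAuth2LoginAuthenticationToken loginResult = (OAuth2LoginAuthenticationToken) authenticate(loginRequest);
            if (loginResult == null) {
                // authenticate() yields null when the authorization request did not ask for the
                // "openid" scope; there is no identity to log in, so fail instead of dereferencing null.
                LOGGER.error("AIMS authentication produced no token: the authorization request lacks the openid scope.");
                unsuccessfulRedirectForAuthorization(httpServletResponse);
                return;
            }
            SecurityContextHolder.clearContext();
            SecurityContextHolder.getContext().setAuthentication(loginResult);
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            String principalName = authentication != null ? authentication.getPrincipal().toString() : "anonymousUser";
            this.oauth2ClientService.saveAuthorizedClient(new OAuth2AuthorizedClient(loginResult.getClientRegistration(), principalName, loginResult.getAccessToken(), loginResult.getRefreshToken()), authentication);
            String redirectUri = authorizationRequest.getRedirectUri();
            SavedRequest savedRequest = this.requestCache.getRequest(httpServletRequest, httpServletResponse);
            httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
            if (!AuthenticationUtil.isAuthenticated(httpServletRequest)) {
                onSuccess(httpServletRequest, httpServletResponse, httpSession, loginResult);
            }
            if (savedRequest != null) {
                redirectUri = savedRequest.getRedirectUrl();
                this.requestCache.removeRequest(httpServletRequest, httpServletResponse);
            }
            this.redirectStrategy.sendRedirect(httpServletRequest, httpServletResponse, redirectUri);
        } catch (OAuth2AuthorizationException e) {
            sendErrorRedirect(httpServletRequest, httpServletResponse, authorizationRequest.getRedirectUri(), e.getError());
        } catch (OAuth2AuthenticationException e) {
            sendErrorRedirect(httpServletRequest, httpServletResponse, authorizationRequest.getRedirectUri(), e.getError());
        }
    }

    /**
     * Redirects to {@code redirectUri} carrying the OAuth2 error as {@code error},
     * {@code error_description} and {@code error_uri} query parameters (the latter two only when set).
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @param redirectUri         the base URI to redirect to
     * @param error               the error to report
     * @throws IOException if the redirect cannot be written
     */
    private void sendErrorRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String redirectUri, OAuth2Error error) throws IOException {
        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(redirectUri).queryParam("error", error.getErrorCode());
        if (StringUtils.hasLength(error.getDescription())) {
            builder.queryParam("error_description", error.getDescription());
        }
        if (StringUtils.hasLength(error.getUri())) {
            builder.queryParam("error_uri", error.getUri());
        }
        this.redirectStrategy.sendRedirect(httpServletRequest, httpServletResponse, builder.build().encode().toString());
    }

    /**
     * Performs the OIDC authorization-code login for an unauthenticated
     * {@link OAuth2LoginAuthenticationToken}: checks the provider did not return an error,
     * binds the response to our request through the {@code state} parameter, exchanges the code,
     * requires and validates the ID token (issuer and, when we sent one, the hashed nonce) and
     * loads the user.
     *
     * @param authentication an {@link OAuth2LoginAuthenticationToken} built from the callback
     * @return an authenticated {@link OAuth2LoginAuthenticationToken}, or {@code null} when the
     *         authorization request did not include the {@code openid} scope (this provider then
     *         does not apply)
     * @throws OAuth2AuthenticationException if the response carries an error, the state does not
     *         match, the ID token is missing or invalid, the nonce does not match, or the token
     *         endpoint rejects the exchange
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2LoginAuthenticationToken loginRequest = (OAuth2LoginAuthenticationToken) authentication;
        OAuth2AuthorizationRequest authorizationRequest = loginRequest.getAuthorizationExchange().getAuthorizationRequest();
        OAuth2AuthorizationResponse authorizationResponse = loginRequest.getAuthorizationExchange().getAuthorizationResponse();
        if (!authorizationRequest.getScopes().contains("openid")) {
            return null;
        }
        if (authorizationResponse.statusError()) {
            throw new OAuth2AuthenticationException(authorizationResponse.getError(), authorizationResponse.getError().toString());
        }
        // The state ties this callback to the request we issued; a missing state fails closed.
        String returnedState = authorizationResponse.getState();
        if (returnedState == null || !returnedState.equals(authorizationRequest.getState())) {
            OAuth2Error oAuth2Error = new OAuth2Error("invalid_state_parameter");
            throw new OAuth2AuthenticationException(oAuth2Error, oAuth2Error.toString());
        }
        try {
            ClientRegistration clientRegistration = loginRequest.getClientRegistration();
            OAuth2AccessTokenResponse tokenResponse = this.accessTokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(clientRegistration, loginRequest.getAuthorizationExchange()));
            Map<String, Object> additionalParameters = tokenResponse.getAdditionalParameters();
            if (!additionalParameters.containsKey("id_token")) {
                OAuth2Error oAuth2Error = new OAuth2Error("invalid_id_token", "Missing (required) ID Token in Token Response for Client Registration: " + clientRegistration.getRegistrationId(), null);
                throw new OAuth2AuthenticationException(oAuth2Error, oAuth2Error.toString());
            }
            OidcIdToken idToken = createOidcToken(clientRegistration, tokenResponse);
            validateNonce(authorizationRequest, idToken);
            OidcUser oidcUser = this.userService.loadUser(new OidcUserRequest(clientRegistration, tokenResponse.getAccessToken(), idToken, additionalParameters));
            OAuth2LoginAuthenticationToken loginResult = new OAuth2LoginAuthenticationToken(clientRegistration, loginRequest.getAuthorizationExchange(), oidcUser, this.authoritiesMapper.mapAuthorities(oidcUser.getAuthorities()), tokenResponse.getAccessToken(), tokenResponse.getRefreshToken());
            loginResult.setDetails(loginRequest.getDetails());
            return loginResult;
        } catch (OAuth2AuthorizationException e) {
            OAuth2Error error = e.getError();
            throw new OAuth2AuthenticationException(error, error.toString());
        }
    }

    /**
     * Checks that the ID token's {@code nonce} claim equals the SHA-256/base64url hash of the
     * nonce we attached to the authorization request. Skipped when we sent no nonce.
     *
     * @param authorizationRequest the request whose {@code nonce} attribute was sent to the provider
     * @param idToken              the decoded ID token
     * @throws OAuth2AuthenticationException with code {@code invalid_nonce} if the claim is
     *         absent, differs, or the hash cannot be computed
     */
    private static void validateNonce(OAuth2AuthorizationRequest authorizationRequest, OidcIdToken idToken) {
        String nonce = (String) authorizationRequest.getAttribute("nonce");
        if (nonce == null) {
            return;
        }
        try {
            String expectedNonceClaim = createHash(nonce);
            String nonceClaim = idToken.getNonce();
            if (nonceClaim == null || !nonceClaim.equals(expectedNonceClaim)) {
                OAuth2Error oAuth2Error = new OAuth2Error("invalid_nonce");
                throw new OAuth2AuthenticationException(oAuth2Error, oAuth2Error.toString());
            }
        } catch (NoSuchAlgorithmException e) {
            OAuth2Error oAuth2Error = new OAuth2Error("invalid_nonce");
            throw new OAuth2AuthenticationException(oAuth2Error, oAuth2Error.toString(), e);
        }
    }

    /**
     * Decodes and validates the {@code id_token} of a token response and wraps it as an
     * {@link OidcIdToken}. Signature and standard claims are checked by the decoder created
     * for the client registration; the issuer is checked by {@link #validate}.
     *
     * @param clientRegistration the registration the token was issued for
     * @param tokenResponse      the token response carrying {@code id_token}
     * @return the decoded ID token
     * @throws OAuth2AuthenticationException if the token cannot be decoded ({@code invalid_id_token})
     *         or the issuer check fails ({@code invalid_issue_uri})
     */
    private OidcIdToken createOidcToken(ClientRegistration clientRegistration, OAuth2AccessTokenResponse tokenResponse) {
        try {
            Jwt jwt = this.jwtDecoderFactory.createDecoder(clientRegistration).decode((String) tokenResponse.getAdditionalParameters().get("id_token"));
            OAuth2TokenValidatorResult result = validate(jwt, clientRegistration.getProviderDetails());
            if (result.hasErrors()) {
                String description = result.getErrors().stream()
                        .filter(Objects::nonNull)
                        .findFirst()
                        .map(OAuth2Error::getDescription)
                        .orElse(null);
                throw new OAuth2AuthenticationException(new OAuth2Error("invalid_issue_uri", description, null));
            }
            return new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims());
        } catch (JwtException e) {
            OAuth2Error oAuth2Error = new OAuth2Error("invalid_id_token", e.getMessage(), null);
            throw new OAuth2AuthenticationException(oAuth2Error, oAuth2Error.toString(), e);
        }
    }

    /**
     * Hashes a nonce the way OIDC providers echo it back: SHA-256 over the ASCII bytes,
     * base64url-encoded without padding.
     *
     * @param value the nonce to hash
     * @return the encoded digest
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable in this JVM
     */
    static String createHash(String value) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    /**
     * Redirects the browser to the provider's authorization endpoint, first persisting the
     * authorization request (for the code grant) so the callback can be matched to it.
     *
     * @param httpServletRequest   the current request
     * @param httpServletResponse  the current response
     * @param authorizationRequest the resolved authorization request
     * @throws IOException if the redirect cannot be written
     */
    private void sendRedirectForAuthorization(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth2AuthorizationRequest authorizationRequest) throws IOException {
        if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationRequest.getGrantType())) {
            this.authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest, httpServletRequest, httpServletResponse);
        }
        this.authorizationRedirectStrategy.sendRedirect(httpServletRequest, httpServletResponse, authorizationRequest.getAuthorizationRequestUri());
    }

    /**
     * Answers with a bare HTTP 500 when the authorization flow cannot be started or completed.
     *
     * @param httpServletResponse the current response
     * @throws IOException if the error response cannot be written
     */
    private void unsuccessfulRedirectForAuthorization(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.sendError(HttpStatus.INTERNAL_SERVER_ERROR.value(), HttpStatus.INTERNAL_SERVER_ERROR.getReasonPhrase());
    }

    /**
     * Refreshes the access token of the authenticated user, re-validates the new ID token,
     * reloads the user and replaces the authentication in both the security context and the
     * session. Called on every authenticated request without checking expiry, so each request
     * costs a round-trip to the token endpoint.
     *
     * @param securityContext the context holding the current {@link OAuth2LoginAuthenticationToken}
     * @param httpSession     the session to write the updated context back to
     * @throws RuntimeException (various) if the refresh, decoding or user loading fails; the
     *         caller invalidates the session in that case
     */
    private synchronized void refreshToken(SecurityContext securityContext, HttpSession httpSession) {
        OAuth2LoginAuthenticationToken current = (OAuth2LoginAuthenticationToken) securityContext.getAuthentication();
        ClientRegistration clientRegistration = current.getClientRegistration();
        OAuth2AccessTokenResponse tokenResponse = this.refreshTokenResponseClient.getTokenResponse(new OAuth2RefreshTokenGrantRequest(clientRegistration, current.getAccessToken(), current.getRefreshToken()));
        OidcIdToken idToken = createOidcToken(clientRegistration, tokenResponse);
        OidcUser oidcUser = this.userService.loadUser(new OidcUserRequest(clientRegistration, tokenResponse.getAccessToken(), idToken, tokenResponse.getAdditionalParameters()));
        OAuth2LoginAuthenticationToken refreshed = new OAuth2LoginAuthenticationToken(clientRegistration, current.getAuthorizationExchange(), oidcUser, this.authoritiesMapper.mapAuthorities(oidcUser.getAuthorities()), tokenResponse.getAccessToken(), tokenResponse.getRefreshToken());
        refreshed.setDetails(current.getDetails());
        this.oauth2ClientService.saveAuthorizedClient(new OAuth2AuthorizedClient(clientRegistration, current.getName(), tokenResponse.getAccessToken(), tokenResponse.getRefreshToken()), refreshed);
        securityContext.setAuthentication(refreshed);
        httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);
    }

    /**
     * Validates that the JWT's {@code iss} claim equals the configured issuer URI.
     * A missing claim or a missing configured issuer fails the check.
     *
     * @param jwt             the decoded token
     * @param providerDetails the provider details supplying the expected issuer
     * @return a successful result, or a failure carrying a single {@code invalid_token} error
     */
    public OAuth2TokenValidatorResult validate(Jwt jwt, ClientRegistration.ProviderDetails providerDetails) {
        Object issuerClaim = jwt.getClaim("iss");
        String issuerUri = providerDetails.getIssuerUri();
        if (issuerClaim != null && issuerUri != null && issuerUri.equals(issuerClaim.toString())) {
            return OAuth2TokenValidatorResult.success();
        }
        return OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_token", "The iss claim is not valid. Expected " + issuerUri + " but got " + issuerClaim, "https://tools.ietf.org/html/rfc6750#section-3.1"));
    }
}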
