package com.ibm.ws.security.openidconnect.client.internal;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.json.java.JSONArray;
import com.ibm.json.java.JSONObject;
import com.ibm.websphere.crypto.PasswordUtil;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.config.CommonConfigUtils;
import com.ibm.ws.security.common.jwk.impl.JWKSet;
import com.ibm.ws.security.openidconnect.clients.common.HashUtils;
import com.ibm.ws.security.openidconnect.clients.common.OIDCClientAuthenticatorUtil;
import com.ibm.ws.security.openidconnect.clients.common.OidcClientConfig;
import com.ibm.ws.security.openidconnect.clients.common.OidcUtil;
import com.ibm.ws.security.openidconnect.common.ConfigUtils;
import com.ibm.ws.ssl.KeyStoreService;
import com.ibm.wsspi.kernel.service.location.WsLocationAdmin;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.SerializableProtectedString;
import com.ibm.wsspi.ssl.SSLSupport;
import java.io.IOException;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Dictionary;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLSocketFactory;
import org.apache.http.HttpResponse;
import org.apache.http.StatusLine;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.AllowAllHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.StrictHostnameVerifier;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.osgi.framework.ServiceReference;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(configurationPid = {"com.ibm.ws.security.openidconnect.client.oidcClientConfig"}, configurationPolicy = ConfigurationPolicy.REQUIRE, service = {OidcClientConfig.class}, property = {"service.vendor=IBM"})
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/openidconnect/client/internal/OidcClientConfigImpl.class */
public class OidcClientConfigImpl implements OidcClientConfig {
    // Attribute keys looked up in the component-properties map by processConfigProps().
    public static final String KEY_SSL_SUPPORT = "sslSupport";
    public static final String CFG_KEY_ID = "id";
    public static final String CFG_KEY_GRANT_TYPE = "grantType";
    public static final String CFG_KEY_RESPONSE_TYPE = "responseType";
    public static final String CFG_KEY_SCOPE = "scope";
    public static final String CFG_KEY_CLIENT_ID = "clientId";
    public static final String CFG_KEY_CLIENT_SECRET = "clientSecret";
    public static final String CFG_KEY_REDIRECT_TO_RP_HOST_AND_PORT = "redirectToRPHostAndPort";
    public static final String CFG_KEY_USER_IDENTIFIER = "userIdentifier";
    public static final String CFG_KEY_GROUP_IDENTIFIER = "groupIdentifier";
    public static final String CFG_KEY_REALM_IDENTIFIER = "realmIdentifier";
    public static final String CFG_KEY_REALM_NAME = "realmName";
    public static final String CFG_KEY_UNIQUE_USER_IDENTIFIER = "uniqueUserIdentifier";
    public static final String CFG_KEY_TOKEN_ENDPOINT_AUTH_METHOD = "tokenEndpointAuthMethod";
    public static final String CFG_KEY_USER_IDENTITY_TO_CREATE_SUBJECT = "userIdentityToCreateSubject";
    public static final String CFG_KEY_MAP_IDENTITY_TO_REGISTRY_USER = "mapIdentityToRegistryUser";
    public static final String CFG_KEY_OidcclientRequestParameterSupported = "oidcclientRequestParameterSupported";
    public static final String CFG_KEY_VALIDATE_ACCESS_TOKEN_LOCALLY = "validateAccessTokenLocally";
    public static final String CFG_KEY_SHARED_KEY = "sharedKey";
    public static final String CFG_KEY_TRUST_ALIAS_NAME = "trustAliasName";
    public static final String CFG_KEY_HTTPS_REQUIRED = "httpsRequired";
    public static final String CFG_KEY_CLIENTSIDE_REDIRECT = "isClientSideRedirectSupported";
    public static final String CFG_KEY_disableLtpaCookie = "disableLtpaCookie";
    public static final String CFG_KEY_NONCE_ENABLED = "nonceEnabled";
    public static final String CFG_KEY_SSL_REF = "sslRef";
    public static final String CFG_KEY_SIGNATURE_ALGORITHM = "signatureAlgorithm";
    public static final String CFG_KEY_CLOCK_SKEW = "clockSkew";
    public static final String CFG_KEY_AUTHENTICATION_TIME_LIMIT = "authenticationTimeLimit";
    public static final String CFG_KEY_DISCOVERY_ENDPOINT_URL = "discoveryEndpointUrl";
    public static final String CFG_KEY_AUTHORIZATION_ENDPOINT_URL = "authorizationEndpointUrl";
    public static final String CFG_KEY_TOKEN_ENDPOINT_URL = "tokenEndpointUrl";
    public static final String CFG_KEY_USERINFO_ENDPOINT_URL = "userInfoEndpointUrl";
    public static final String CFG_KEY_VALIDATION_ENDPOINT_URL = "validationEndpointUrl";
    public static final String CFG_KEY_DISABLE_ISS_CHECKING = "disableIssChecking";
    public static final String CFG_KEY_INITIAL_STATE_CACHE_CAPACITY = "initialStateCacheCapacity";
    public static final String CFG_KEY_AUTO_AUTHORIZE_PARAM = "autoAuthorizeParam";
    public static final String CFG_KEY_ISSUER_IDENTIFIER = "issuerIdentifier";
    public static final String CFG_KEY_TRUSTSTORE_REF = "trustStoreRef";
    public static final String CFG_KEY_HOST_NAME_VERIFICATION_ENABLED = "hostNameVerificationEnabled";
    public static final String CFG_KEY_INCLUDE_ID_TOKEN_IN_SUBJECT = "includeIdTokenInSubject";
    public static final String CFG_KEY_INCLUDE_CUSTOM_CACHE_KEY_IN_SUBJECT = "includeCustomCacheKeyInSubject";
    public static final String CFG_KEY_AUTH_CONTEXT_CLASS_REFERENCE = "authContextClassReference";
    public static final String CFG_KEY_AUTH_FILTER_REF = "authFilterRef";
    public static final String CFG_KEY_JSON_WEB_KEY = "jsonWebKey";
    public static final String CFG_KEY_JWK_ENDPOINT_URL = "jwkEndpointUrl";
    public static final String CFG_KEY_JWK_CLIENT_ID = "jwkClientId";
    public static final String CFG_KEY_JWK_CLIENT_SECRET = "jwkClientSecret";
    public static final String CFG_KEY_PROMPT = "prompt";
    public static final String CFG_KEY_AUDIENCES = "audiences";
    public static final String CFG_KEY_RESOURCES = "resource";
    public static final String CFG_KEY_CREATE_SESSION = "createSession";
    public static final String CFG_KEY_INBOUND_PROPAGATION = "inboundPropagation";
    public static final String CFG_KEY_VALIDATION_METHOD = "validationMethod";
    public static final String CFG_KEY_HEADER_NAME = "headerName";
    public static final String CFG_KEY_propagation_authnSessionDisabled = "authnSessionDisabled";
    public static final String CFG_KEY_reAuthnOnAccessTokenExpire = "reAuthnOnAccessTokenExpire";
    public static final String CFG_KEY_reAuthnCushionMilliseconds = "reAuthnCushion";
    // Nested "jwt" element: its value is resolved through ConfigurationAdmin and these two keys are read from it.
    public static final String CFG_KEY_jwt = "jwt";
    public static final String CFG_KEY_jwtRef = "builder";
    public static final String CFG_KEY_jwtClaims = "claims";
    // Custom request-parameter elements; each entry carries a name/value pair.
    public static final String CFG_KEY_AUTHZ_PARAM = "authzParameter";
    public static final String CFG_KEY_TOKEN_PARAM = "tokenParameter";
    public static final String CFG_KEY_USERINFO_PARAM = "userinfoParameter";
    public static final String CFG_KEY_JWK_PARAM = "jwkParameter";
    public static final String CFG_KEY_PARAM_NAME = "name";
    public static final String CFG_KEY_PARAM_VALUE = "value";
    public static final String CFG_KEY_JUNCTION_PATH = "redirectJunctionPath";
    public static final String CFG_KEY_accessTokenInLtpaCookie = "accessTokenInLtpaCookie";
    public static final String CFG_KEY_USE_ACCESS_TOKEN_AS_ID_TOKEN = "useAccessTokenAsIdToken";
    public static final String CFG_KEY_USERINFO_ENDPOINT_ENABLED = "userInfoEndpointEnabled";
    public static final String CFG_KEY_DISCOVERY_POLLING_RATE = "discoveryPollingRate";
    public static final String CFG_KEY_USE_SYSPROPS_FOR_HTTPCLIENT_CONNECTONS = "useSystemPropertiesForHttpClientConnections";
    public static final String CFG_KEY_FORWARD_LOGIN_PARAMETER = "forwardLoginParameter";
    // Member names expected in the OP's discovery document (OpenID Provider metadata).
    public static final String OPDISCOVERY_AUTHZ_EP_URL = "authorization_endpoint";
    public static final String OPDISCOVERY_TOKEN_EP_URL = "token_endpoint";
    public static final String OPDISCOVERY_INTROSPECTION_EP_URL = "introspection_endpoint";
    public static final String OPDISCOVERY_JWKS_EP_URL = "jwks_uri";
    public static final String OPDISCOVERY_USERINFO_EP_URL = "userinfo_endpoint";
    public static final String OPDISCOVERY_ISSUER = "issuer";
    public static final String OPDISCOVERY_TOKEN_EP_AUTH = "token_endpoint_auth_methods_supported";
    public static final String OPDISCOVERY_SCOPES = "scopes_supported";
    public static final String OPDISCOVERY_IDTOKEN_SIGN_ALG = "id_token_signing_alg_values_supported";
    public static final String CFG_KEY_TOKEN_REUSE = "tokenReuse";
    static final String COMMA = ",";
    static final String BLANK = "";
    // Names of the DS references bound by the set*/unset* methods below.
    public static final String KEY_CONFIGURATION_ADMIN = "configurationAdmin";
    public static final String KEY_KEYSTORE_SERVICE = "keyStoreService";
    // Effective configuration; every field below is (re)populated by processConfigProps().
    private String id;
    private String grantType;
    private String responseType;
    private String scope;
    private String clientId;
    // Read via processProtectedString(); intentionally absent from the debug dump in processConfigProps().
    private String clientSecret;
    private String redirectToRPHostAndPort;
    private String userIdentifier;
    private String groupIdentifier;
    private String realmIdentifier;
    private String realmName;
    private String uniqueUserIdentifier;
    private String tokenEndpointAuthMethod;
    private String userIdentityToCreateSubject;
    private boolean mapIdentityToRegistryUser;
    private boolean oidcclientRequestParameterSupported;
    private boolean validateAccessTokenLocally;
    // Read via processProtectedString(); intentionally absent from the debug dump in processConfigProps().
    private String sharedKey;
    private String trustAliasName;
    private boolean httpsRequired;
    private boolean clientSideRedirect;
    private boolean nonceEnabled;
    private String sslRef;
    // Mirrors sslRef (assigned from it in processConfigProps()).
    private String sslConfigurationName;
    private String signatureAlgorithm;
    // Stored in seconds; processConfigProps() divides the configured value by 1000.
    private long clockSkewInSeconds;
    private long authenticationTimeLimitInSeconds;
    private String discoveryEndpointUrl;
    private String authorizationEndpointUrl;
    private String tokenEndpointUrl;
    private String userInfoEndpointUrl;
    private boolean userInfoEndpointEnabled;
    private String validationEndpointUrl;
    private int initialStateCacheCapacity;
    private String issuerIdentifier;
    private String trustStoreRef;
    private boolean hostNameVerificationEnabled;
    private boolean includeIdTokenInSubject;
    private boolean includeCustomCacheKeyInSubject;
    // Defaults to BLANK when the attribute is absent.
    private String authenticationContextClassReferenceValue;
    private String authFilterRef;
    private String authFilterId;
    private String jsonWebKey;
    private String jwkEndpointUrl;
    private String jwkClientId;
    // Read via processProtectedString(); intentionally absent from the debug dump in processConfigProps().
    private String jwkClientSecret;
    private String jwtRef;
    private String[] jwtClaims;
    private JWKSet jwkset;
    private String prompt;
    private boolean createSession;
    private String inboundPropagation;
    private String validationMethod;
    private String headerName;
    private boolean disableIssChecking;
    private String[] audiences;
    private String[] resources;
    private boolean useAccessTokenAsIdToken;
    private List<String> forwardLoginParameter;
    private String oidcClientCookieName;
    private boolean authnSessionDisabled;
    private boolean reAuthnOnAccessTokenExpire;
    private long reAuthnCushionMilliseconds;
    // Normalized to a leading "/" and no trailing "/" in processConfigProps().
    private String redirectJunctionPath;
    private long nextDiscoveryTime;
    private HashMap<String, String> authzRequestParamMap;
    private HashMap<String, String> tokenRequestParamMap;
    private HashMap<String, String> userinfoRequestParamMap;
    private HashMap<String, String> jwkRequestParamMap;
    // NOTE(review): this class does not visibly declare Serializable; presumably inherited through OidcClientConfig -- confirm.
    static final long serialVersionUID = -4576737471342683909L;
    private static final TraceComponent tc = Tr.register(OidcClientConfigImpl.class, "OpenIdConnect", "com.ibm.ws.security.openidconnect.client.internal.resources.OidcClientMessages");
    static String contextPath = "/oidcclient";
    static final String KEY_LOCATION_ADMIN = "locationAdmin";
    static final AtomicServiceReference<WsLocationAdmin> locationAdminRef = new AtomicServiceReference<>(KEY_LOCATION_ADMIN);
    // Process-wide random value generated once at class load; its use is outside this view.
    static String firstRandom = OidcUtil.generateRandom(32);
    protected final AtomicServiceReference<SSLSupport> sslSupportRef = new AtomicServiceReference<>("sslSupport");
    private final AtomicServiceReference<ConfigurationAdmin> configAdminRef = new AtomicServiceReference<>(KEY_CONFIGURATION_ADMIN);
    private final AtomicServiceReference<KeyStoreService> keyStoreServiceRef = new AtomicServiceReference<>(KEY_KEYSTORE_SERVICE);
    private boolean disableLtpaCookie = false;
    // Set when any configured audience equals "ALL_AUDIENCES".
    private boolean allAudiences = false;
    boolean goodConfig = true;
    private boolean accessTokenInLtpaCookie = false;
    // Discovery state; reset to null/false at the start of each processConfigProps() run.
    private JSONObject discoveryjson = null;
    private String discoveryDocumentHash = null;
    // Initial default; overwritten from CFG_KEY_DISCOVERY_POLLING_RATE (presumably milliseconds).
    private long discoveryPollingRate = 300000;
    private boolean discovery = false;
    private final CommonConfigUtils configUtils = new CommonConfigUtils();
    private final ConfigUtils oidcConfigUtils = new ConfigUtils(this.configAdminRef);
    private boolean useSystemPropertiesForHttpClientConnections = false;
    private boolean tokenReuse = false;

    @Reference(name = KEY_CONFIGURATION_ADMIN, service = ConfigurationAdmin.class, policy = ReferencePolicy.DYNAMIC)
    protected void setConfigurationAdmin(ServiceReference<ConfigurationAdmin> serviceReference) {
        // DS bind callback: hand the ConfigurationAdmin reference to its tracking holder.
        final AtomicServiceReference<ConfigurationAdmin> holder = this.configAdminRef;
        holder.setReference(serviceReference);
    }

    protected void unsetConfigurationAdmin(ServiceReference<ConfigurationAdmin> serviceReference) {
        // DS unbind callback: drop the ConfigurationAdmin reference from its tracking holder.
        final AtomicServiceReference<ConfigurationAdmin> holder = this.configAdminRef;
        holder.unsetReference(serviceReference);
    }

    @Reference(name = KEY_KEYSTORE_SERVICE, service = KeyStoreService.class, cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC)
    protected void setKeyStoreService(ServiceReference<KeyStoreService> serviceReference) {
        // DS bind callback for the optional KeyStoreService.
        final AtomicServiceReference<KeyStoreService> holder = this.keyStoreServiceRef;
        holder.setReference(serviceReference);
    }

    protected void unsetKeyStoreService(ServiceReference<KeyStoreService> serviceReference) {
        // DS unbind callback for the optional KeyStoreService.
        final AtomicServiceReference<KeyStoreService> holder = this.keyStoreServiceRef;
        holder.unsetReference(serviceReference);
    }

    @Reference(name = KEY_LOCATION_ADMIN, service = WsLocationAdmin.class)
    protected void setLocationAdmin(ServiceReference<WsLocationAdmin> serviceReference) {
        // DS bind callback; note the holder is static and therefore shared by all instances.
        final AtomicServiceReference<WsLocationAdmin> holder = locationAdminRef;
        holder.setReference(serviceReference);
    }

    protected void unsetLocationAdmin(ServiceReference<WsLocationAdmin> serviceReference) {
        // DS unbind callback for the shared (static) WsLocationAdmin holder.
        final AtomicServiceReference<WsLocationAdmin> holder = locationAdminRef;
        holder.unsetReference(serviceReference);
    }

    @Reference(service = SSLSupport.class, name = "sslSupport", policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL)
    protected void setSslSupport(ServiceReference<SSLSupport> serviceReference) {
        // DS bind callback for the optional SSLSupport; traces the bound service.pid when debug is on.
        this.sslSupportRef.setReference(serviceReference);
        if (!tc.isDebugEnabled()) {
            return;
        }
        final Object pid = serviceReference.getProperty("service.pid");
        Tr.debug(tc, "setSslSupport service.pid:" + pid, new Object[0]);
    }

    protected void updatedSslSupport(ServiceReference<SSLSupport> serviceReference) {
        // DS updated callback: re-point the holder at the (possibly changed) SSLSupport reference.
        this.sslSupportRef.setReference(serviceReference);
        if (!tc.isDebugEnabled()) {
            return;
        }
        final Object pid = serviceReference.getProperty("service.pid");
        Tr.debug(tc, "updatedtSslSupport service.pid:" + pid, new Object[0]);
    }

    protected void unsetSslSupport(ServiceReference<SSLSupport> serviceReference) {
        // DS unbind callback for the optional SSLSupport; traces the released service.pid when debug is on.
        this.sslSupportRef.unsetReference(serviceReference);
        if (!tc.isDebugEnabled()) {
            return;
        }
        final Object pid = serviceReference.getProperty("service.pid");
        Tr.debug(tc, "unsetSslSupport service.pid:" + pid, new Object[0]);
    }

    @Activate
    protected void activate(ComponentContext componentContext, Map<String, Object> map) {
        // Bring every tracked service holder online (in the same order as before) and then read the configuration.
        final AtomicServiceReference<?>[] holders = {
                this.configAdminRef, this.sslSupportRef, this.keyStoreServiceRef, locationAdminRef
        };
        for (AtomicServiceReference<?> holder : holders) {
            holder.activate(componentContext);
        }
        processConfigProps(map);
        if (!isValidConfig()) {
            return;
        }
        Tr.info(tc, "OIDC_CLIENT_CONFIG_PROCESSED", new Object[]{getId()});
    }

    @Modified
    protected synchronized void modify(Map<String, Object> map) {
        // Configuration update: re-read the properties; log only when the result is a valid configuration.
        processConfigProps(map);
        if (!isValidConfig()) {
            return;
        }
        Tr.info(tc, "OIDC_CLIENT_CONFIG_MODIFIED", new Object[]{getId()});
    }

    @Deactivate
    protected synchronized void deactivate(ComponentContext componentContext) {
        // Take the service holders offline in the same order they were activated.
        final AtomicServiceReference<?>[] holders = {
                this.configAdminRef, this.sslSupportRef, this.keyStoreServiceRef, locationAdminRef
        };
        for (AtomicServiceReference<?> holder : holders) {
            holder.deactivate(componentContext);
        }
    }

    /**
     * Populates this instance from the component-properties map.
     *
     * Called from activate() and modify(). Resets the client cookie name first and returns early when the map is
     * null or empty. Secret-bearing attributes (clientSecret, sharedKey, jwkClientSecret) are read through
     * processProtectedString() and are deliberately not part of the debug dump at the end of the method. Most
     * boolean/long/int attributes are unboxed directly, so a missing key would throw a NullPointerException;
     * this presumably relies on the component metatype supplying defaults -- TODO confirm.
     *
     * @param map component properties from Declarative Services; may be null or empty
     */
    private void processConfigProps(Map<String, Object> map) {
        this.oidcClientCookieName = null;
        if (map == null || map.isEmpty()) {
            return;
        }
        this.id = (String) map.get("id");
        this.grantType = (String) map.get(CFG_KEY_GRANT_TYPE);
        this.responseType = trimIt((String) map.get(CFG_KEY_RESPONSE_TYPE));
        // responseType, when present, dictates grantType; otherwise grantType selects a default responseType.
        if (this.responseType != null) {
            if ("code".equals(this.responseType)) {
                this.grantType = "authorization_code";
            } else if (this.responseType.contains("token")) {
                this.grantType = "implicit";
            }
        } else if ("code".equals(this.grantType)) {
            this.responseType = "code";
        } else if ("implicit".equals(this.grantType)) {
            this.responseType = "id_token token";
        }
        this.useSystemPropertiesForHttpClientConnections = this.configUtils.getBooleanConfigAttribute(map, CFG_KEY_USE_SYSPROPS_FOR_HTTPCLIENT_CONNECTONS, this.useSystemPropertiesForHttpClientConnections);
        this.scope = (String) map.get(CFG_KEY_SCOPE);
        this.clientId = trimIt((String) map.get(CFG_KEY_CLIENT_ID));
        // Protected-string handling; the value is never echoed in the debug dump below.
        this.clientSecret = processProtectedString(map, CFG_KEY_CLIENT_SECRET);
        this.redirectToRPHostAndPort = trimIt((String) map.get(CFG_KEY_REDIRECT_TO_RP_HOST_AND_PORT));
        this.redirectJunctionPath = trimIt((String) map.get(CFG_KEY_JUNCTION_PATH));
        // Normalize the junction path to exactly one leading "/" and no trailing "/".
        if (this.redirectJunctionPath != null) {
            if (!this.redirectJunctionPath.startsWith("/")) {
                this.redirectJunctionPath = "/" + this.redirectJunctionPath;
            }
            if (this.redirectJunctionPath.endsWith("/")) {
                this.redirectJunctionPath = this.redirectJunctionPath.substring(0, this.redirectJunctionPath.length() - 1);
            }
        }
        this.userIdentifier = trimIt((String) map.get(CFG_KEY_USER_IDENTIFIER));
        this.groupIdentifier = trimIt((String) map.get(CFG_KEY_GROUP_IDENTIFIER));
        this.realmIdentifier = trimIt((String) map.get(CFG_KEY_REALM_IDENTIFIER));
        this.realmName = trimIt((String) map.get(CFG_KEY_REALM_NAME));
        this.uniqueUserIdentifier = trimIt((String) map.get(CFG_KEY_UNIQUE_USER_IDENTIFIER));
        this.tokenEndpointAuthMethod = trimIt((String) map.get(CFG_KEY_TOKEN_ENDPOINT_AUTH_METHOD));
        this.userIdentityToCreateSubject = trimIt((String) map.get(CFG_KEY_USER_IDENTITY_TO_CREATE_SUBJECT));
        checkForValidValue(this.userIdentityToCreateSubject);
        this.mapIdentityToRegistryUser = ((Boolean) map.get(CFG_KEY_MAP_IDENTITY_TO_REGISTRY_USER)).booleanValue();
        this.oidcclientRequestParameterSupported = ((Boolean) map.get(CFG_KEY_OidcclientRequestParameterSupported)).booleanValue();
        this.validateAccessTokenLocally = ((Boolean) map.get(CFG_KEY_VALIDATE_ACCESS_TOKEN_LOCALLY)).booleanValue();
        this.disableLtpaCookie = ((Boolean) map.get(CFG_KEY_disableLtpaCookie)).booleanValue();
        // Protected-string handling; the value is never echoed in the debug dump below.
        this.sharedKey = processProtectedString(map, CFG_KEY_SHARED_KEY);
        this.trustAliasName = trimIt((String) map.get(CFG_KEY_TRUST_ALIAS_NAME));
        this.httpsRequired = ((Boolean) map.get(CFG_KEY_HTTPS_REQUIRED)).booleanValue();
        this.clientSideRedirect = ((Boolean) map.get(CFG_KEY_CLIENTSIDE_REDIRECT)).booleanValue();
        this.nonceEnabled = ((Boolean) map.get(CFG_KEY_NONCE_ENABLED)).booleanValue();
        this.sslRef = trimIt((String) map.get(CFG_KEY_SSL_REF));
        this.sslConfigurationName = this.sslRef;
        this.signatureAlgorithm = trimIt((String) map.get(CFG_KEY_SIGNATURE_ALGORITHM));
        // A signature algorithm of "none" is only warned about here; it is not rejected at this point.
        if ("none".equals(this.signatureAlgorithm)) {
            Tr.warning(tc, "OIDC_CLIENT_NONE_ALG", new Object[]{this.id, this.signatureAlgorithm});
        }
        // Configured values (presumably milliseconds) are stored in seconds.
        this.clockSkewInSeconds = ((Long) map.get(CFG_KEY_CLOCK_SKEW)).longValue() / 1000;
        this.authenticationTimeLimitInSeconds = ((Long) map.get(CFG_KEY_AUTHENTICATION_TIME_LIMIT)).longValue() / 1000;
        this.validationMethod = trimIt((String) map.get(CFG_KEY_VALIDATION_METHOD));
        this.userInfoEndpointEnabled = ((Boolean) map.get(CFG_KEY_USERINFO_ENDPOINT_ENABLED)).booleanValue();
        this.discoveryEndpointUrl = trimIt((String) map.get(CFG_KEY_DISCOVERY_ENDPOINT_URL));
        this.discoveryPollingRate = ((Long) map.get(CFG_KEY_DISCOVERY_POLLING_RATE)).longValue();
        this.discovery = false;
        this.discoveryjson = null;
        // With a discovery endpoint configured, the individual endpoint URLs and issuer are not taken from the map
        // here; on discovery failure reConfigEndpointsAfterDiscoveryFailure() decides what to fall back to.
        if (this.discoveryEndpointUrl != null) {
            this.discovery = handleDiscoveryEndpoint(this.discoveryEndpointUrl);
            if (this.discovery) {
                logDiscoveryWarning(map);
            } else {
                reConfigEndpointsAfterDiscoveryFailure();
            }
        } else {
            this.authorizationEndpointUrl = trimIt((String) map.get(CFG_KEY_AUTHORIZATION_ENDPOINT_URL));
            this.tokenEndpointUrl = trimIt((String) map.get(CFG_KEY_TOKEN_ENDPOINT_URL));
            this.userInfoEndpointUrl = trimIt((String) map.get(CFG_KEY_USERINFO_ENDPOINT_URL));
            this.jwkEndpointUrl = trimIt((String) map.get(CFG_KEY_JWK_ENDPOINT_URL));
            this.validationEndpointUrl = trimIt((String) map.get(CFG_KEY_VALIDATION_ENDPOINT_URL));
            this.issuerIdentifier = trimIt((String) map.get(CFG_KEY_ISSUER_IDENTIFIER));
        }
        this.initialStateCacheCapacity = ((Integer) map.get(CFG_KEY_INITIAL_STATE_CACHE_CAPACITY)).intValue();
        this.trustStoreRef = trimIt((String) map.get(CFG_KEY_TRUSTSTORE_REF));
        this.hostNameVerificationEnabled = ((Boolean) map.get(CFG_KEY_HOST_NAME_VERIFICATION_ENABLED)).booleanValue();
        this.includeIdTokenInSubject = ((Boolean) map.get(CFG_KEY_INCLUDE_ID_TOKEN_IN_SUBJECT)).booleanValue();
        this.includeCustomCacheKeyInSubject = ((Boolean) map.get(CFG_KEY_INCLUDE_CUSTOM_CACHE_KEY_IN_SUBJECT)).booleanValue();
        this.authenticationContextClassReferenceValue = trimIt((String) map.get(CFG_KEY_AUTH_CONTEXT_CLASS_REFERENCE));
        if (this.authenticationContextClassReferenceValue == null) {
            this.authenticationContextClassReferenceValue = BLANK;
        }
        this.authFilterRef = trimIt((String) map.get(CFG_KEY_AUTH_FILTER_REF));
        this.authFilterId = getAuthFilterId(this.authFilterRef);
        this.jsonWebKey = trimIt((String) map.get(CFG_KEY_JSON_WEB_KEY));
        this.jwkClientId = trimIt((String) map.get(CFG_KEY_JWK_CLIENT_ID));
        // Protected-string handling; the value is never echoed in the debug dump below.
        this.jwkClientSecret = processProtectedString(map, CFG_KEY_JWK_CLIENT_SECRET);
        // A fresh, empty key set on every (re)configuration.
        this.jwkset = new JWKSet();
        this.prompt = trimIt((String) map.get(CFG_KEY_PROMPT));
        this.createSession = ((Boolean) map.get(CFG_KEY_CREATE_SESSION)).booleanValue();
        this.inboundPropagation = trimIt((String) map.get(CFG_KEY_INBOUND_PROPAGATION));
        this.audiences = trimIt((String[]) map.get(CFG_KEY_AUDIENCES));
        // allAudiences is set when any configured audience entry equals "ALL_AUDIENCES".
        this.allAudiences = false;
        if (this.audiences != null) {
            int i = 0;
            while (true) {
                if (i >= this.audiences.length) {
                    break;
                }
                if ("ALL_AUDIENCES".equals(this.audiences[i])) {
                    this.allAudiences = true;
                    break;
                }
                i++;
            }
        }
        // Optional nested "jwt" element: its value is treated as a configuration pid and resolved through
        // ConfigurationAdmin; "builder" and "claims" are read from the resolved configuration.
        String trimIt = trimIt((String) map.get(CFG_KEY_jwt));
        if (trimIt != null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "jwt element exists", new Object[0]);
            }
            Configuration configuration = null;
            try {
                configuration = ((ConfigurationAdmin) this.configAdminRef.getService()).getConfiguration(trimIt, BLANK);
            } catch (IOException e) {
                // Best effort: the failure is recorded via FFDC and the jwt settings simply stay unset.
                FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.client.internal.OidcClientConfigImpl", "479", this, new Object[]{map});
            }
            if (configuration != null && configuration.getProperties() != null) {
                this.jwtRef = trimIt((String) configuration.getProperties().get(CFG_KEY_jwtRef));
                this.jwtClaims = trimIt((String[]) configuration.getProperties().get(CFG_KEY_jwtClaims));
            }
        }
        this.authzRequestParamMap = populateCustomRequestParameterMap(map, CFG_KEY_AUTHZ_PARAM);
        this.tokenRequestParamMap = populateCustomRequestParameterMap(map, CFG_KEY_TOKEN_PARAM);
        this.userinfoRequestParamMap = populateCustomRequestParameterMap(map, CFG_KEY_USERINFO_PARAM);
        this.jwkRequestParamMap = populateCustomRequestParameterMap(map, CFG_KEY_JWK_PARAM);
        this.resources = trimIt((String[]) map.get(CFG_KEY_RESOURCES));
        this.headerName = trimIt((String) map.get(CFG_KEY_HEADER_NAME));
        this.authnSessionDisabled = ((Boolean) map.get(CFG_KEY_propagation_authnSessionDisabled)).booleanValue();
        this.reAuthnOnAccessTokenExpire = ((Boolean) map.get(CFG_KEY_reAuthnOnAccessTokenExpire)).booleanValue();
        this.reAuthnCushionMilliseconds = ((Long) map.get(CFG_KEY_reAuthnCushionMilliseconds)).longValue();
        this.disableIssChecking = ((Boolean) map.get(CFG_KEY_DISABLE_ISS_CHECKING)).booleanValue();
        this.goodConfig = true;
        this.accessTokenInLtpaCookie = ((Boolean) map.get(CFG_KEY_accessTokenInLtpaCookie)).booleanValue();
        this.useAccessTokenAsIdToken = this.configUtils.getBooleanConfigAttribute(map, CFG_KEY_USE_ACCESS_TOKEN_AS_ID_TOKEN, this.useAccessTokenAsIdToken);
        this.tokenReuse = this.configUtils.getBooleanConfigAttribute(map, CFG_KEY_TOKEN_REUSE, this.tokenReuse);
        this.forwardLoginParameter = this.oidcConfigUtils.readAndSanitizeForwardLoginParameter(map, this.id, CFG_KEY_FORWARD_LOGIN_PARAMETER);
        if (this.discovery) {
            logDiscoveryMessage("OIDC_CLIENT_DISCOVERY_COMPLETE");
        }
        // Debug dump of the effective configuration. clientSecret, sharedKey and jwkClientSecret are intentionally
        // not included; keep it that way when adding attributes.
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "id: " + this.id, new Object[0]);
            Tr.debug(tc, "grantType: " + this.grantType, new Object[0]);
            Tr.debug(tc, "responseType:" + this.responseType, new Object[0]);
            Tr.debug(tc, "scope: " + this.scope, new Object[0]);
            Tr.debug(tc, "clientId: " + this.clientId, new Object[0]);
            Tr.debug(tc, "redirectToRPHostAndPort: " + this.redirectToRPHostAndPort, new Object[0]);
            Tr.debug(tc, "userIdentifier: " + this.userIdentifier, new Object[0]);
            Tr.debug(tc, "groupIdentifier: " + this.groupIdentifier, new Object[0]);
            Tr.debug(tc, "realmIdentifier: " + this.realmIdentifier, new Object[0]);
            Tr.debug(tc, "realmName: " + this.realmName, new Object[0]);
            Tr.debug(tc, "uniqueUserIdentifier: " + this.uniqueUserIdentifier, new Object[0]);
            Tr.debug(tc, "tokenEndpointAuthMethod: " + this.tokenEndpointAuthMethod, new Object[0]);
            Tr.debug(tc, "userIdentityToCreateSubject: " + this.userIdentityToCreateSubject, new Object[0]);
            Tr.debug(tc, "mapIdentityToRegistryUser: " + this.mapIdentityToRegistryUser, new Object[0]);
            Tr.debug(tc, "oidcclientRequestParameterSupported: " + this.oidcclientRequestParameterSupported, new Object[0]);
            Tr.debug(tc, "validateAccessTokenLocally: " + this.validateAccessTokenLocally, new Object[0]);
            Tr.debug(tc, "disableLtpaCookie:" + this.disableLtpaCookie, new Object[0]);
            Tr.debug(tc, "trustAliasName: " + this.trustAliasName, new Object[0]);
            Tr.debug(tc, "httpsRequired: " + this.httpsRequired, new Object[0]);
            Tr.debug(tc, "isClientSideRedirectSupported: " + this.clientSideRedirect, new Object[0]);
            Tr.debug(tc, "nonceEnabled: " + this.nonceEnabled, new Object[0]);
            Tr.debug(tc, "sslRef: " + this.sslRef, new Object[0]);
            Tr.debug(tc, "signatureAlgorithm: " + this.signatureAlgorithm, new Object[0]);
            Tr.debug(tc, "clockSkew: " + this.clockSkewInSeconds, new Object[0]);
            Tr.debug(tc, "discoveryEndpointUrl: " + this.discoveryEndpointUrl, new Object[0]);
            Tr.debug(tc, "discoveryPollingRate: " + this.discoveryPollingRate, new Object[0]);
            Tr.debug(tc, "authorizationEndpointUrl: " + this.authorizationEndpointUrl, new Object[0]);
            Tr.debug(tc, "tokenEndpointUrl: " + this.tokenEndpointUrl, new Object[0]);
            Tr.debug(tc, "userinfoEndpointUrl: " + this.userInfoEndpointUrl, new Object[0]);
            Tr.debug(tc, "userInfoEndpointEnabled: " + this.userInfoEndpointEnabled, new Object[0]);
            Tr.debug(tc, "validationEndpointUrl: " + this.validationEndpointUrl, new Object[0]);
            Tr.debug(tc, "initialStateCacheCapacity: " + this.initialStateCacheCapacity, new Object[0]);
            Tr.debug(tc, "issuerIdentifier: " + this.issuerIdentifier, new Object[0]);
            Tr.debug(tc, "trustStoreRef: " + this.trustStoreRef, new Object[0]);
            Tr.debug(tc, "hostNameVerificationEnabled: " + this.hostNameVerificationEnabled, new Object[0]);
            Tr.debug(tc, "includeIdTokenInSubject: " + this.includeIdTokenInSubject, new Object[0]);
            Tr.debug(tc, "includeCustomCacheKeyInSubject: " + this.includeCustomCacheKeyInSubject, new Object[0]);
            Tr.debug(tc, "authContextClassReference: " + this.authenticationContextClassReferenceValue, new Object[0]);
            Tr.debug(tc, "authFilterRef: " + this.authFilterRef, new Object[0]);
            Tr.debug(tc, "authFilterId: " + this.authFilterId, new Object[0]);
            Tr.debug(tc, "jsonWebKey: " + this.jsonWebKey, new Object[0]);
            Tr.debug(tc, "jwkEndpointUrl: " + this.jwkEndpointUrl, new Object[0]);
            Tr.debug(tc, "jwkClientIdentifier: " + this.jwkClientId, new Object[0]);
            Tr.debug(tc, "prompt: " + this.prompt, new Object[0]);
            Tr.debug(tc, "createSession: " + this.createSession, new Object[0]);
            Tr.debug(tc, "inboundPropagation: " + this.inboundPropagation, new Object[0]);
            Tr.debug(tc, "validationMethod: " + this.validationMethod, new Object[0]);
            Tr.debug(tc, "headerName: " + this.headerName, new Object[0]);
            Tr.debug(tc, "authnSessionDisabled:" + this.authnSessionDisabled, new Object[0]);
            Tr.debug(tc, "disableIssChecking:" + this.disableIssChecking, new Object[0]);
            Tr.debug(tc, "jwt builder:" + this.jwtRef, new Object[0]);
            Tr.debug(tc, "redirectJunctionPath:" + this.redirectJunctionPath, new Object[0]);
            Tr.debug(tc, "accessTokenInLtpaCookie:" + this.accessTokenInLtpaCookie, new Object[0]);
            Tr.debug(tc, "useAccessTokenAsIdToken:" + this.useAccessTokenAsIdToken, new Object[0]);
            Tr.debug(tc, "tokenReuse:" + this.tokenReuse, new Object[0]);
            Tr.debug(tc, "forwardLoginParameter:" + this.forwardLoginParameter, new Object[0]);
        }
    }

    /**
     * Builds the map of custom request parameters named by the configuration
     * attribute {@code str}.
     *
     * @param map the raw configuration properties
     * @param str the attribute whose String[] value lists the parameter references
     * @return a mutable map, empty when the attribute is absent or empty
     */
    private HashMap<String, String> populateCustomRequestParameterMap(Map<String, Object> map, String str) {
        HashMap<String, String> params = new HashMap<>();
        String[] references = configUtils.getStringArrayConfigAttribute(map, str);
        boolean hasReferences = references != null && references.length > 0;
        if (hasReferences) {
            populateCustomRequestParameterMap(params, references);
        }
        return params;
    }

    /**
     * Resolves each configuration reference in {@code strArr} through
     * ConfigurationAdmin and adds the resulting name/value pairs to
     * {@code hashMap}. Does nothing when ConfigurationAdmin is unavailable.
     *
     * @param hashMap the map to fill (mutated in place)
     * @param strArr  configuration PIDs of the parameter elements
     */
    private void populateCustomRequestParameterMap(HashMap<String, String> hashMap, String[] strArr) {
        ConfigurationAdmin admin = (ConfigurationAdmin) configAdminRef.getService();
        if (admin != null) {
            oidcConfigUtils.populateCustomRequestParameterMap(admin, hashMap, strArr, CFG_KEY_PARAM_NAME, CFG_KEY_PARAM_VALUE);
        }
    }

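    /**
     * Logs a configuration error for each required endpoint that is missing.
     * The token endpoint is always required; the authorization endpoint is
     * required unless the grant type is "implicit".
     */
    private void validateAuthzTokenEndpoints() {
        if (tokenEndpointUrl == null) {
            logConfigError("CONFIG_REQUIRED_ATTRIBUTE_NULL", CFG_KEY_TOKEN_ENDPOINT_URL);
        }
        // Compare by value. The previous code used == on the String returned by
        // getGrantType(), which only holds for interned literals and silently
        // fails for a value read from configuration, so a missing authorization
        // endpoint was reported even for the implicit flow.
        boolean implicitFlow = "implicit".equals(getGrantType());
        if (authorizationEndpointUrl == null && !implicitFlow) {
            logConfigError("CONFIG_REQUIRED_ATTRIBUTE_NULL", CFG_KEY_AUTHORIZATION_ENDPOINT_URL);
        }
    }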

    /**
     * Emits an error message for a configuration problem.
     *
     * @param str  the message key
     * @param str2 the single message argument (typically the attribute name)
     */
    private void logConfigError(String str, String str2) {
        Object[] args = {str2};
        Tr.error(tc, str, args);
    }

    /**
     * Clears every value that discovery populates (endpoint URLs, issuer and
     * the cached discovery-document hash) so that a later successful discovery
     * starts from a clean slate.
     */
    private void reConfigEndpointsAfterDiscoveryFailure() {
        authorizationEndpointUrl = null;
        tokenEndpointUrl = null;
        userInfoEndpointUrl = null;
        jwkEndpointUrl = null;
        validationEndpointUrl = null;
        issuerIdentifier = null;
        // Resetting the hash forces the next discovery document to be treated as new.
        discoveryDocumentHash = null;
    }

    /**
     * Emits an informational discovery message with the client id and the
     * discovery endpoint URL as message arguments.
     *
     * @param str the message key
     */
    private void logDiscoveryMessage(String str) {
        Object[] args = {getId(), getDiscoveryEndpointUrl()};
        Tr.info(tc, str, args);
    }

    /** @return whether HTTP client connections should honour the JVM's system properties */
    public boolean getUseSystemPropertiesForHttpClientConnections() {
        return useSystemPropertiesForHttpClientConnections;
    }

    /** @return true when a discovery endpoint URL is configured and passes {@link #isValidDiscoveryUrl} */
    public boolean isDiscoveryInUse() {
        String url = discoveryEndpointUrl;
        return isValidDiscoveryUrl(url);
    }

    /**
     * Warns when discovery is in use but the configuration also sets endpoint
     * URLs or an issuer explicitly, since the discovered values take precedence.
     *
     * @param map the raw configuration properties
     */
    private void logDiscoveryWarning(Map<String, Object> map) {
        // Checked in this order so the warning lists the overridden endpoints consistently.
        String[] endpointKeys = {
                CFG_KEY_AUTHORIZATION_ENDPOINT_URL,
                CFG_KEY_TOKEN_ENDPOINT_URL,
                CFG_KEY_USERINFO_ENDPOINT_URL,
                CFG_KEY_JWK_ENDPOINT_URL,
                CFG_KEY_VALIDATION_ENDPOINT_URL
        };
        String overridden = BLANK;
        for (String key : endpointKeys) {
            if (trimIt((String) map.get(key)) != null) {
                overridden = buildDiscoveryWarning(overridden, key);
            }
        }
        if (!overridden.isEmpty()) {
            logWarning("OIDC_CLIENT_DISCOVERY_OVERRIDE_EP", overridden);
        }
        if (trimIt((String) map.get(CFG_KEY_ISSUER_IDENTIFIER)) != null) {
            logWarning("OIDC_CLIENT_DISCOVERY_OVERRIDE_ISSUER", CFG_KEY_ISSUER_IDENTIFIER);
        }
    }

    /**
     * Emits a discovery-override warning.
     *
     * @param str  the message key
     * @param str2 the overridden attribute name(s)
     */
    private void logWarning(String str, String str2) {
        Object[] args = {CFG_KEY_DISCOVERY_ENDPOINT_URL, str2, getId()};
        Tr.warning(tc, str, args);
    }

    /**
     * Appends an attribute name plus a trailing ", " to an accumulating list.
     *
     * @param str  the list built so far
     * @param str2 the attribute name to append
     * @return {@code str + str2 + ", "}
     */
    private String buildDiscoveryWarning(String str, String str2) {
        return str + str2 + ", ";
    }

    /**
     * Replaces the RP's default scope with what the OP advertises when the RP
     * is still using its default and the OP does not support that default.
     * The replacement is logged as an informational override.
     */
    void adjustScopes() {
        ArrayList<String> opScopes = discoverOPConfig(discoveryjson.get(OPDISCOVERY_SCOPES));
        boolean rpOnDefault = isRPUsingDefault(CFG_KEY_SCOPE);
        boolean opSupportsDefault = opHasRPDefault(CFG_KEY_SCOPE, opScopes);
        if (!rpOnDefault || opSupportsDefault) {
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "See if we need to adjusted the scopes. The original is : " + scope, new Object[0]);
        }
        String replacement = rpSupportsOPConfig(CFG_KEY_SCOPE, opScopes);
        if (replacement == null) {
            return;
        }
        Tr.info(tc, "OIDC_CLIENT_DISCOVERY_OVERRIDE_DEFAULT", new Object[]{scope, CFG_KEY_SCOPE, replacement, getId()});
        scope = replacement;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The adjusted value is : " + scope, new Object[0]);
        }
    }

    /**
     * Replaces the RP's default token-endpoint authentication method with one
     * the OP advertises when the RP is still on its default and the OP does
     * not support that default. The replacement is logged as an override.
     */
    void adjustTokenEndpointAuthMethod() {
        ArrayList<String> opMethods = discoverOPConfig(discoveryjson.get(OPDISCOVERY_TOKEN_EP_AUTH));
        boolean rpOnDefault = isRPUsingDefault("authMethod");
        boolean opSupportsDefault = opHasRPDefault("authMethod", opMethods);
        if (!rpOnDefault || opSupportsDefault) {
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "See if we need to adjusted the token endpoint authmethod. The original is : " + tokenEndpointAuthMethod, new Object[0]);
        }
        String replacement = rpSupportsOPConfig("authMethod", opMethods);
        if (replacement == null) {
            return;
        }
        Tr.info(tc, "OIDC_CLIENT_DISCOVERY_OVERRIDE_DEFAULT", new Object[]{tokenEndpointAuthMethod, CFG_KEY_TOKEN_ENDPOINT_AUTH_METHOD, replacement, getId()});
        tokenEndpointAuthMethod = replacement;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The adjusted value is : " + tokenEndpointAuthMethod, new Object[0]);
        }
    }

    /**
     * Replaces the RP's default ID-token signature algorithm with one the OP
     * advertises when the RP is still on its default and the OP does not
     * support that default. The replacement is logged as an override.
     * Note that the OP's advertised list drives which algorithm is chosen;
     * {@link #rpSupportsOPConfig} limits the candidates to those the RP handles.
     */
    void adjustSignatureAlgorithm() {
        ArrayList<String> opAlgorithms = discoverOPConfig(discoveryjson.get(OPDISCOVERY_IDTOKEN_SIGN_ALG));
        boolean rpOnDefault = isRPUsingDefault("alg");
        boolean opSupportsDefault = opHasRPDefault("alg", opAlgorithms);
        if (!rpOnDefault || opSupportsDefault) {
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "See if we need to Adjust the signature algorithm. The original value is : " + signatureAlgorithm, new Object[0]);
        }
        String replacement = rpSupportsOPConfig("alg", opAlgorithms);
        if (replacement == null) {
            return;
        }
        Tr.info(tc, "OIDC_CLIENT_DISCOVERY_OVERRIDE_DEFAULT", new Object[]{signatureAlgorithm, CFG_KEY_SIGNATURE_ALGORITHM, replacement, getId()});
        signatureAlgorithm = replacement;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The adjusted value is : " + signatureAlgorithm, new Object[0]);
        }
    }

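    /**
     * Picks, from the values the OP advertises in its discovery document, the
     * first one this RP can use for the given setting.
     *
     * @param str       the setting being adjusted: "alg", "authMethod" or the scope key
     * @param arrayList the OP-advertised values; may be null
     * @return for "alg" the first of HS256/RS256 the OP lists; for "authMethod"
     *         the RP spelling ("post"/"basic") of the first OP method the RP
     *         supports; for scope every "openid" or "profile" the OP lists,
     *         space-joined in OP order; null when nothing matches
     */
    private String rpSupportsOPConfig(String str, ArrayList<String> arrayList) {
        if (arrayList == null) {
            return null;
        }
        // Every comparison below is an exact token match. The earlier substring
        // tests ("HS256 RS256".contains(next), "post basic".contains(...),
        // "openid profile".contains(...)) also accepted fragments such as "S256",
        // "s" or the empty string, so an unsupported OP value could be adopted
        // as if the RP supported it. A null element is simply skipped now
        // instead of throwing.
        if ("alg".equals(str)) {
            for (String opAlg : arrayList) {
                if ("HS256".equals(opAlg) || "RS256".equals(opAlg)) {
                    return opAlg;
                }
            }
            return null;
        }
        if ("authMethod".equals(str)) {
            for (String opMethod : arrayList) {
                String rpMethod = matchingRPValue(opMethod);
                if ("post".equals(rpMethod) || "basic".equals(rpMethod)) {
                    return rpMethod;
                }
            }
            return null;
        }
        if (!CFG_KEY_SCOPE.equals(str)) {
            return null;
        }
        String supportedScopes = null;
        for (String opScope : arrayList) {
            if ("openid".equals(opScope) || "profile".equals(opScope)) {
                supportedScopes = supportedScopes == null ? opScope : supportedScopes + " " + opScope;
            }
        }
        return supportedScopes;
    }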

    /**
     * Maps an OP token-endpoint auth method name to the RP's short spelling.
     *
     * @param str the OP value
     * @return "post" for client_secret_post, "basic" for client_secret_basic, otherwise {@code str} unchanged
     */
    private String matchingRPValue(String str) {
        if ("client_secret_post".equals(str)) {
            return "post";
        }
        if ("client_secret_basic".equals(str)) {
            return "basic";
        }
        return str;
    }

    /**
     * Tells whether the OP's advertised values include the RP's built-in
     * default for a setting.
     *
     * @param str       "authMethod", "alg" or the scope key
     * @param arrayList the OP-advertised values
     * @return true when the OP lists client_secret_post / HS256 / both "openid" and "profile" respectively
     */
    private boolean opHasRPDefault(String str, ArrayList<String> arrayList) {
        if ("authMethod".equals(str)) {
            return matches("client_secret_post", arrayList);
        }
        if ("alg".equals(str)) {
            return matches("HS256", arrayList);
        }
        if (CFG_KEY_SCOPE.equals(str)) {
            return matches("openid", arrayList) && matches("profile", arrayList);
        }
        return false;
    }

    /**
     * Exact-match membership test.
     *
     * @param str       the value to look for (must be non-null)
     * @param arrayList the values to search
     * @return true when some element equals {@code str}
     */
    private boolean matches(String str, ArrayList<String> arrayList) {
        for (String candidate : arrayList) {
            if (str.equals(candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Exact string equality with the configured value on the left.
     *
     * @param str  the expected value
     * @param str2 the configured value (must be non-null)
     * @return {@code str2.equals(str)}
     */
    private boolean matches(String str, String str2) {
        boolean same = str2.equals(str);
        return same;
    }

    /**
     * Tells whether the RP's current value for a setting is still the
     * built-in default: "post" for the auth method, "HS256" for the
     * signature algorithm, and exactly the two scopes "openid"/"profile".
     *
     * @param str "authMethod", "alg" or the scope key
     * @return true when the current value equals the default; false for unknown keys
     */
    private boolean isRPUsingDefault(String str) {
        return "authMethod".equals(str) ? matches("post", tokenEndpointAuthMethod)
                : "alg".equals(str) ? matches("HS256", signatureAlgorithm)
                : CFG_KEY_SCOPE.equals(str) && matchesMultipleValues("openid profile", scope);
    }

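    /**
     * Tells whether the space-separated value {@code str2} consists of exactly
     * two tokens, each of which is one of the tokens of {@code str}.
     *
     * @param str  the expected space-separated token list, e.g. "openid profile"
     * @param str2 the configured space-separated value; null yields false
     * @return true when {@code str2} has exactly two tokens and both appear in {@code str}
     */
    private boolean matchesMultipleValues(String str, String str2) {
        if (str2 == null) {
            // Previously dereferenced unconditionally and threw NullPointerException.
            return false;
        }
        String[] configured = str2.split(" ");
        if (configured.length != 2) {
            return false;
        }
        // Exact token comparison. The earlier str.contains(token) substring test
        // accepted fragments such as "open" or "id" as if they were "openid".
        String[] expected = str.split(" ");
        for (String token : configured) {
            boolean found = false;
            for (String candidate : expected) {
                if (candidate.equals(token)) {
                    found = true;
                    break;
                }
            }
            if (!found) {
                return false;
            }
        }
        return true;
    }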

    /**
     * Fetches the OP discovery document from {@code str} over HTTPS and applies
     * it to this configuration.
     * <p>
     * Only "https"-prefixed URLs are accepted (see {@link #isValidDiscoveryUrl});
     * anything else is rejected before any network access. The next polling
     * time is advanced before the request so a failing OP is not hammered.
     *
     * @param str the discovery endpoint URL
     * @return true when the document was fetched, parsed and its endpoints/issuer were valid
     */
    @FFDCIgnore({SSLException.class})
    public boolean handleDiscoveryEndpoint(String str) {
        boolean z = false;
        if (!isValidDiscoveryUrl(str)) {
            Tr.error(tc, "OIDC_CLIENT_DISCOVERY_SSL_ERROR", new Object[]{getId(), str});
            return false;
        }
        try {
            setNextDiscoveryTime();
            // The socket factory comes from the configured sslRef; getSSLSocketFactory
            // throws rather than fall back to a default when none is available.
            String hTTPRequestAsString = getHTTPRequestAsString(createHTTPClient(getSSLSocketFactory(str, this.sslConfigurationName, (SSLSupport) this.sslSupportRef.getService()), str, this.hostNameVerificationEnabled), str);
            if (hTTPRequestAsString != null) {
                parseJsonResponse(hTTPRequestAsString);
                // parseJsonResponse leaves discoveryjson untouched on a parse failure.
                if (this.discoveryjson != null) {
                    z = discoverEndpointUrls(this.discoveryjson);
                }
            }
        } catch (SSLException e) {
            // Only e.getCause() is traced; for an SSLException built from a message
            // alone (see getSSLSocketFactory) that is null and the detail is lost.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Fail to get successful discovery response : ", new Object[]{e.getCause()});
            }
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.openidconnect.client.internal.OidcClientConfigImpl", "891", this, new Object[]{str});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Fail to get successful discovery response : ", new Object[]{e2.getCause()});
            }
        }
        // The same SSL_ERROR key is used for every failure mode, including
        // non-TLS ones (HTTP status, JSON parse, missing endpoints).
        if (!z) {
            Tr.error(tc, "OIDC_CLIENT_DISCOVERY_SSL_ERROR", new Object[]{getId(), str});
        }
        return z;
    }

    /**
     * Accepts a discovery URL only when it is non-null and begins with
     * "https" (case-sensitive prefix test; the "://" part is not checked here).
     *
     * @param str the candidate URL
     * @return true when the URL may be used for discovery
     */
    private boolean isValidDiscoveryUrl(String str) {
        if (str == null) {
            return false;
        }
        return str.startsWith("https");
    }

    /**
     * Applies a parsed discovery document to this configuration.
     * When the document's hash equals the one already applied nothing is
     * changed and true is returned. Otherwise the endpoint URLs and issuer are
     * taken from the document, the validation endpoint is chosen according to
     * the validation method, and the RP defaults for signature algorithm,
     * token-endpoint auth method and scope are reconciled with the OP.
     *
     * @param jSONObject the discovery document
     * @return false when the document yields no authorization/token endpoint or no issuer
     */
    boolean discoverEndpointUrls(JSONObject jSONObject) {
        boolean changed = calculateDiscoveryDocumentHash(jSONObject);
        if (!changed) {
            return true;
        }
        authorizationEndpointUrl = discoverOPConfigSingleValue(jSONObject.get(OPDISCOVERY_AUTHZ_EP_URL));
        tokenEndpointUrl = discoverOPConfigSingleValue(jSONObject.get(OPDISCOVERY_TOKEN_EP_URL));
        jwkEndpointUrl = discoverOPConfigSingleValue(jSONObject.get(OPDISCOVERY_JWKS_EP_URL));
        userInfoEndpointUrl = discoverOPConfigSingleValue(jSONObject.get(OPDISCOVERY_USERINFO_EP_URL));
        issuerIdentifier = discoverOPConfigSingleValue(jSONObject.get(OPDISCOVERY_ISSUER));
        handleValidationEndpoint(jSONObject);
        boolean usable = !invalidEndpoints() && !invalidIssuer();
        if (!usable) {
            return false;
        }
        adjustSignatureAlgorithm();
        adjustTokenEndpointAuthMethod();
        adjustScopes();
        return true;
    }

    /** Schedules the next discovery poll {@code discoveryPollingRate} ms from now. */
    public void setNextDiscoveryTime() {
        long now = System.currentTimeMillis();
        nextDiscoveryTime = now + discoveryPollingRate;
    }

    /** @return the epoch-millisecond time at which discovery should next be polled */
    public long getNextDiscoveryTime() {
        return nextDiscoveryTime;
    }

    /**
     * Digests the discovery document and records the digest, reporting whether
     * it differs from the one previously applied.
     *
     * @param jSONObject the discovery document
     * @return true on first use or when the document changed; false when unchanged
     */
    private boolean calculateDiscoveryDocumentHash(JSONObject jSONObject) {
        String digest = HashUtils.digest(jSONObject.toString());
        boolean unchanged = discoveryDocumentHash != null && discoveryDocumentHash.equals(digest);
        if (unchanged) {
            logDiscoveryMessage("OIDC_CLIENT_DISCOVERY_NOT_UPDATED_CONFIG");
            return false;
        }
        // A previous hash means this is an update rather than the first discovery.
        if (discoveryDocumentHash != null) {
            logDiscoveryMessage("OIDC_CLIENT_DISCOVERY_UPDATED_CONFIG");
        }
        discoveryDocumentHash = digest;
        return true;
    }

    /** @return the digest of the last applied discovery document, or null before discovery */
    public String getDiscoveryDocumentHash() {
        return discoveryDocumentHash;
    }

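    /**
     * Extracts a single string from a discovery-document value.
     *
     * @param obj the raw JSON value: a String, a JSONArray, or null
     * @return the string itself, the first string element of the array, or null
     *         when the value is absent, of another JSON type, or an empty array
     */
    private String discoverOPConfigSingleValue(Object obj) {
        if (obj == null) {
            return null;
        }
        ArrayList<String> values = jsonValue(obj);
        // jsonValue returns null for non-String/non-array JSON types and an
        // empty list for [] ; the earlier unconditional get(0) threw on both,
        // which a malformed OP document could trigger.
        if (values == null || values.isEmpty()) {
            return null;
        }
        return values.get(0);
    }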

    /**
     * Converts a discovery-document value into a list of strings.
     *
     * @param obj the raw JSON value
     * @return the list produced by {@link #jsonValue}, possibly null
     */
    private ArrayList<String> discoverOPConfig(Object obj) {
        ArrayList<String> values = jsonValue(obj);
        return values;
    }

    /**
     * Normalises a JSON value to a list of strings.
     *
     * @param obj a String, a JSONArray, null, or any other JSON type
     * @return a one-element list for a String, the string elements of a
     *         JSONArray, or null for null and for any other type
     */
    private ArrayList<String> jsonValue(Object obj) {
        if (obj instanceof String) {
            ArrayList<String> single = new ArrayList<>();
            single.add((String) obj);
            return single;
        }
        if (obj instanceof JSONArray) {
            return parseJsonArray((JSONArray) obj);
        }
        // null and every other JSON type (number, boolean, object) map to null.
        return null;
    }

    /**
     * Collects the String elements of a JSON array in order, skipping
     * elements of any other type.
     *
     * @param jSONArray the array; null yields an empty list
     * @return a mutable list of the string elements
     */
    private ArrayList<String> parseJsonArray(JSONArray jSONArray) {
        ArrayList<String> strings = new ArrayList<>();
        if (jSONArray == null) {
            return strings;
        }
        Iterator elements = jSONArray.iterator();
        while (elements.hasNext()) {
            Object element = elements.next();
            if (element instanceof String) {
                strings.add((String) element);
            }
        }
        return strings;
    }

    /** @return true when discovery yielded no issuer identifier */
    private boolean invalidIssuer() {
        boolean missing = issuerIdentifier == null;
        return missing;
    }

    /**
     * Tells whether discovery yielded neither an authorization nor a token
     * endpoint. Note the test is "both missing": a document with only one of
     * the two is accepted here (the per-endpoint requirement is enforced
     * separately by {@code validateAuthzTokenEndpoints}).
     *
     * @return true when both endpoint URLs are null
     */
    private boolean invalidEndpoints() {
        boolean noAuthz = authorizationEndpointUrl == null;
        boolean noToken = tokenEndpointUrl == null;
        return noAuthz && noToken;
    }

    /**
     * Sets the validation endpoint from the discovery document: the
     * introspection endpoint when the validation method is "introspect",
     * otherwise the userinfo endpoint.
     *
     * @param jSONObject the discovery document
     */
    private void handleValidationEndpoint(JSONObject jSONObject) {
        String key = isIntrospectionValidation() ? OPDISCOVERY_INTROSPECTION_EP_URL : OPDISCOVERY_USERINFO_EP_URL;
        validationEndpointUrl = discoverOPConfigSingleValue(jSONObject.get(key));
    }

    /** @return true when the configured validation method is "introspect" */
    private boolean isIntrospectionValidation() {
        String method = validationMethod;
        return "introspect".equals(method);
    }

    /**
     * Parses the discovery response body into {@code discoveryjson}.
     * On a parse failure the field is left unchanged, the exception is
     * recorded via FFDC and the raw body is traced at debug level.
     *
     * @param str the response body
     */
    protected void parseJsonResponse(String str) {
        try {
            discoveryjson = JSONObject.parse(str);
        } catch (Exception parseFailure) {
            FFDCFilter.processException(parseFailure, "com.ibm.ws.security.openidconnect.client.internal.OidcClientConfigImpl", "1079", this, new Object[]{str});
            if (!tc.isDebugEnabled()) {
                return;
            }
            Tr.debug(tc, "Caught exception parsing JSON string [" + str + "]: " + parseFailure.getMessage(), new Object[0]);
        }
    }

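    /**
     * Performs a GET against {@code str} and returns the response body.
     *
     * @param httpClient the client to use (TLS and hostname-verification settings come from it)
     * @param str        the URL to fetch
     * @return the body decoded as UTF-8; never null or empty
     * @throws IOException any transport failure, after being recorded via FFDC and logged
     * @throws Exception   when the status is not 200 or the body is empty; the
     *                     message is the formatted OIDC_CLIENT_DISC_RESPONSE_ERROR text
     */
    @FFDCIgnore({Exception.class})
    protected String getHTTPRequestAsString(HttpClient httpClient, String str) throws Exception {
        // The outer try { ... } catch (Exception e2) { throw e2; } that wrapped
        // this body was a no-op rethrow and has been removed; behaviour is unchanged.
        HttpGet httpGet = new HttpGet(str);
        httpGet.addHeader("content-type", "application/json");
        try {
            HttpResponse execute = httpClient.execute(httpGet);
            StatusLine statusLine = execute.getStatusLine();
            int statusCode = statusLine.getStatusCode();
            if (statusCode != 200) {
                String reasonPhrase = statusLine.getReasonPhrase();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "status:" + statusCode + " errorMsg:" + reasonPhrase, new Object[0]);
                }
                throw new Exception(logErrorMessage(str, statusCode, reasonPhrase));
            }
            String entityUtils = EntityUtils.toString(execute.getEntity(), "UTF-8");
            // The full response body is traced at debug level.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Response: ", new Object[]{entityUtils});
            }
            if (entityUtils == null || entityUtils.isEmpty()) {
                throw new Exception(logErrorMessage(str, statusCode, entityUtils));
            }
            return entityUtils;
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.client.internal.OidcClientConfigImpl", "1096", this, new Object[]{httpClient, str});
            logErrorMessage(str, 0, "IOException: " + e.getMessage() + " " + e.getCause());
            throw e;
        }
    }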

    /**
     * Formats and logs the OIDC_CLIENT_DISC_RESPONSE_ERROR message.
     *
     * @param str  the discovery URL
     * @param i    the HTTP status code (0 when no response was received)
     * @param str2 the reason phrase or error detail
     * @return the formatted message text, for use as an exception message
     */
    private String logErrorMessage(String str, int i, String str2) {
        Object[] args = {str, Integer.valueOf(i), str2};
        String text = TraceNLS.getFormattedMessage(getClass(),
                "com.ibm.ws.security.openidconnect.client.internal.resources.OidcClientMessages",
                "OIDC_CLIENT_DISC_RESPONSE_ERROR", args, "Error processing discovery request");
        Tr.error(tc, text, new Object[0]);
        return text;
    }

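    /**
     * Creates an HTTP client for {@code str}, using the given socket factory
     * when the URL is https. No credentials provider is attached.
     *
     * @param sSLSocketFactory the TLS socket factory to use for https URLs
     * @param str              the target URL; decides whether TLS is configured
     * @param z                whether hostname verification is enabled
     * @return a new client
     */
    public HttpClient createHTTPClient(SSLSocketFactory sSLSocketFactory, String str, boolean z) {
        // The previous body guarded createCredentialsProvider() with the
        // constant-false condition (0 != 0), so no provider was ever built and
        // the "use credentials" flag below was always false. The dead branch is
        // gone; the effective behaviour is unchanged.
        boolean https = str.startsWith("https:");
        return createHttpClient(https, z, sSLSocketFactory, false, null);
    }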

    /**
     * Assembles an HttpClient.
     *
     * @param z                        true to install {@code sSLSocketFactory} for TLS connections
     * @param z2                       true for strict hostname verification; false installs
     *                                 AllowAllHostnameVerifier, which accepts any certificate
     *                                 name for the host being contacted
     * @param sSLSocketFactory         the TLS socket factory (used only when {@code z})
     * @param z3                       true to install {@code basicCredentialsProvider}
     * @param basicCredentialsProvider the credentials to install (ignored unless {@code z3})
     * @return the built client
     */
    private HttpClient createHttpClient(boolean z, boolean z2, SSLSocketFactory sSLSocketFactory, boolean z3, BasicCredentialsProvider basicCredentialsProvider) {
        HttpClientBuilder builder = HttpClientBuilder.create();
        if (z3) {
            builder.setDefaultCredentialsProvider(basicCredentialsProvider);
        }
        if (z) {
            SSLConnectionSocketFactory tlsFactory = z2
                    ? new SSLConnectionSocketFactory(sSLSocketFactory, new StrictHostnameVerifier())
                    : new SSLConnectionSocketFactory(sSLSocketFactory, new AllowAllHostnameVerifier());
            builder.setSSLSocketFactory(tlsFactory);
        }
        CloseableHttpClient client = builder.build();
        return client;
    }

    /**
     * Builds a credentials provider holding the JWK client id/secret.
     * The credentials are registered for {@code AuthScope.ANY}, i.e. they
     * would be offered to any host/realm that challenges the client, not
     * only the JWK endpoint.
     *
     * @return a provider with the JWK client credentials
     */
    private BasicCredentialsProvider createCredentialsProvider() {
        UsernamePasswordCredentials jwkCredentials = new UsernamePasswordCredentials(jwkClientId, jwkClientSecret);
        BasicCredentialsProvider provider = new BasicCredentialsProvider();
        provider.setCredentials(AuthScope.ANY, jwkCredentials);
        return provider;
    }

    /**
     * Obtains the TLS socket factory for the named SSL configuration.
     *
     * @param str        the URL being contacted (not used for the lookup)
     * @param str2       the SSL configuration name
     * @param sSLSupport the SSL support service; null yields no factory
     * @return the factory, never null
     * @throws SSLException when the lookup fails (only the message of the
     *                      underlying javax.net.ssl.SSLException is carried,
     *                      not the cause) or when no factory is available
     */
    @FFDCIgnore({javax.net.ssl.SSLException.class})
    protected SSLSocketFactory getSSLSocketFactory(String str, String str2, SSLSupport sSLSupport) throws SSLException {
        SSLSocketFactory factory = null;
        try {
            if (sSLSupport != null) {
                factory = sSLSupport.getSSLSocketFactory(str2);
            }
        } catch (javax.net.ssl.SSLException lookupFailure) {
            throw new SSLException(lookupFailure.getMessage());
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "sslSocketFactory () get: " + factory, new Object[0]);
        }
        if (factory != null) {
            return factory;
        }
        // No fallback to a default factory: a missing SSL configuration fails discovery.
        Object[] args = {"Null ssl socket factory", getId()};
        throw new SSLException(Tr.formatMessage(tc, "OIDC_CLIENT_HTTPS_WITH_SSLCONTEXT_NULL", args));
    }

    /**
     * Falls back to the "sub" claim as the subject identity when the
     * configured value is null or empty.
     *
     * @param str the configured userIdentityToCreateSubject value
     */
    private void checkForValidValue(String str) {
        boolean blank = str == null || str.isEmpty();
        if (!blank) {
            return;
        }
        userIdentityToCreateSubject = "sub";
    }

    /**
     * Checks that a usable validation endpoint exists when inbound token
     * propagation needs one. With inboundPropagation "required" a bad URL
     * marks the whole configuration invalid; with "supported" propagation is
     * downgraded to "none" and a warning is logged. The URL is considered
     * usable when it is non-null, starts with "http" and contains a "/".
     */
    private void checkValidationEndpointUrl() {
        String url = validationEndpointUrl;
        boolean usable = url != null && url.startsWith("http") && url.indexOf("/") >= 0;
        if (usable) {
            return;
        }
        if ("required".equalsIgnoreCase(inboundPropagation)) {
            goodConfig = false;
            Tr.error(tc, "BAD_INBOUND_PRPAGATION_REQUIRED", new Object[]{getId(), url});
        } else if ("supported".equalsIgnoreCase(inboundPropagation)) {
            inboundPropagation = "none";
            Tr.warning(tc, "BAD_INBOUND_PRPAGATION_SUPPORTED", new Object[]{url, getId()});
        }
    }

    /**
     * Reads a protected configuration value (client secret style attribute)
     * and decodes it with PasswordUtil.
     *
     * @param map the raw configuration properties
     * @param str the attribute name
     * @return the decoded value; null is passed through to passwordDecode when the attribute is absent
     */
    @Sensitive
    private String processProtectedString(Map<String, Object> map, String str) {
        Object raw = map.get(str);
        String encoded;
        if (raw == null) {
            encoded = null;
        } else if (raw instanceof SerializableProtectedString) {
            encoded = new String(((SerializableProtectedString) raw).getChars());
        } else {
            encoded = (String) raw;
        }
        return PasswordUtil.passwordDecode(encoded);
    }

    /** @return the configuration id (read under the instance monitor, as before) */
    public synchronized String getId() {
        String current = id;
        return current;
    }

    /** @return the configured OAuth grant type */
    public String getGrantType() {
        return grantType;
    }

    /** @return the space-separated scope string (possibly adjusted by discovery) */
    public String getScope() {
        return scope;
    }

    /** @return the OAuth client id */
    public String getClientId() {
        return clientId;
    }

    /** @return the OAuth client secret; marked {@code @Sensitive} so trace does not print it */
    @Sensitive
    public String getClientSecret() {
        return clientSecret;
    }

    /**
     * @return the redirect URL for this client, built from the client id, the
     *         context path and the configured redirectToRPHostAndPort
     */
    public String getRedirectUrlFromServerToClient() {
        OIDCClientAuthenticatorUtil util = new OIDCClientAuthenticatorUtil();
        return util.getRedirectUrlFromServerToClient(getId(), getContextPath(), redirectToRPHostAndPort);
    }

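    /**
     * Inserts the configured redirect junction path into {@code str} right
     * after the authority (the first "/" following "//").
     *
     * @param str the redirect URL; returned unchanged when null/empty or when
     *            no junction path is configured
     * @return the URL with the junction path inserted before its path, or
     *         appended when the URL has no path component
     */
    public String getRedirectUrlWithJunctionPath(String str) {
        boolean noJunction = redirectJunctionPath == null || redirectJunctionPath.isEmpty();
        boolean noUrl = str == null || str.isEmpty();
        if (noJunction || noUrl) {
            return str;
        }
        // Search start is kept as before: indexOf("//") is -1 when absent, so
        // the scan then begins at index 1.
        int pathStart = str.indexOf("/", str.indexOf("//") + 2);
        if (pathStart < 0) {
            // A URL without a path (e.g. scheme://host) used to reach
            // substring(0, -1) and throw StringIndexOutOfBoundsException.
            return str + redirectJunctionPath;
        }
        return str.substring(0, pathStart) + redirectJunctionPath + str.substring(pathStart);
    }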

    /** @return the claim name used to derive group membership */
    public String getGroupIdentifier() {
        return groupIdentifier;
    }

    /** @return the claim name used to derive the realm */
    public String getRealmIdentifier() {
        return realmIdentifier;
    }

    /** @return the configured realm name */
    public String getRealmName() {
        return realmName;
    }

    /** @return the claim name used as the unique user identifier */
    public String getUniqueUserIdentifier() {
        return uniqueUserIdentifier;
    }

    /** @return the token-endpoint authentication method ("post"/"basic" form, possibly adjusted by discovery) */
    public String getTokenEndpointAuthMethod() {
        return tokenEndpointAuthMethod;
    }

    /** @return the claim name used to build the subject ("sub" when none was configured) */
    public String getUserIdentityToCreateSubject() {
        return userIdentityToCreateSubject;
    }

    /** @return whether the authenticated identity is mapped to a user-registry user */
    public boolean isMapIdentityToRegistryUser() {
        return mapIdentityToRegistryUser;
    }

    /** @return whether access tokens are validated locally rather than at the OP */
    public boolean isValidateAccessTokenLocally() {
        return validateAccessTokenLocally;
    }

    /**
     * @return the shared key for symmetric token validation, falling back to
     *         the client secret when no dedicated shared key is configured
     */
    @Sensitive
    public String getSharedKey() {
        if (sharedKey == null) {
            return clientSecret;
        }
        return sharedKey;
    }

    /** @return the alias of the OP's certificate in the trust store */
    public String getTrustAliasName() {
        return trustAliasName;
    }

    /** @return whether HTTPS is required for the protected resource */
    public boolean isHttpsRequired() {
        return httpsRequired;
    }

    /** @return whether the redirect to the OP is performed client-side */
    public boolean isClientSideRedirect() {
        return clientSideRedirect;
    }

    /** @return whether a nonce is sent in the authorization request and checked in the ID token */
    public boolean isNonceEnabled() {
        return nonceEnabled;
    }

    /** @return the id of the referenced SSL configuration element */
    public String getSslRef() {
        return sslRef;
    }

    /** @return the SSL configuration name passed to SSLSupport when creating socket factories */
    public String getSSLConfigurationName() {
        return sslConfigurationName;
    }

    /** @return the expected ID-token signature algorithm (possibly adjusted by discovery) */
    public String getSignatureAlgorithm() {
        return signatureAlgorithm;
    }

    /** @return the tolerated clock skew, in seconds, for token time claims */
    public long getClockSkewInSeconds() {
        return clockSkewInSeconds;
    }

    /** @return the maximum age, in seconds, allowed for an authentication */
    public long getAuthenticationTimeLimitInSeconds() {
        return authenticationTimeLimitInSeconds;
    }

    /** @return the OP authorization endpoint URL (configured or discovered) */
    public String getAuthorizationEndpointUrl() {
        return authorizationEndpointUrl;
    }

    /** @return the OP token endpoint URL (configured or discovered) */
    public String getTokenEndpointUrl() {
        return tokenEndpointUrl;
    }

    /** @return the endpoint used to validate inbound tokens (introspection or userinfo) */
    public String getValidationEndpointUrl() {
        return validationEndpointUrl;
    }

    /** @return the initial capacity of the state cache */
    public int getInitialStateCacheCapacity() {
        return initialStateCacheCapacity;
    }

    /** @return the expected token issuer (configured or discovered) */
    public String getIssuerIdentifier() {
        return issuerIdentifier;
    }

    /** @return the id of the trust store holding the OP's signing certificate */
    public String getTrustStoreRef() {
        return trustStoreRef;
    }

    /* renamed from: getPublicKey, reason: merged with bridge method [inline-methods] */
    /**
     * Loads the OP's public key from the configured trust store and alias.
     *
     * @return the public key of the certificate stored under trustAliasName in trustStoreRef
     * @throws KeyStoreException    propagated from the key store service
     * @throws CertificateException propagated from the key store service
     */
    public PublicKey m11getPublicKey() throws KeyStoreException, CertificateException {
        KeyStoreService keyStoreService = (KeyStoreService) keyStoreServiceRef.getService();
        return keyStoreService.getCertificateFromKeyStore(trustStoreRef, trustAliasName).getPublicKey();
    }

    /** @return whether TLS hostname verification is enabled for outbound connections */
    public boolean isHostNameVerificationEnabled() {
        return hostNameVerificationEnabled;
    }

    /** @return whether the ID token is placed in the authenticated subject */
    public boolean isIncludeIdTokenInSubject() {
        return includeIdTokenInSubject;
    }

    /** @return whether a custom cache key is placed in the authenticated subject */
    public boolean isIncludeCustomCacheKeyInSubject() {
        return includeCustomCacheKeyInSubject;
    }

    /** @return the acr_values sent in the authorization request */
    public String getAuthContextClassReference() {
        return authenticationContextClassReferenceValue;
    }

    /** @return the id of the referenced authentication filter, or null */
    public String getAuthFilterId() {
        return authFilterId;
    }

    /**
     * Resolves an authFilterRef PID to the "id" property of the referenced
     * configuration.
     *
     * @param str the configuration PID; null or empty yields null
     * @return the "id" property, or null when ConfigurationAdmin is unavailable,
     *         the lookup fails (recorded via FFDC), or the configuration has no properties
     */
    private String getAuthFilterId(String str) {
        if (str == null || str.isEmpty()) {
            return null;
        }
        ConfigurationAdmin admin = (ConfigurationAdmin) configAdminRef.getService();
        if (admin == null) {
            return null;
        }
        Configuration configuration;
        try {
            configuration = admin.getConfiguration(str, (String) null);
        } catch (IOException lookupFailure) {
            FFDCFilter.processException(lookupFailure, "com.ibm.ws.security.openidconnect.client.internal.OidcClientConfigImpl", "1563", this, new Object[]{str});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Invalid authFilterRef configuration", new Object[]{lookupFailure.getMessage()});
            }
            return null;
        }
        if (configuration == null) {
            return null;
        }
        Dictionary properties = configuration.getProperties();
        return properties == null ? null : (String) properties.get("id");
    }

    /** @return the OP JWK set endpoint URL (configured or discovered) */
    public String getJwkEndpointUrl() {
        return jwkEndpointUrl;
    }

    /** @return the cached JWK set for signature verification */
    public JWKSet getJwkSet() {
        return jwkset;
    }

    /** @return the inline JSON web key, if one was configured */
    public String getJsonWebKey() {
        return jsonWebKey;
    }

    /** @return the prompt parameter sent in the authorization request */
    public String getPrompt() {
        return prompt;
    }

    /** @return whether an HTTP session is created on authentication */
    public boolean createSession() {
        return createSession;
    }

    /** @return the inbound propagation mode; may have been downgraded to "none" by checkValidationEndpointUrl */
    public String getInboundPropagation() {
        return inboundPropagation;
    }

    /** @return the inbound token validation method (e.g. "introspect") */
    public String getValidationMethod() {
        return validationMethod;
    }

    /** @return the request header from which an inbound token is read */
    public String getHeaderName() {
        return headerName;
    }

    /** @return the claim name used as the user identifier */
    public String getUserIdentifier() {
        return userIdentifier;
    }

    /** @return whether issuing the LTPA cookie is disabled for this client */
    public boolean isDisableLtpaCookie() {
        return disableLtpaCookie;
    }

    /**
     * Returns the client cookie name, computing and caching it on first use.
     * The name is "WASOidcClient_" plus {@link #hash} of a long name made of
     * the host name, the server's user directory, the server name and the
     * client id; when WsLocationAdmin is unavailable an error is logged and
     * the client id alone is hashed. The hash only serves to keep the name
     * short and distinct per server/client; it is not a secret.
     *
     * @return the cached cookie name
     */
    public String getOidcClientCookieName() {
        boolean cached = oidcClientCookieName != null && !oidcClientCookieName.isEmpty();
        if (cached) {
            return oidcClientCookieName;
        }
        WsLocationAdmin locationAdmin = (WsLocationAdmin) locationAdminRef.getService();
        String longName;
        if (locationAdmin == null) {
            Tr.error(tc, "OSGI_SERVICE_ERROR", new Object[]{"WsLocationAdmin"});
            longName = clientId;
        } else {
            String userDir = locationAdmin.resolveString("${wlp.user.dir}").replace('\\', '/');
            StringBuilder name = new StringBuilder();
            name.append(FileInfo.getHostName()).append("_").append(userDir);
            if (!userDir.endsWith("/")) {
                name.append("/");
            }
            name.append("servers/").append(locationAdmin.getServerName()).append("/oidcclient/").append(getId());
            longName = name.toString();
        }
        oidcClientCookieName = "WASOidcClient_" + hash(longName);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "cookieHashName: " + oidcClientCookieName + " cookieLongName: " + longName, new Object[0]);
        }
        return oidcClientCookieName;
    }

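    /**
     * Renders {@code str.hashCode()} as a short sign-prefixed decimal:
     * "p" + value for non-negative hashes, "n" + magnitude for negative ones.
     * This is String.hashCode, not a cryptographic digest; it is used to
     * shorten cookie names, not to protect anything.
     *
     * @param str the string to hash (must be non-null)
     * @return e.g. "p97" for "a"
     */
    public static String hash(String str) {
        int hashCode = str.hashCode();
        if (hashCode >= 0) {
            return "p" + hashCode;
        }
        // Negate in long: -Integer.MIN_VALUE overflows back to MIN_VALUE in
        // int arithmetic, so the previous (hashCode * -1) produced
        // "n-2147483648" for strings whose hash is Integer.MIN_VALUE.
        return "n" + (-(long) hashCode);
    }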

    /** @return whether the authentication session is disabled for propagated tokens */
    public boolean isAuthnSessionDisabled_propagation() {
        return authnSessionDisabled;
    }

    /** @return false once a configuration check (e.g. checkValidationEndpointUrl) has marked the config bad */
    public boolean isValidConfig() {
        return goodConfig;
    }

    /** @return whether the user is re-authenticated when the access token expires */
    public boolean isReAuthnOnAccessTokenExpire() {
        return reAuthnOnAccessTokenExpire;
    }

    /** @return the re-authentication cushion, in milliseconds, before token expiry */
    public long getReAuthnCushion() {
        return reAuthnCushionMilliseconds;
    }

    /** @return whether the issuer ("iss") claim check is disabled */
    public boolean disableIssChecking() {
        return disableIssChecking;
    }

    /**
     * Trims a configuration value, treating blank as absent.
     *
     * @param str the raw value
     * @return the trimmed value, or null when {@code str} is null or blank
     */
    String trimIt(String str) {
        if (str == null) {
            return null;
        }
        String trimmed = str.trim();
        return trimmed.isEmpty() ? null : trimmed;
    }

    /**
     * Trims every element of a configuration array and drops blank ones.
     *
     * @param strArr the raw values
     * @return a new array of the trimmed non-blank values in original order,
     *         or null when the input is null/empty or every element is blank
     */
    String[] trimIt(String[] strArr) {
        if (strArr == null || strArr.length == 0) {
            return null;
        }
        ArrayList<String> kept = new ArrayList<>(strArr.length);
        for (String raw : strArr) {
            String trimmed = trimIt(raw);
            if (trimmed != null) {
                kept.add(trimmed);
            }
        }
        if (kept.isEmpty()) {
            return null;
        }
        return kept.toArray(new String[kept.size()]);
    }

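    /**
     * Returns a fresh copy of the configured audiences so callers cannot
     * alter this configuration's list.
     *
     * @return a new mutable list, or null when no audiences are configured
     */
    public List<String> getAudiences() {
        if (audiences == null) {
            return null;
        }
        // Typed instead of the raw ArrayList used before (unchecked conversion).
        List<String> copy = new ArrayList<>();
        for (String audience : audiences) {
            copy.add(audience);
        }
        return copy;
    }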

    /** @return whether any audience value is accepted */
    public boolean allowedAllAudiences() {
        return allAudiences;
    }

    /** @return a defensive copy of the configured resource values, or null when none */
    public String[] getResources() {
        if (resources == null) {
            return null;
        }
        String[] copy = (String[]) resources.clone();
        return copy;
    }

    /** @return the response_type sent in the authorization request */
    public String getResponseType() {
        return responseType;
    }

    /** @return whether the oidcclient request parameter is honoured */
    public boolean isOidcclientRequestParameterSupported() {
        return oidcclientRequestParameterSupported;
    }

    /** @return the context path shared by all client instances (a static value set via {@link #setContextPath}) */
    public String getContextPath() {
        return contextPath;
    }

    /**
     * Sets the context path shared by all client instances.
     *
     * @param str the new context path
     */
    public static void setContextPath(String str) {
        contextPath = str;
    }

    /** @return the id of the referenced JWT builder configuration */
    public String jwtRef() {
        return jwtRef;
    }

    /** @return a defensive copy of the configured JWT claim names, or null when none */
    public String[] getJwtClaims() {
        if (jwtClaims == null) {
            return null;
        }
        String[] copy = (String[]) jwtClaims.clone();
        return copy;
    }

    /**
     * Returns the client id used to authenticate to the JWK endpoint.
     *
     * @return the configured JWK client id
     */
    public String getJwkClientId() {
        return jwkClientId;
    }

    /**
     * Returns the client secret used to authenticate to the JWK endpoint.
     * The method is marked {@code @Sensitive} so the RAS trace machinery masks
     * the returned value; callers must not log or include it in {@code toString()}
     * output either.
     *
     * @return the configured JWK client secret
     */
    @Sensitive
    public String getJwkClientSecret() {
        return jwkClientSecret;
    }

    /**
     * Reports whether the access token is to be carried inside the LTPA cookie.
     *
     * @return the configured flag
     */
    public boolean getAccessTokenInLtpaCookie() {
        return accessTokenInLtpaCookie;
    }

    /**
     * Reports whether token reuse is enabled for this client.
     *
     * @return the configured flag
     */
    public boolean getTokenReuse() {
        return tokenReuse;
    }

    /**
     * Reports whether the access token is to be treated as the id token.
     *
     * @return the configured flag
     */
    public boolean getUseAccessTokenAsIdToken() {
        return useAccessTokenAsIdToken;
    }

    /**
     * Returns the names of login request parameters that are forwarded.
     *
     * @return a fresh, mutable copy of the configured list so callers cannot alter
     *         this configuration, or {@code null} when none are configured
     */
    public List<String> getForwardLoginParameter() {
        return forwardLoginParameter == null ? null : new ArrayList<String>(forwardLoginParameter);
    }

    /**
     * Reports whether this is a social-login configuration. This implementation
     * never is, so the answer is always {@code false}.
     *
     * @return {@code false}
     */
    public boolean isSocial() {
        return false;
    }

    /**
     * Exposes this object through the {@link OidcClientConfig} interface.
     *
     * @return this instance
     */
    public OidcClientConfig getOidcClientConfig() {
        return this;
    }

    /**
     * Renders a one-line summary of the configuration for diagnostics.
     * Only the identifiers and endpoint URLs listed below are emitted; the
     * {@code @Sensitive} JWK client secret is not part of the output, so the
     * result is safe to write to logs.
     *
     * @return a brace-delimited summary of the principal settings
     */
    public String toString() {
        // Plain concatenation yields the same text as the StringBuffer form
        // (null fields render as "null").
        return "{"
                + "Id: " + this.id
                + " clientId: " + this.clientId
                + " grantType: " + this.grantType
                + " responseType: " + this.responseType
                + " scope: " + this.scope
                + " redirectToRPHostAndPort: " + this.redirectToRPHostAndPort
                + " issuerIdentifier: " + this.issuerIdentifier
                + " tokenEndpointUrl: " + this.tokenEndpointUrl
                + " userInfoEndpointUrl: " + this.userInfoEndpointUrl
                + "}";
    }

    /**
     * Reports whether the UserInfo endpoint is enabled for this client.
     *
     * @return the configured flag
     */
    public boolean isUserInfoEnabled() {
        return userInfoEndpointEnabled;
    }

    /**
     * Returns the configured UserInfo endpoint URL.
     *
     * @return the URL as configured
     */
    public String getUserInfoEndpointUrl() {
        return userInfoEndpointUrl;
    }

    /**
     * Returns the configured OIDC discovery endpoint URL.
     *
     * @return the URL as configured
     */
    public String getDiscoveryEndpointUrl() {
        return discoveryEndpointUrl;
    }

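    /**
     * Returns the extra parameters to add to the authorization request.
     * A copy is handed out, matching {@link #getResources()} and
     * {@link #getJwtClaims()}, so a caller that edits the returned map cannot
     * alter the shared configuration.
     *
     * @return a mutable copy of the configured parameters, or {@code null} when
     *         none are configured
     */
    public HashMap<String, String> getAuthzRequestParams() {
        return authzRequestParamMap == null ? null : new HashMap<String, String>(authzRequestParamMap);
    }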

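    /**
     * Returns the extra parameters to add to the token request.
     * A copy is handed out, matching {@link #getResources()} and
     * {@link #getJwtClaims()}, so a caller that edits the returned map cannot
     * alter the shared configuration.
     *
     * @return a mutable copy of the configured parameters, or {@code null} when
     *         none are configured
     */
    public HashMap<String, String> getTokenRequestParams() {
        return tokenRequestParamMap == null ? null : new HashMap<String, String>(tokenRequestParamMap);
    }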

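    /**
     * Returns the extra parameters to add to the UserInfo request.
     * A copy is handed out, matching {@link #getResources()} and
     * {@link #getJwtClaims()}, so a caller that edits the returned map cannot
     * alter the shared configuration.
     *
     * @return a mutable copy of the configured parameters, or {@code null} when
     *         none are configured
     */
    public HashMap<String, String> getUserinfoRequestParams() {
        return userinfoRequestParamMap == null ? null : new HashMap<String, String>(userinfoRequestParamMap);
    }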

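    /**
     * Returns the extra parameters to add to the JWK endpoint request.
     * A copy is handed out, matching {@link #getResources()} and
     * {@link #getJwtClaims()}, so a caller that edits the returned map cannot
     * alter the shared configuration.
     *
     * @return a mutable copy of the configured parameters, or {@code null} when
     *         none are configured
     */
    public HashMap<String, String> getJwkRequestParams() {
        return jwkRequestParamMap == null ? null : new HashMap<String, String>(jwkRequestParamMap);
    }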
}
