package org.keycloak.authentication.authenticators.browser;

import java.net.URI;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.jboss.logging.Logger;
import org.keycloak.OAuth2Constants;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.Authenticator;
import org.keycloak.constants.AdapterConstants;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.ClientSessionCode;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.class */
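/**
 * Browser-flow authenticator that forwards the user to a brokered identity provider.
 *
 * <p>The provider alias comes from the {@code kc_idp_hint} query parameter when it is present,
 * otherwise from the {@code defaultProvider} entry of the authenticator configuration. The
 * query parameter is supplied by the client and must be treated as untrusted: it is only used
 * to select, by exact alias match, one of the realm's enabled identity providers, and it is
 * neutralised before being written to the log.
 */
public class IdentityProviderAuthenticator implements Authenticator {
    private static final Logger LOG = Logger.getLogger(IdentityProviderAuthenticator.class);
    protected static final String ACCEPTS_PROMPT_NONE = "acceptsPromptNoneForwardFromClient";

    /** Authenticator-config key that names the provider used when no hint is supplied. */
    private static final String DEFAULT_PROVIDER_KEY = "defaultProvider";

    /** Upper bound on how much of a request-supplied value is copied into a log record. */
    private static final int MAX_LOGGED_VALUE_LENGTH = 128;

    /**
     * Chooses the identity provider to forward to, or marks this execution as attempted when
     * none is selected.
     *
     * @param authenticationFlowContext the running flow; its request URI and authenticator
     *     configuration are read here
     */
    @Override // org.keycloak.authentication.Authenticator
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        if (authenticationFlowContext.getUriInfo().getQueryParameters().containsKey(AdapterConstants.KC_IDP_HINT)) {
            String hint = authenticationFlowContext.getUriInfo().getQueryParameters().getFirst(AdapterConstants.KC_IDP_HINT);
            if (hint == null || hint.isEmpty()) {
                // A present-but-empty hint skips this authenticator; the default provider is
                // deliberately not consulted in this case (same as before).
                LOG.trace("Skipping: kc_idp_hint query parameter is empty");
                authenticationFlowContext.attempted();
                return;
            }
            if (LOG.isTraceEnabled()) {
                // The hint is attacker-controlled; never log it verbatim.
                LOG.tracef("Redirecting: %s set to %s", AdapterConstants.KC_IDP_HINT, sanitizeForLog(hint));
            }
            redirect(authenticationFlowContext, hint);
            return;
        }

        String defaultProvider = null;
        if (authenticationFlowContext.getAuthenticatorConfig() != null) {
            defaultProvider = authenticationFlowContext.getAuthenticatorConfig().getConfig().get(DEFAULT_PROVIDER_KEY);
        }
        // A key that is present with a null or empty value used to reach redirect() and either
        // throw a NullPointerException or log a spurious warning; treat it as "not configured".
        if (defaultProvider == null || defaultProvider.isEmpty()) {
            LOG.tracef("No default provider set or %s query parameter provided", AdapterConstants.KC_IDP_HINT);
            authenticationFlowContext.attempted();
            return;
        }
        LOG.tracef("Redirecting: default provider set to %s", defaultProvider);
        redirect(authenticationFlowContext, defaultProvider);
    }

    /**
     * Issues a 303 redirect to the broker login endpoint of the named provider.
     *
     * <p>The alias is honoured only if it equals the alias of an enabled identity provider of
     * the current realm, so a request-supplied hint cannot steer the redirect anywhere else.
     * When nothing matches, a warning is logged and the execution is marked as attempted.
     *
     * @param context the running authentication flow
     * @param providerAlias requested provider alias; may originate from the request
     */
    private void redirect(AuthenticationFlowContext context, String providerAlias) {
        for (IdentityProviderModel provider : context.getRealm().getIdentityProviders()) {
            if (!provider.isEnabled() || !providerAlias.equals(provider.getAlias())) {
                continue;
            }
            String accessCode = new ClientSessionCode(context.getSession(), context.getRealm(), context.getAuthenticationSession()).getOrGenerateCode();
            String clientId = context.getAuthenticationSession().getClient().getClientId();
            String tabId = context.getAuthenticationSession().getTabId();
            URI location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerAlias, context.getRealm().getName(), accessCode, clientId, tabId);

            String display = context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY);
            if (display != null) {
                // NOTE(review): JAX-RS documents that queryParam values may contain {template}
                // variables - confirm how a display value containing braces behaves here.
                location = UriBuilder.fromUri(location).queryParam(OAuth2Constants.DISPLAY, display).build();
            }
            Response challenge = Response.seeOther(location).build();

            // prompt=none is forwarded as a passive login only when the provider opts in.
            boolean promptNone = "none".equals(context.getAuthenticationSession().getClientNote("prompt"));
            if (promptNone && Boolean.parseBoolean(provider.getConfig().get(ACCEPTS_PROMPT_NONE))) {
                context.getAuthenticationSession().setAuthNote(AuthenticationProcessor.FORWARDED_PASSIVE_LOGIN, "true");
            }
            // Safe to log as-is: at this point the value equals a configured alias.
            LOG.debugf("Redirecting to %s", providerAlias);
            context.forceChallenge(challenge);
            return;
        }
        // The message used to print the requested alias where it announced the realm. Both are
        // logged now, and the alias is neutralised because it may come straight from the
        // kc_idp_hint query parameter (CR/LF in it would otherwise forge log lines).
        LOG.warnf("Provider not found or not enabled for realm %s: %s", context.getRealm().getName(), sanitizeForLog(providerAlias));
        context.attempted();
    }

    /**
     * Makes a request-supplied value safe to embed in a single log line: ISO control characters
     * (including CR and LF) become {@code '_'} and the result is capped at
     * {@link #MAX_LOGGED_VALUE_LENGTH} characters, with {@code "..."} appended when truncated.
     *
     * @param value raw value, possibly {@code null}
     * @return a single-line, bounded rendering of {@code value}
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        int limit = Math.min(value.length(), MAX_LOGGED_VALUE_LENGTH);
        StringBuilder cleaned = new StringBuilder(limit + 3);
        for (int i = 0; i < limit; i++) {
            char c = value.charAt(i);
            cleaned.append(Character.isISOControl(c) ? '_' : c);
        }
        if (value.length() > limit) {
            cleaned.append("...");
        }
        return cleaned.toString();
    }

    /** No form is rendered by this authenticator, so there is no action to process. */
    @Override // org.keycloak.authentication.Authenticator
    public void action(AuthenticationFlowContext authenticationFlowContext) {
    }

    /** @return {@code false}; this authenticator runs before any user is identified */
    @Override // org.keycloak.authentication.Authenticator
    public boolean requiresUser() {
        return false;
    }

    /** @return {@code true} unconditionally; no per-user setup is checked */
    @Override // org.keycloak.authentication.Authenticator
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return true;
    }

    /** Registers no required actions. */
    @Override // org.keycloak.authentication.Authenticator
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
    }

    /** Holds no resources; nothing to release. */
    @Override // org.keycloak.provider.Provider
    public void close() {
    }
}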
