package org.xdi.oxauth.userinfo.ws.rs;

import java.io.UnsupportedEncodingException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.CacheControl;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang.StringUtils;
import org.codehaus.jettison.json.JSONArray;
import org.codehaus.jettison.json.JSONObject;
import org.gluu.site.ldap.persistence.exception.EntryPersistenceException;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.xdi.model.GluuAttribute;
import org.xdi.oxauth.audit.ApplicationAuditLogger;
import org.xdi.oxauth.model.audit.Action;
import org.xdi.oxauth.model.audit.OAuth2AuditLog;
import org.xdi.oxauth.model.authorize.Claim;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.AuthorizationGrantList;
import org.xdi.oxauth.model.common.AuthorizationGrantType;
import org.xdi.oxauth.model.common.DefaultScope;
import org.xdi.oxauth.model.common.Scope;
import org.xdi.oxauth.model.common.ScopeType;
import org.xdi.oxauth.model.common.SubjectType;
import org.xdi.oxauth.model.common.UnmodifiableAuthorizationGrant;
import org.xdi.oxauth.model.common.User;
import org.xdi.oxauth.model.configuration.AppConfiguration;
import org.xdi.oxauth.model.crypto.AbstractCryptoProvider;
import org.xdi.oxauth.model.crypto.CryptoProviderFactory;
import org.xdi.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm;
import org.xdi.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm;
import org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.exception.InvalidClaimException;
import org.xdi.oxauth.model.exception.InvalidJweException;
import org.xdi.oxauth.model.exception.InvalidJwtException;
import org.xdi.oxauth.model.jwe.Jwe;
import org.xdi.oxauth.model.jwe.JweEncrypterImpl;
import org.xdi.oxauth.model.jwk.JSONWebKeySet;
import org.xdi.oxauth.model.jwt.Jwt;
import org.xdi.oxauth.model.jwt.JwtSubClaimObject;
import org.xdi.oxauth.model.jwt.JwtType;
import org.xdi.oxauth.model.ldap.PairwiseIdentifier;
import org.xdi.oxauth.model.token.JsonWebResponse;
import org.xdi.oxauth.model.userinfo.UserInfoErrorResponseType;
import org.xdi.oxauth.model.userinfo.UserInfoParamsValidator;
import org.xdi.oxauth.model.util.JwtUtil;
import org.xdi.oxauth.service.AttributeService;
import org.xdi.oxauth.service.PairwiseIdentifierService;
import org.xdi.oxauth.service.ScopeService;
import org.xdi.oxauth.service.UserService;
import org.xdi.oxauth.service.external.ExternalDynamicScopeService;
import org.xdi.oxauth.service.external.context.DynamicScopeExternalContext;
import org.xdi.oxauth.util.ServerUtil;
import org.xdi.util.security.StringEncrypter;

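/**
 * UserInfo endpoint implementation: resolves the authorization grant behind a bearer access
 * token and returns the user's claims as plain JSON, a signed JWT or an encrypted JWE,
 * depending on the response settings registered for the client.
 *
 * <p>Security-relevant behaviour of this class:
 * <ul>
 *   <li>The access token is a live credential and is never written to the log.</li>
 *   <li>Successful responses are marked {@code Cache-Control: private, no-store} and
 *       {@code Pragma: no-cache}.</li>
 *   <li>Every request, successful or not, is forwarded to the audit logger.</li>
 *   <li>An encrypted response is only returned after the token went through the encrypter;
 *       an unsupported key-management algorithm is rejected instead of being ignored.</li>
 * </ul>
 */
@Name("requestUserInfoRestWebService")
public class UserInfoRestWebServiceImpl implements UserInfoRestWebService {

    /** Prefix of an {@code Authorization} header value that carries a bearer token. */
    private static final String BEARER_PREFIX = "Bearer ";

    @Logger
    private Log log;

    @In
    private ApplicationAuditLogger applicationAuditLogger;

    @In
    private ErrorResponseFactory errorResponseFactory;

    @In
    private AuthorizationGrantList authorizationGrantList;

    @In
    private ScopeService scopeService;

    @In
    private AttributeService attributeService;

    @In
    private UserService userService;

    @In
    private ExternalDynamicScopeService externalDynamicScopeService;

    @In
    private PairwiseIdentifierService pairwiseIdentifierService;

    @In
    private AppConfiguration appConfiguration;

    @In
    private JSONWebKeySet webKeysConfiguration;

    /** GET variant of the endpoint; delegates to {@link #requestUserInfo}. */
    @Override // org.xdi.oxauth.userinfo.ws.rs.UserInfoRestWebService
    public Response requestUserInfoGet(String str, String str2, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        return requestUserInfo(str, str2, httpServletRequest, securityContext);
    }

    /** POST variant of the endpoint; delegates to {@link #requestUserInfo}. */
    @Override // org.xdi.oxauth.userinfo.ws.rs.UserInfoRestWebService
    public Response requestUserInfoPost(String str, String str2, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        return requestUserInfo(str, str2, httpServletRequest, securityContext);
    }

    /**
     * Validates the access token and builds the UserInfo response.
     *
     * @param str                access token passed as a request parameter; replaced by the
     *                           token from {@code str2} when that carries a bearer token
     * @param str2               value of the authorization header, may be {@code null}
     * @param httpServletRequest request, used only to obtain the caller address for auditing
     * @param securityContext    JAX-RS security context, used only for the debug log line
     * @return 200 with the claims; 400 for a malformed request or an unknown token; 403 when
     *         the grant is a client-credentials grant or lacks the {@code openid} and
     *         {@code profile} scopes; 500 on any processing failure
     */
    public Response requestUserInfo(String str, String str2, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        String accessToken = str;
        if (str2 != null && str2.startsWith(BEARER_PREFIX)) {
            accessToken = str2.substring(BEARER_PREFIX.length());
        }
        // The bearer token is a credential: anyone who can read the log could replay it,
        // so it is deliberately kept out of the log message.
        this.log.debug("Attempting to request User Info, Is Secure = {0}", securityContext.isSecure());

        Response.ResponseBuilder builder = Response.ok();
        OAuth2AuditLog auditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpServletRequest), Action.USER_INFO);
        try {
            if (!UserInfoParamsValidator.validateParams(accessToken)) {
                builder = Response.status(400);
                builder.entity(this.errorResponseFactory.getErrorAsJson(UserInfoErrorResponseType.INVALID_REQUEST));
            } else {
                AuthorizationGrant grant = this.authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
                if (grant == null) {
                    // NOTE(review): RFC 6750 specifies 401 for invalid_token; 400 is kept here
                    // because existing callers may depend on it.
                    builder = Response.status(400);
                    builder.entity(this.errorResponseFactory.getErrorAsJson(UserInfoErrorResponseType.INVALID_TOKEN));
                } else if (grant.getAuthorizationGrantType() == AuthorizationGrantType.CLIENT_CREDENTIALS) {
                    // A client-credentials grant has no end user whose claims could be returned.
                    builder = Response.status(403);
                    builder.entity(this.errorResponseFactory.getErrorAsJson(UserInfoErrorResponseType.INSUFFICIENT_SCOPE));
                } else if (grant.getScopes().contains(DefaultScope.OPEN_ID.toString())
                        || grant.getScopes().contains(DefaultScope.PROFILE.toString())) {
                    auditLog.updateOAuth2AuditLog(grant, true);

                    // User claims must not be kept by shared or local caches.
                    CacheControl cacheControl = new CacheControl();
                    cacheControl.setPrivate(true);
                    cacheControl.setNoTransform(false);
                    cacheControl.setNoStore(true);
                    builder.cacheControl(cacheControl);
                    builder.header("Pragma", "no-cache");

                    // Prefer a freshly loaded entry; on a persistence failure fall back to
                    // the user object held by the grant (best effort, logged as a warning).
                    User user = grant.getUser();
                    try {
                        user = this.userService.getUserByDn(grant.getUserDn(), new String[0]);
                    } catch (EntryPersistenceException e) {
                        this.log.warn("Failed to reload user entry: '{0}'", grant.getUserDn());
                    }

                    if (grant.getClient() != null
                            && grant.getClient().getUserInfoEncryptedResponseAlg() != null
                            && grant.getClient().getUserInfoEncryptedResponseEnc() != null) {
                        KeyEncryptionAlgorithm keyAlgorithm = KeyEncryptionAlgorithm.fromName(grant.getClient().getUserInfoEncryptedResponseAlg());
                        BlockEncryptionAlgorithm blockAlgorithm = BlockEncryptionAlgorithm.fromName(grant.getClient().getUserInfoEncryptedResponseEnc());
                        builder.type("application/jwt");
                        builder.entity(getJweResponse(keyAlgorithm, blockAlgorithm, user, grant, grant.getScopes()));
                    } else if (grant.getClient() == null || grant.getClient().getUserInfoSignedResponseAlg() == null) {
                        builder.type("application/json;charset=UTF-8");
                        builder.entity(getJSonResponse(user, grant, grant.getScopes()));
                    } else {
                        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(grant.getClient().getUserInfoSignedResponseAlg());
                        builder.type("application/jwt");
                        builder.entity(getJwtResponse(signatureAlgorithm, user, grant, grant.getScopes()));
                    }
                } else {
                    builder = Response.status(403);
                    builder.entity(this.errorResponseFactory.getErrorAsJson(UserInfoErrorResponseType.INSUFFICIENT_SCOPE));
                    auditLog.updateOAuth2AuditLog(grant, false);
                }
            }
        } catch (Exception e) {
            // One handler for every failure: the specific catch clauses that used to follow a
            // catch of Exception were unreachable and all did exactly this. The response
            // carries no entity, so no internal detail reaches the caller.
            builder = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
            this.log.error(e.getMessage(), e);
        }
        this.applicationAuditLogger.sendMessage(auditLog);
        return builder.build();
    }

    /**
     * Builds the UserInfo response as a signed JWT.
     *
     * @param signatureAlgorithm algorithm registered by the client for signed responses
     * @param user               user whose attributes are read
     * @param authorizationGrant grant resolved from the access token
     * @param collection         display names of the scopes granted to the token
     * @return the serialized, signed token
     * @throws Exception if a claim cannot be read or the token cannot be signed
     */
    public String getJwtResponse(SignatureAlgorithm signatureAlgorithm, User user, AuthorizationGrant authorizationGrant, Collection<String> collection) throws Exception {
        Jwt jwt = new Jwt();
        AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(this.appConfiguration);
        jwt.getHeader().setType(JwtType.JWT);
        jwt.getHeader().setAlgorithm(signatureAlgorithm);
        String keyId = cryptoProvider.getKeyId(this.webKeysConfiguration, signatureAlgorithm);
        if (keyId != null) {
            jwt.getHeader().setKeyId(keyId);
        }

        // Claims released through the granted scopes; dynamic scopes are collected and
        // handed to the external scripts further down.
        List<Scope> dynamicScopes = new ArrayList<Scope>();
        for (String scopeName : collection) {
            Scope scope = this.scopeService.getScopeByDisplayName(scopeName);
            if (scope == null) {
                // A scope name that no longer resolves releases no claims.
                continue;
            }
            if (ScopeType.DYNAMIC == scope.getScopeType()) {
                dynamicScopes.add(scope);
            } else if (scope.getOxAuthClaims() != null) {
                for (String claimDn : scope.getOxAuthClaims()) {
                    GluuAttribute attribute = this.attributeService.getAttributeByDn(claimDn);
                    if (attribute == null) {
                        continue;
                    }
                    String claimName = attribute.getOxAuthClaimName();
                    String attributeName = attribute.getName();
                    if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(attributeName)) {
                        jwt.getClaims().setClaim(claimName, attributeName.equals("uid") ? user.getUserId() : user.getAttribute(attribute.getName()));
                    }
                }
            }
        }

        // Claims named in the userinfo member of the request object, when one was sent.
        if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
            for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
                GluuAttribute attribute = this.attributeService.getByClaimName(claim.getName());
                if (attribute == null) {
                    continue;
                }
                Object value = user.getAttribute(attribute.getName(), true);
                if (value == null) {
                    continue;
                }
                if (value instanceof JSONArray) {
                    jwt.getClaims().setClaim(claim.getName(), toStringList((JSONArray) value));
                } else {
                    jwt.getClaims().setClaim(claim.getName(), (String) value);
                }
            }
        }

        jwt.getClaims().setSubjectIdentifier(resolveSubjectIdentifier(authorizationGrant));

        if (dynamicScopes.size() > 0 && this.externalDynamicScopeService.isEnabled()) {
            this.externalDynamicScopeService.executeExternalUpdateMethods(new DynamicScopeExternalContext(dynamicScopes, jwt, new UnmodifiableAuthorizationGrant(authorizationGrant)));
        }

        // Sign last, so that every claim added above is covered by the signature.
        jwt.setEncodedSignature(cryptoProvider.sign(jwt.getSigningInput(), jwt.getHeader().getKeyId(), authorizationGrant.getClient().getClientSecret(), signatureAlgorithm));
        return jwt.toString();
    }

    /**
     * Builds the UserInfo response as an encrypted JWE.
     *
     * @param keyEncryptionAlgorithm   key-management algorithm registered by the client
     * @param blockEncryptionAlgorithm content-encryption algorithm registered by the client
     * @param user                     user whose attributes are read
     * @param authorizationGrant       grant resolved from the access token
     * @param collection               display names of the scopes granted to the token
     * @return the serialized, encrypted token
     * @throws InvalidJweException if no usable client key is found, encryption fails, or the
     *                             key-management algorithm is not one handled here
     * @throws Exception           if a claim cannot be read
     */
    public String getJweResponse(KeyEncryptionAlgorithm keyEncryptionAlgorithm, BlockEncryptionAlgorithm blockEncryptionAlgorithm, User user, AuthorizationGrant authorizationGrant, Collection<String> collection) throws Exception {
        Jwe jwe = new Jwe();
        jwe.getHeader().setType(JwtType.JWT);
        jwe.getHeader().setAlgorithm(keyEncryptionAlgorithm);
        jwe.getHeader().setEncryptionMethod(blockEncryptionAlgorithm);

        // Claims released through the granted scopes; dynamic scopes are collected and
        // handed to the external scripts further down.
        List<Scope> dynamicScopes = new ArrayList<Scope>();
        for (String scopeName : collection) {
            Scope scope = this.scopeService.getScopeByDisplayName(scopeName);
            if (scope == null) {
                // A scope name that no longer resolves releases no claims.
                continue;
            }
            if (ScopeType.DYNAMIC == scope.getScopeType()) {
                dynamicScopes.add(scope);
            } else if (scope.getOxAuthClaims() != null) {
                for (String claimDn : scope.getOxAuthClaims()) {
                    GluuAttribute attribute = this.attributeService.getAttributeByDn(claimDn);
                    if (attribute == null) {
                        continue;
                    }
                    String claimName = attribute.getOxAuthClaimName();
                    String attributeName = attribute.getName();
                    if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(attributeName)) {
                        jwe.getClaims().setClaim(claimName, attributeName.equals("uid") ? user.getUserId() : user.getAttribute(attribute.getName()));
                    }
                }
            }
        }

        // Claims named in the userinfo member of the request object, when one was sent.
        if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
            for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
                GluuAttribute attribute = this.attributeService.getByClaimName(claim.getName());
                if (attribute == null) {
                    continue;
                }
                Object value = user.getAttribute(attribute.getName(), true);
                if (value == null) {
                    continue;
                }
                if (value instanceof JSONArray) {
                    jwe.getClaims().setClaim(claim.getName(), toStringList((JSONArray) value));
                } else {
                    jwe.getClaims().setClaim(claim.getName(), (String) value);
                }
            }
        }

        jwe.getClaims().setSubjectIdentifier(resolveSubjectIdentifier(authorizationGrant));

        if (dynamicScopes.size() > 0 && this.externalDynamicScopeService.isEnabled()) {
            this.externalDynamicScopeService.executeExternalUpdateMethods(new DynamicScopeExternalContext(dynamicScopes, jwe, new UnmodifiableAuthorizationGrant(authorizationGrant)));
        }

        if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
            // NOTE(review): this is an outbound fetch of the client-registered jwks_uri made
            // while serving the request; confirm JwtUtil limits scheme, destination and time.
            JSONObject clientKeys = JwtUtil.getJSONWebKeys(authorizationGrant.getClient().getJwksUri());
            AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(this.appConfiguration);
            // NOTE(review): the encryption key is looked up under the RS256 signature
            // algorithm; confirm that this picks a key the client published for encryption.
            String clientKeyId = cryptoProvider.getKeyId(JSONWebKeySet.fromJSONObject(clientKeys), SignatureAlgorithm.RS256);
            PublicKey publicKey = cryptoProvider.getPublicKey(clientKeyId, clientKeys);
            if (publicKey == null) {
                throw new InvalidJweException("The public key is not valid");
            }
            jwe = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, publicKey).encrypt(jwe);
        } else if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A128KW || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW) {
            try {
                // The UTF-8 bytes of the client secret are handed to the encrypter as the
                // shared key for the AES key-wrap algorithms.
                jwe = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, authorizationGrant.getClient().getClientSecret().getBytes("UTF-8")).encrypt(jwe);
            } catch (Exception e) {
                throw new InvalidJweException(e);
            }
        } else {
            // Fail closed: none of the branches above ran, so the token was never passed
            // through the encrypter and must not be returned as if it had been.
            throw new InvalidJweException("The key encryption algorithm is not supported: " + keyEncryptionAlgorithm);
        }
        return jwe.toString();
    }

    /**
     * Builds the UserInfo response as plain JSON.
     *
     * @param user               user whose attributes are read
     * @param authorizationGrant grant resolved from the access token
     * @param collection         display names of the scopes granted to the token
     * @return the serialized JSON document
     * @throws Exception if a claim cannot be read
     */
    public String getJSonResponse(User user, AuthorizationGrant authorizationGrant, Collection<String> collection) throws Exception {
        JsonWebResponse jsonWebResponse = new JsonWebResponse();

        List<Scope> dynamicScopes = new ArrayList<Scope>();
        for (String scopeName : collection) {
            Scope scope = this.scopeService.getScopeByDisplayName(scopeName);
            if (scope == null) {
                // Previously a null scope passed the first check and was dereferenced right
                // after; a scope name that no longer resolves simply releases no claims.
                continue;
            }
            if (ScopeType.DYNAMIC == scope.getScopeType()) {
                dynamicScopes.add(scope);
                continue;
            }
            Map<String, Object> claims = getClaims(user, scope);
            if (scope.getIsOxAuthGroupClaims()) {
                // Group scopes are emitted as one nested object named after the scope.
                JwtSubClaimObject groupClaim = new JwtSubClaimObject();
                groupClaim.setName(scope.getDisplayName());
                for (Map.Entry<String, Object> entry : claims.entrySet()) {
                    Object value = entry.getValue();
                    if (value instanceof List) {
                        groupClaim.setClaim(entry.getKey(), (List) value);
                    } else {
                        groupClaim.setClaim(entry.getKey(), (String) value);
                    }
                }
                jsonWebResponse.getClaims().setClaim(scope.getDisplayName(), groupClaim);
            } else {
                for (Map.Entry<String, Object> entry : claims.entrySet()) {
                    Object value = entry.getValue();
                    if (value instanceof List) {
                        jsonWebResponse.getClaims().setClaim(entry.getKey(), (List) value);
                    } else {
                        jsonWebResponse.getClaims().setClaim(entry.getKey(), (String) value);
                    }
                }
            }
            // Provisional value only: the subject is set again below from the client's
            // subject type, so a pairwise client does not receive the inum.
            jsonWebResponse.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute("inum"));
        }

        // Claims named in the userinfo member of the request object, when one was sent.
        if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
            for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
                GluuAttribute attribute = this.attributeService.getByClaimName(claim.getName());
                if (attribute == null) {
                    continue;
                }
                Object value = user.getAttribute(attribute.getName(), true);
                if (value == null) {
                    continue;
                }
                if (value instanceof JSONArray) {
                    jsonWebResponse.getClaims().setClaim(claim.getName(), toStringList((JSONArray) value));
                } else {
                    jsonWebResponse.getClaims().setClaim(claim.getName(), (String) value);
                }
            }
        }

        jsonWebResponse.getClaims().setSubjectIdentifier(resolveSubjectIdentifier(authorizationGrant));

        if (dynamicScopes.size() > 0 && this.externalDynamicScopeService.isEnabled()) {
            this.externalDynamicScopeService.executeExternalUpdateMethods(new DynamicScopeExternalContext(dynamicScopes, jsonWebResponse, new UnmodifiableAuthorizationGrant(authorizationGrant)));
        }
        return jsonWebResponse.toString();
    }

    /**
     * Collects the claims that a scope releases for a user.
     *
     * @param user  user whose attributes are read
     * @param scope scope listing the attribute DNs to release; may be {@code null}
     * @return claim name mapped to a {@code String} or, for multi-valued attributes, a
     *         {@code List<String>}; empty when the scope is {@code null} or lists no claims
     * @throws InvalidClaimException declared by the original signature; kept for callers
     */
    public Map<String, Object> getClaims(User user, Scope scope) throws InvalidClaimException {
        Map<String, Object> claims = new HashMap<String, Object>();
        if (scope == null || scope.getOxAuthClaims() == null) {
            return claims;
        }
        for (String claimDn : scope.getOxAuthClaims()) {
            GluuAttribute attribute = this.attributeService.getAttributeByDn(claimDn);
            if (attribute == null) {
                continue;
            }
            String claimName = attribute.getOxAuthClaimName();
            String attributeName = attribute.getName();
            if (StringUtils.isBlank(claimName) || StringUtils.isBlank(attributeName)) {
                continue;
            }
            // Held as Object: the two-argument getAttribute can yield a JSONArray for a
            // multi-valued attribute, which a String-typed variable could never match.
            Object value = attributeName.equals("uid") ? user.getUserId() : user.getAttribute(attribute.getName(), true);
            if (value == null) {
                continue;
            }
            if (value instanceof JSONArray) {
                claims.put(claimName, toStringList((JSONArray) value));
            } else {
                claims.put(claimName, value);
            }
        }
        return claims;
    }

    /**
     * Returns the subject identifier for the grant's client: the configured OpenID subject
     * attribute of the user, or, for clients registered with the pairwise subject type, an
     * identifier bound to the client's sector (created and stored on first use).
     */
    private String resolveSubjectIdentifier(AuthorizationGrant authorizationGrant) throws Exception {
        if (authorizationGrant.getClient().getSubjectType() == null
                || !SubjectType.fromString(authorizationGrant.getClient().getSubjectType()).equals(SubjectType.PAIRWISE)) {
            return authorizationGrant.getUser().getAttribute(this.appConfiguration.getOpenidSubAttribute());
        }
        // The sector is the registered sector identifier URI, else the first redirect URI.
        String sectorIdentifierUri = StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())
                ? authorizationGrant.getClient().getSectorIdentifierUri()
                : authorizationGrant.getClient().getRedirectUris()[0];
        String userInum = authorizationGrant.getUser().getAttribute("inum");
        PairwiseIdentifier pairwiseIdentifier = this.pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri);
        if (pairwiseIdentifier == null) {
            // NOTE(review): find-then-add is not atomic here; confirm the service keeps two
            // concurrent first requests from storing different identifiers for one sector.
            pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
            pairwiseIdentifier.setId(UUID.randomUUID().toString());
            pairwiseIdentifier.setDn(this.pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
            this.pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
        }
        return pairwiseIdentifier.getId();
    }

    /** Copies the elements of a JSON array into a list of strings, skipping null results. */
    private static List<String> toStringList(JSONArray jsonArray) {
        List<String> values = new ArrayList<String>();
        for (int i = 0; i < jsonArray.length(); i++) {
            String value = jsonArray.optString(i);
            if (value != null) {
                values.add(value);
            }
        }
        return values;
    }
}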
