package pl.edu.icm.unity.oauth.client;

import com.google.common.base.Strings;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseMode;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.AccessTokenType;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import eu.unicore.util.configuration.ConfigurationException;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import net.minidev.json.JSONObject;
import org.apache.http.client.utils.URIBuilder;
import org.apache.logging.log4j.Logger;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.MultiMap;
import org.eclipse.jetty.util.UrlEncoded;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.authn.AbstractCredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.CredentialVerificator;
import pl.edu.icm.unity.engine.api.authn.remote.AbstractRemoteVerificator;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteAttribute;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteAuthnResultProcessor;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteIdentity;
import pl.edu.icm.unity.engine.api.authn.remote.RemotelyAuthenticatedInput;
import pl.edu.icm.unity.engine.api.endpoint.SharedEndpointManagement;
import pl.edu.icm.unity.engine.api.server.AdvertisedAddressProvider;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.oauth.BaseRemoteASProperties;
import pl.edu.icm.unity.oauth.as.token.OAuthTokenEndpoint;
import pl.edu.icm.unity.oauth.as.token.RevocationResource;
import pl.edu.icm.unity.oauth.as.token.TokenInfoResource;
import pl.edu.icm.unity.oauth.client.config.CustomProviderProperties;
import pl.edu.icm.unity.oauth.client.config.OAuthClientProperties;
import pl.edu.icm.unity.oauth.client.profile.ProfileFetcherUtils;
import pl.edu.icm.unity.types.authn.ExpectedIdentity;

@PrototypeComponent
/* loaded from: input_file:pl/edu/icm/unity/oauth/client/OAuth2Verificator.class */
public class OAuth2Verificator extends AbstractRemoteVerificator implements OAuthExchange {
    private static final Logger log = Log.getLogger("unity.server.oauth", OAuth2Verificator.class);
    public static final String NAME = "oauth2";
    public static final String DESC = "Handles OAuth2 tokens obtained from remote OAuth providers. Queries about additional user information.";
    public static final String DEFAULT_TOKEN_EXPIRATION = "3600";
    private OAuthClientProperties config;
    private final String responseConsumerAddress;
    private final OAuthContextsManagement contextManagement;
    private final PKIManagement pkiManagement;
    private OpenIdProviderMetadataManager metadataManager;

    @Component
    /* loaded from: input_file:pl/edu/icm/unity/oauth/client/OAuth2Verificator$Factory.class */
    public static class Factory extends AbstractCredentialVerificatorFactory {
        @Autowired
        public Factory(ObjectFactory<OAuth2Verificator> objectFactory, SharedEndpointManagement sharedEndpointManagement, OAuthContextsManagement oAuthContextsManagement) throws EngineException {
            super(OAuth2Verificator.NAME, OAuth2Verificator.DESC, objectFactory);
            sharedEndpointManagement.deployInternalEndpointServlet(ResponseConsumerServlet.PATH, new ServletHolder(new ResponseConsumerServlet(oAuthContextsManagement)), false);
        }
    }

    @Autowired
    public OAuth2Verificator(AdvertisedAddressProvider advertisedAddressProvider, SharedEndpointManagement sharedEndpointManagement, OAuthContextsManagement oAuthContextsManagement, PKIManagement pKIManagement, RemoteAuthnResultProcessor remoteAuthnResultProcessor) {
        super(NAME, DESC, OAuthExchange.ID, remoteAuthnResultProcessor);
        this.responseConsumerAddress = advertisedAddressProvider.get() + sharedEndpointManagement.getBaseContextPath() + ResponseConsumerServlet.PATH;
        this.contextManagement = oAuthContextsManagement;
        this.pkiManagement = pKIManagement;
    }

    public String getSerializedConfiguration() {
        StringWriter stringWriter = new StringWriter();
        try {
            this.config.getProperties().store(stringWriter, OAuthTokenEndpoint.PATH);
            return stringWriter.toString();
        } catch (IOException e) {
            throw new InternalException("Can't serialize OAuth2 verificator configuration", e);
        }
    }

    public void setSerializedConfiguration(String str) {
        try {
            Properties properties = new Properties();
            properties.load(new StringReader(str));
            this.config = new OAuthClientProperties(properties, this.pkiManagement);
            this.metadataManager = new OpenIdProviderMetadataManager();
            for (String str2 : this.config.getStructuredListKeys(OAuthClientProperties.PROVIDERS)) {
                if (this.config.getProvider(str2).getBooleanValue(CustomProviderProperties.OPENID_CONNECT).booleanValue()) {
                    this.metadataManager.addProvider(this.config.getProvider(str2).getValue(CustomProviderProperties.OPENID_DISCOVERY));
                }
            }
        } catch (IOException e) {
            throw new InternalException("Invalid configuration of the OAuth2 verificator(?)", e);
        } catch (ConfigurationException e2) {
            throw new InternalException("Invalid configuration of the OAuth2 verificator", e2);
        }
    }

    @Override // pl.edu.icm.unity.oauth.client.OAuthExchange
    public OAuthClientProperties getSettings() {
        return this.config;
    }

    @Override // pl.edu.icm.unity.oauth.client.OAuthExchange
    public OAuthContext createRequest(String str, Optional<ExpectedIdentity> optional) throws URISyntaxException, ParseException, IOException {
        AuthenticationRequest authorizationRequest;
        CustomProviderProperties provider = this.config.getProvider(str);
        String value = provider.getValue(BaseRemoteASProperties.CLIENT_ID);
        String value2 = provider.getValue(CustomProviderProperties.PROVIDER_LOCATION);
        String value3 = provider.getValue(CustomProviderProperties.SCOPES);
        boolean booleanValue = provider.getBooleanValue(CustomProviderProperties.OPENID_CONNECT).booleanValue();
        OAuthContext oAuthContext = new OAuthContext();
        if (booleanValue) {
            if (Strings.isNullOrEmpty(value2)) {
                OIDCProviderMetadata metadata = this.metadataManager.getMetadata(provider.getValue(CustomProviderProperties.OPENID_DISCOVERY), provider);
                if (metadata.getAuthorizationEndpointURI() == null) {
                    throw new ConfigurationException("The authorization endpoint address is not set and it is not available in the discovered OpenID Provider metadata.");
                }
                value2 = metadata.getAuthorizationEndpointURI().toString();
            }
            AuthenticationRequest.Builder builder = new AuthenticationRequest.Builder(new ResponseType(new ResponseType.Value[]{ResponseType.Value.CODE}), Scope.parse(value3), new ClientID(value), new URI(this.responseConsumerAddress));
            builder.state(new State(oAuthContext.getRelayState())).endpointURI(new URI(value2));
            if (optional.isPresent()) {
                builder.loginHint(optional.get().getIdentity());
                oAuthContext.setExpectedIdentity(optional.get());
            }
            authorizationRequest = builder.build();
        } else {
            authorizationRequest = new AuthorizationRequest(new URI(value2), new ResponseType(new ResponseType.Value[]{ResponseType.Value.CODE}), (ResponseMode) null, new ClientID(value), new URI(this.responseConsumerAddress), value3 == null ? null : Scope.parse(value3), new State(oAuthContext.getRelayState()));
        }
        URIBuilder uRIBuilder = new URIBuilder(authorizationRequest.toURI());
        uRIBuilder.addParameters(provider.getAdditionalAuthzParams());
        oAuthContext.setRequest(authorizationRequest, uRIBuilder.build(), str);
        this.contextManagement.addAuthnContext(oAuthContext);
        return oAuthContext;
    }

    @Override // pl.edu.icm.unity.oauth.client.OAuthExchange
    public AuthenticationResult verifyOAuthAuthzResponse(OAuthContext oAuthContext) throws AuthenticationException {
        AbstractRemoteVerificator.RemoteAuthnState startAuthnResponseProcessing = startAuthnResponseProcessing(oAuthContext.getSandboxCallback(), new String[]{"unity.server.externaltranslation", "unity.server.oauth"});
        try {
            RemotelyAuthenticatedInput remotelyAuthenticatedInput = getRemotelyAuthenticatedInput(oAuthContext);
            verifyExpectedIdentity(remotelyAuthenticatedInput, oAuthContext.getExpectedIdentity());
            return getResult(remotelyAuthenticatedInput, getTranslationProfile(this.config.getProvider(oAuthContext.getProviderConfigKey()), "translationProfile", "embeddedTranslationProfile"), startAuthnResponseProcessing);
        } catch (Exception e) {
            finishAuthnResponseProcessing(startAuthnResponseProcessing, e);
            throw e;
        }
    }

    private void verifyExpectedIdentity(RemotelyAuthenticatedInput remotelyAuthenticatedInput, ExpectedIdentity expectedIdentity) {
        if (expectedIdentity == null || expectedIdentity.getExpectation() == ExpectedIdentity.IdentityExpectation.HINT) {
            return;
        }
        String identity = expectedIdentity.getIdentity();
        if (remotelyAuthenticatedInput.getIdentities().values().stream().filter(remoteIdentity -> {
            return remoteIdentity.getName().equals(identity);
        }).findAny().isPresent() || remotelyAuthenticatedInput.getAttributes().values().stream().filter(remoteAttribute -> {
            return remoteAttribute.getName().equals("email");
        }).filter(remoteAttribute2 -> {
            return remoteAttribute2.getValues().contains(identity);
        }).findAny().isPresent()) {
            return;
        }
        log.debug("Failing OAuth authentication as expected&mandatory identity {} was not found in received user data: {}", identity, remotelyAuthenticatedInput.getTextDump());
        throw new UnexpectedIdentityException(identity);
    }

    private RemotelyAuthenticatedInput getRemotelyAuthenticatedInput(OAuthContext oAuthContext) throws AuthenticationException {
        String errorCode = oAuthContext.getErrorCode();
        if (errorCode != null) {
            throw new AuthenticationException("OAuth provider returned an error: " + errorCode + (oAuthContext.getErrorDescription() != null ? " " + oAuthContext.getErrorDescription() : OAuthTokenEndpoint.PATH));
        }
        try {
            return convertInput(oAuthContext, this.config.getProvider(oAuthContext.getProviderConfigKey()).getBooleanValue(CustomProviderProperties.OPENID_CONNECT).booleanValue() ? getAccessTokenAndProfileOpenIdConnect(oAuthContext) : getAccessTokenAndProfilePlain(oAuthContext));
        } catch (Exception e) {
            throw new AuthenticationException("Problem during user information retrieval", e);
        }
    }

    private CustomProviderProperties.AccessTokenFormat getAccessTokenFormat(OAuthContext oAuthContext) {
        return (CustomProviderProperties.AccessTokenFormat) this.config.getProvider(oAuthContext.getProviderConfigKey()).getEnumValue(CustomProviderProperties.ACCESS_TOKEN_FORMAT, CustomProviderProperties.AccessTokenFormat.class);
    }

    private HTTPResponse retrieveAccessTokenGeneric(OAuthContext oAuthContext, String str, CustomProviderProperties.ClientAuthnMode clientAuthnMode) throws IOException, URISyntaxException {
        HTTPRequest secureRequest = new HttpRequestConfigurer().secureRequest(new TokenRequest(new URI(str), getClientAuthentication(this.config.getProvider(oAuthContext.getProviderConfigKey()).getValue(BaseRemoteASProperties.CLIENT_ID), this.config.getProvider(oAuthContext.getProviderConfigKey()).getValue(BaseRemoteASProperties.CLIENT_SECRET), clientAuthnMode), new AuthorizationCodeGrant(new AuthorizationCode(oAuthContext.getAuthzCode()), new URI(this.responseConsumerAddress))).toHTTPRequest(), oAuthContext, this.config);
        if (getAccessTokenFormat(oAuthContext) == CustomProviderProperties.AccessTokenFormat.standard) {
            secureRequest.setAccept("application/json");
        }
        if (log.isTraceEnabled()) {
            log.trace("Exchanging authorization code for access token with request to: " + secureRequest.getURL() + "?" + secureRequest.getQuery().replaceFirst("client_secret=[^&]*", "client_secret=xxxxxx"));
        } else if (log.isDebugEnabled()) {
            log.debug("Exchanging authorization code for access token with request to: " + secureRequest.getURL());
        }
        HTTPResponse send = secureRequest.send();
        log.debug("Received answer: {}", Integer.valueOf(send.getStatusCode()));
        if (send.getStatusCode() != 200) {
            log.debug("Error received. Contents: {}", send.getContent());
        } else {
            log.trace("Received token: {}", send.getContent().trim());
        }
        return send;
    }

    private ClientAuthentication getClientAuthentication(String str, String str2, CustomProviderProperties.ClientAuthnMode clientAuthnMode) {
        switch (clientAuthnMode) {
            case secretPost:
                return new ClientSecretPost(new ClientID(str), new Secret(str2));
            case secretBasic:
            default:
                return new ClientSecretBasic(new ClientID(str), new Secret(str2));
        }
    }

    private AttributeFetchResult getAccessTokenAndProfileOpenIdConnect(OAuthContext oAuthContext) throws Exception {
        CustomProviderProperties provider = this.config.getProvider(oAuthContext.getProviderConfigKey());
        OIDCProviderMetadata metadata = this.metadataManager.getMetadata(provider.getValue(CustomProviderProperties.OPENID_DISCOVERY), provider);
        String value = provider.getValue(CustomProviderProperties.ACCESS_TOKEN_ENDPOINT);
        if (value == null) {
            if (metadata.getTokenEndpointURI() == null) {
                throw new AuthenticationException("The access token endpoint is not set in provider's metadata and it is not configured manually");
            }
            value = metadata.getTokenEndpointURI().toString();
        }
        OIDCTokenResponse parse = OIDCTokenResponse.parse(retrieveAccessTokenGeneric(oAuthContext, value, establishOpenIDAuthnMode(metadata, provider)));
        BearerAccessToken extractAccessToken = extractAccessToken(parse);
        Map<String, List<String>> convertToAttributes = ProfileFetcherUtils.convertToAttributes(new JSONObject(parse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaims()));
        List<String> userInfoEndpoints = provider.getUserInfoEndpoints();
        if (userInfoEndpoints.isEmpty() && metadata.getUserInfoEndpointURI() != null) {
            userInfoEndpoints.add(metadata.getUserInfoEndpointURI().toString());
        }
        return fetchUserAttributes(provider, extractAccessToken, convertToAttributes, userInfoEndpoints);
    }

    private CustomProviderProperties.ClientAuthnMode establishOpenIDAuthnMode(OIDCProviderMetadata oIDCProviderMetadata, CustomProviderProperties customProviderProperties) throws AuthenticationException {
        CustomProviderProperties.ClientAuthnMode clientAuthnMode = CustomProviderProperties.ClientAuthnMode.secretBasic;
        if (customProviderProperties.isSet(BaseRemoteASProperties.CLIENT_AUTHN_MODE)) {
            clientAuthnMode = (CustomProviderProperties.ClientAuthnMode) customProviderProperties.getEnumValue(BaseRemoteASProperties.CLIENT_AUTHN_MODE, CustomProviderProperties.ClientAuthnMode.class);
        } else {
            List tokenEndpointAuthMethods = oIDCProviderMetadata.getTokenEndpointAuthMethods();
            if (tokenEndpointAuthMethods != null) {
                clientAuthnMode = null;
                Iterator it = tokenEndpointAuthMethods.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    ClientAuthenticationMethod clientAuthenticationMethod = (ClientAuthenticationMethod) it.next();
                    if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientAuthenticationMethod)) {
                        clientAuthnMode = CustomProviderProperties.ClientAuthnMode.secretPost;
                        break;
                    }
                    if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientAuthenticationMethod)) {
                        clientAuthnMode = CustomProviderProperties.ClientAuthnMode.secretBasic;
                        break;
                    }
                }
                if (clientAuthnMode == null) {
                    throw new AuthenticationException("Client authentication metods supported by the provider (" + tokenEndpointAuthMethods + ") do not include any of methods supported by Unity.");
                }
            }
        }
        return clientAuthnMode;
    }

    private AttributeFetchResult getAccessTokenAndProfilePlain(OAuthContext oAuthContext) throws Exception {
        BearerAccessToken bearerAccessToken;
        CustomProviderProperties provider = this.config.getProvider(oAuthContext.getProviderConfigKey());
        HTTPResponse retrieveAccessTokenGeneric = retrieveAccessTokenGeneric(oAuthContext, provider.getValue(CustomProviderProperties.ACCESS_TOKEN_ENDPOINT), (CustomProviderProperties.ClientAuthnMode) provider.getEnumValue(BaseRemoteASProperties.CLIENT_AUTHN_MODE, CustomProviderProperties.ClientAuthnMode.class));
        HashMap hashMap = new HashMap();
        if (getAccessTokenFormat(oAuthContext) == CustomProviderProperties.AccessTokenFormat.standard) {
            JSONObject contentAsJSONObject = retrieveAccessTokenGeneric.getContentAsJSONObject();
            if (!contentAsJSONObject.containsKey("token_type")) {
                contentAsJSONObject.put("token_type", AccessTokenType.BEARER.getValue());
            }
            AccessTokenResponse parse = AccessTokenResponse.parse(contentAsJSONObject);
            bearerAccessToken = extractAccessToken(parse);
            extractUserInfoFromStandardAccessToken(parse, hashMap);
        } else {
            if (retrieveAccessTokenGeneric.getStatusCode() != 200) {
                throw new AuthenticationException("Exchange of authorization code for access token failed: " + retrieveAccessTokenGeneric.getContent());
            }
            MultiMap<String> multiMap = new MultiMap<>();
            UrlEncoded.decodeTo(retrieveAccessTokenGeneric.getContent().trim(), multiMap, "UTF-8");
            String string = multiMap.getString(RevocationResource.TOKEN_TYPE_ACCESS);
            if (string == null) {
                throw new AuthenticationException("Access token answer received doesn't contain 'access_token' parameter.");
            }
            String string2 = multiMap.getString("expires");
            if (string2 == null) {
                string2 = multiMap.getString("expires_in");
            }
            if (string2 == null) {
                log.debug("AS didn't provide expiration time, assuming default value 3600");
                string2 = DEFAULT_TOKEN_EXPIRATION;
            }
            bearerAccessToken = new BearerAccessToken(string, Long.parseLong(string2), (Scope) null);
            extractUserInfoFromHttpParamsAccessToken(multiMap, hashMap);
        }
        return fetchUserAttributes(provider, bearerAccessToken, hashMap, provider.getUserInfoEndpoints());
    }

    private AttributeFetchResult fetchUserAttributes(CustomProviderProperties customProviderProperties, BearerAccessToken bearerAccessToken, Map<String, List<String>> map, List<String> list) throws Exception {
        UserProfileFetcher userAttributesResolver = customProviderProperties.getUserAttributesResolver();
        AttributeFetchResult attributeFetchResult = new AttributeFetchResult();
        if (userAttributesResolver != null) {
            Iterator<String> it = list.iterator();
            while (it.hasNext()) {
                attributeFetchResult = attributeFetchResult.mergeWith(userAttributesResolver.fetchProfile(bearerAccessToken, it.next(), customProviderProperties, map));
            }
        }
        attributeFetchResult.getAttributes().putAll(map);
        log.debug("Received the following attributes from the OAuth provider: {}", attributeFetchResult.getAttributes());
        return attributeFetchResult;
    }

    private void extractUserInfoFromStandardAccessToken(AccessTokenResponse accessTokenResponse, Map<String, List<String>> map) {
        for (Map.Entry entry : accessTokenResponse.getCustomParameters().entrySet()) {
            if (!attributeIgnored((String) entry.getKey())) {
                map.put((String) entry.getKey(), Arrays.asList(entry.getValue().toString()));
            }
        }
    }

    private void extractUserInfoFromHttpParamsAccessToken(MultiMap<String> multiMap, Map<String, List<String>> map) {
        for (Map.Entry entry : multiMap.entrySet()) {
            String str = (String) entry.getKey();
            List<String> list = (List) entry.getValue();
            if (!attributeIgnored(str) && !list.isEmpty()) {
                map.put(str, list);
            }
        }
    }

    private boolean attributeIgnored(String str) {
        return str.equals(RevocationResource.TOKEN_TYPE_ACCESS) || str.equals("expires") || str.equals("expires_in") || str.equals("id_token");
    }

    private BearerAccessToken extractAccessToken(AccessTokenResponse accessTokenResponse) throws AuthenticationException {
        BearerAccessToken accessToken = accessTokenResponse.getTokens().getAccessToken();
        if (accessToken instanceof BearerAccessToken) {
            return accessToken;
        }
        throw new AuthenticationException("OAuth provider returned an access token which is not the bearer token, it is unsupported and most probably a problem on the provider side. The received token type is: " + accessToken.getType().toString());
    }

    private RemotelyAuthenticatedInput convertInput(OAuthContext oAuthContext, AttributeFetchResult attributeFetchResult) {
        CustomProviderProperties provider = this.config.getProvider(oAuthContext.getProviderConfigKey());
        String value = provider.getValue(CustomProviderProperties.ACCESS_TOKEN_ENDPOINT);
        String value2 = provider.getValue(CustomProviderProperties.OPENID_DISCOVERY);
        if (value == null && value2 != null) {
            try {
                value = this.metadataManager.getMetadata(value2, provider).getTokenEndpointURI().toString();
            } catch (Exception e) {
                log.warn("Can't obtain OIDC metadata", e);
            }
        }
        if (value == null) {
            value = "unknown";
        }
        RemotelyAuthenticatedInput remotelyAuthenticatedInput = new RemotelyAuthenticatedInput(value);
        for (Map.Entry<String, List<String>> entry : attributeFetchResult.getAttributes().entrySet()) {
            remotelyAuthenticatedInput.addAttribute(new RemoteAttribute(entry.getKey(), entry.getValue().toArray()));
            if (entry.getKey().equals(TokenInfoResource.SUBJECT) && !entry.getValue().isEmpty()) {
                remotelyAuthenticatedInput.addIdentity(new RemoteIdentity(entry.getValue().get(0), TokenInfoResource.SUBJECT));
            }
        }
        remotelyAuthenticatedInput.setRawAttributes(attributeFetchResult.getRawAttributes());
        return remotelyAuthenticatedInput;
    }

    public CredentialVerificator.VerificatorType getType() {
        return CredentialVerificator.VerificatorType.Remote;
    }
}
