package org.apereo.cas.oidc.config;

import com.github.benmanes.caffeine.cache.CacheLoader;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.LoadingCache;
import java.util.Collection;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.AuthenticationServiceSelectionStrategy;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.MultifactorAuthenticationProviderResolver;
import org.apereo.cas.authentication.MultifactorAuthenticationProviderSelector;
import org.apereo.cas.authentication.MultifactorAuthenticationTrigger;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.oidc.OidcWebFingerProperties;
import org.apereo.cas.logout.slo.SingleLogoutServiceLogoutUrlBuilder;
import org.apereo.cas.oidc.OidcConstants;
import org.apereo.cas.oidc.claims.BaseOidcScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcCustomScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.mapping.DefaultOidcAttributeToScopeClaimMapper;
import org.apereo.cas.oidc.claims.mapping.OidcAttributeToScopeClaimMapper;
import org.apereo.cas.oidc.discovery.OidcServerDiscoverySettings;
import org.apereo.cas.oidc.discovery.OidcServerDiscoverySettingsFactory;
import org.apereo.cas.oidc.discovery.webfinger.OidcWebFingerDiscoveryService;
import org.apereo.cas.oidc.discovery.webfinger.OidcWebFingerUserInfoRepository;
import org.apereo.cas.oidc.discovery.webfinger.userinfo.OidcEchoingWebFingerUserInfoRepository;
import org.apereo.cas.oidc.discovery.webfinger.userinfo.OidcGroovyWebFingerUserInfoRepository;
import org.apereo.cas.oidc.discovery.webfinger.userinfo.OidcRestfulWebFingerUserInfoRepository;
import org.apereo.cas.oidc.dynareg.OidcClientRegistrationRequest;
import org.apereo.cas.oidc.dynareg.OidcClientRegistrationRequestSerializer;
import org.apereo.cas.oidc.jwks.OidcDefaultJsonWebKeystoreCacheLoader;
import org.apereo.cas.oidc.jwks.OidcJsonWebKeystoreGeneratorService;
import org.apereo.cas.oidc.jwks.OidcServiceJsonWebKeystoreCacheLoader;
import org.apereo.cas.oidc.profile.OidcProfileScopeToAttributesFilter;
import org.apereo.cas.oidc.profile.OidcRegisteredServicePreProcessorEventListener;
import org.apereo.cas.oidc.profile.OidcUserProfileDataCreator;
import org.apereo.cas.oidc.token.OidcIdTokenGeneratorService;
import org.apereo.cas.oidc.token.OidcIdTokenSigningAndEncryptionService;
import org.apereo.cas.oidc.token.OidcRegisteredServiceJWTAccessTokenCipherExecutor;
import org.apereo.cas.oidc.util.OidcAuthorizationRequestSupport;
import org.apereo.cas.oidc.web.OidcAccessTokenResponseGenerator;
import org.apereo.cas.oidc.web.OidcCallbackAuthorizeViewResolver;
import org.apereo.cas.oidc.web.OidcCasClientRedirectActionBuilder;
import org.apereo.cas.oidc.web.OidcConsentApprovalViewResolver;
import org.apereo.cas.oidc.web.OidcHandlerInterceptorAdapter;
import org.apereo.cas.oidc.web.OidcImplicitIdTokenAuthorizationResponseBuilder;
import org.apereo.cas.oidc.web.OidcSecurityInterceptor;
import org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController;
import org.apereo.cas.oidc.web.controllers.discovery.OidcWellKnownEndpointController;
import org.apereo.cas.oidc.web.controllers.dynareg.OidcDynamicClientRegistrationEndpointController;
import org.apereo.cas.oidc.web.controllers.introspection.OidcIntrospectionEndpointController;
import org.apereo.cas.oidc.web.controllers.jwks.OidcJwksEndpointController;
import org.apereo.cas.oidc.web.controllers.logout.OidcLogoutEndpointController;
import org.apereo.cas.oidc.web.controllers.profile.OidcUserProfileEndpointController;
import org.apereo.cas.oidc.web.controllers.token.OidcAccessTokenEndpointController;
import org.apereo.cas.oidc.web.controllers.token.OidcRevocationEndpointController;
import org.apereo.cas.oidc.web.flow.OidcMultifactorAuthenticationTrigger;
import org.apereo.cas.oidc.web.flow.OidcRegisteredServiceUIAction;
import org.apereo.cas.oidc.web.flow.OidcWebflowConfigurer;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.RegisteredServiceCipherExecutor;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.authenticator.OAuth20CasAuthenticationBuilder;
import org.apereo.cas.support.oauth.profile.OAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.profile.OAuth20UserProfileDataCreator;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20AuthorizationRequestValidator;
import org.apereo.cas.support.oauth.validator.token.OAuth20TokenRequestValidator;
import org.apereo.cas.support.oauth.web.response.OAuth20CasClientRedirectActionBuilder;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenGrantRequestExtractor;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20AccessTokenResponseGenerator;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationResponseBuilder;
import org.apereo.cas.support.oauth.web.views.ConsentApprovalViewResolver;
import org.apereo.cas.support.oauth.web.views.OAuth20CallbackAuthorizeViewResolver;
import org.apereo.cas.support.oauth.web.views.OAuth20UserProfileViewRenderer;
import org.apereo.cas.ticket.ExpirationPolicy;
import org.apereo.cas.ticket.IdTokenGeneratorService;
import org.apereo.cas.ticket.OidcTokenSigningAndEncryptionService;
import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
import org.apereo.cas.ticket.code.OAuthCodeFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.token.JWTBuilder;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.gen.DefaultRandomStringGenerator;
import org.apereo.cas.util.serialization.StringSerializer;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.CasWebflowExecutionPlan;
import org.apereo.cas.web.flow.CasWebflowExecutionPlanConfigurer;
import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.impl.mfa.DefaultMultifactorAuthenticationProviderEventResolver;
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
import org.jose4j.jwk.RsaJsonWebKey;
import org.pac4j.cas.client.CasClient;
import org.pac4j.core.config.Config;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.core.io.ResourceLoader;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import org.springframework.web.util.CookieGenerator;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;
import org.springframework.webflow.execution.Action;

@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("oidcConfiguration")
/* loaded from: input_file:org/apereo/cas/oidc/config/OidcConfiguration.class */
public class OidcConfiguration implements WebMvcConfigurer, CasWebflowExecutionPlanConfigurer {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcConfiguration.class);

    @Autowired
    @Qualifier("accessTokenJwtBuilder")
    private ObjectProvider<JWTBuilder> accessTokenJwtBuilder;

    @Autowired
    @Qualifier("accessTokenGrantAuditableRequestExtractor")
    private ObjectProvider<AuditableExecution> accessTokenGrantAuditableRequestExtractor;

    @Autowired
    @Qualifier("defaultAuthenticationSystemSupport")
    private ObjectProvider<AuthenticationSystemSupport> authenticationSystemSupport;

    @Autowired
    @Qualifier("registeredServiceAccessStrategyEnforcer")
    private ObjectProvider<AuditableExecution> registeredServiceAccessStrategyEnforcer;

    @Autowired
    @Qualifier("oauthAuthorizationRequestValidators")
    private ObjectProvider<Set<OAuth20AuthorizationRequestValidator>> oauthRequestValidators;

    @Autowired
    @Qualifier("grantingTicketExpirationPolicy")
    private ObjectProvider<ExpirationPolicy> grantingTicketExpirationPolicy;

    @Autowired
    @Qualifier("oauthTokenGenerator")
    private ObjectProvider<OAuth20TokenGenerator> oauthTokenGenerator;

    @Autowired
    @Qualifier("oauthAuthorizationResponseBuilders")
    private ObjectProvider<Set<OAuth20AuthorizationResponseBuilder>> oauthAuthorizationResponseBuilders;

    @Autowired
    @Qualifier("webApplicationServiceFactory")
    private ObjectProvider<ServiceFactory<WebApplicationService>> webApplicationServiceFactory;

    @Autowired
    @Qualifier("accessTokenExpirationPolicy")
    private ObjectProvider<ExpirationPolicy> accessTokenExpirationPolicy;

    @Autowired
    @Qualifier("deviceTokenExpirationPolicy")
    private ObjectProvider<ExpirationPolicy> deviceTokenExpirationPolicy;

    @Autowired
    @Qualifier("requiresAuthenticationAccessTokenInterceptor")
    private ObjectProvider<SecurityInterceptor> requiresAuthenticationAccessTokenInterceptor;

    @Autowired
    @Qualifier("multifactorAuthenticationProviderSelector")
    private ObjectProvider<MultifactorAuthenticationProviderSelector> multifactorAuthenticationProviderSelector;

    @Autowired
    @Qualifier("oauthCasAuthenticationBuilder")
    private ObjectProvider<OAuth20CasAuthenticationBuilder> authenticationBuilder;

    @Autowired
    @Qualifier("warnCookieGenerator")
    private ObjectProvider<CookieGenerator> warnCookieGenerator;

    @Autowired
    @Qualifier("loginFlowRegistry")
    private ObjectProvider<FlowDefinitionRegistry> loginFlowDefinitionRegistry;

    @Autowired
    @Qualifier("logoutFlowRegistry")
    private ObjectProvider<FlowDefinitionRegistry> logoutFlowDefinitionRegistry;

    @Autowired
    private ObjectProvider<FlowBuilderServices> flowBuilderServices;

    @Autowired
    @Qualifier("initialAuthenticationAttemptWebflowEventResolver")
    private ObjectProvider<CasDelegatingWebflowEventResolver> initialAuthenticationAttemptWebflowEventResolver;

    @Autowired
    @Qualifier("centralAuthenticationService")
    private ObjectProvider<CentralAuthenticationService> centralAuthenticationService;

    @Autowired
    @Qualifier("oauth20AuthenticationRequestServiceSelectionStrategy")
    private ObjectProvider<AuthenticationServiceSelectionStrategy> oauth20AuthenticationServiceSelectionStrategy;

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    private ResourceLoader resourceLoader;

    @Autowired
    @Qualifier("singleLogoutServiceLogoutUrlBuilder")
    private ObjectProvider<SingleLogoutServiceLogoutUrlBuilder> singleLogoutServiceLogoutUrlBuilder;

    @Autowired
    @Qualifier("oauthSecConfig")
    private ObjectProvider<Config> oauthSecConfig;

    @Autowired
    @Qualifier("ticketGrantingTicketCookieGenerator")
    private ObjectProvider<CookieRetrievingCookieGenerator> ticketGrantingTicketCookieGenerator;

    @Autowired
    @Qualifier("defaultTicketRegistrySupport")
    private ObjectProvider<TicketRegistrySupport> ticketRegistrySupport;

    @Autowired
    @Qualifier("defaultAccessTokenFactory")
    private ObjectProvider<AccessTokenFactory> defaultAccessTokenFactory;

    @Autowired
    @Qualifier("servicesManager")
    private ObjectProvider<ServicesManager> servicesManager;

    @Autowired
    @Qualifier("ticketRegistry")
    private ObjectProvider<TicketRegistry> ticketRegistry;

    @Autowired
    @Qualifier("defaultOAuthCodeFactory")
    private ObjectProvider<OAuthCodeFactory> defaultOAuthCodeFactory;

    @Autowired
    private ConfigurableApplicationContext applicationContext;

    @Autowired
    private ApplicationEventPublisher applicationEventPublisher;

    @Autowired
    @Qualifier("authenticationServiceSelectionPlan")
    private ObjectProvider<AuthenticationServiceSelectionPlan> authenticationRequestServiceSelectionStrategies;

    @Autowired
    @Qualifier("oauthUserProfileViewRenderer")
    private ObjectProvider<OAuth20UserProfileViewRenderer> oauthUserProfileViewRenderer;

    @Autowired
    @Qualifier("accessTokenGrantRequestExtractors")
    private ObjectProvider<Collection<AccessTokenGrantRequestExtractor>> accessTokenGrantRequestExtractors;

    @Autowired
    @Qualifier("oauthTokenRequestValidators")
    private ObjectProvider<Collection<OAuth20TokenRequestValidator>> oauthTokenRequestValidators;

    @Autowired
    @Qualifier("multifactorAuthenticationProviderResolver")
    private ObjectProvider<MultifactorAuthenticationProviderResolver> multifactorAuthenticationProviderResolver;

    public void addInterceptors(InterceptorRegistry interceptorRegistry) {
        interceptorRegistry.addInterceptor(oauthInterceptor()).addPathPatterns(new String[]{"/" + "oidc".concat("/").concat("*")});
    }

    @Bean
    public ConsentApprovalViewResolver consentApprovalViewResolver() {
        return new OidcConsentApprovalViewResolver(this.casProperties);
    }

    @Bean
    public OAuth20CallbackAuthorizeViewResolver callbackAuthorizeViewResolver() {
        return new OidcCallbackAuthorizeViewResolver();
    }

    @Bean
    public OAuth20CasClientRedirectActionBuilder oauthCasClientRedirectActionBuilder() {
        return new OidcCasClientRedirectActionBuilder(oidcAuthorizationRequestSupport());
    }

    @Bean
    public HandlerInterceptorAdapter requiresAuthenticationDynamicRegistrationInterceptor() {
        return new SecurityInterceptor((Config) this.oauthSecConfig.getIfAvailable(), String.join(",", "clientBasicAuth", "clientForm", "userForm"));
    }

    @Bean
    public HandlerInterceptorAdapter requiresAuthenticationAuthorizeInterceptor() {
        return new OidcSecurityInterceptor((Config) this.oauthSecConfig.getIfAvailable(), ((Config) this.oauthSecConfig.getIfAvailable()).getClients().findClient(CasClient.class).getName(), oidcAuthorizationRequestSupport());
    }

    @Bean
    public OAuth20CasClientRedirectActionBuilder oidcCasClientRedirectActionBuilder() {
        return new OidcCasClientRedirectActionBuilder(oidcAuthorizationRequestSupport());
    }

    @RefreshScope
    @Bean
    public IdTokenGeneratorService oidcIdTokenGenerator() {
        return new OidcIdTokenGeneratorService(this.casProperties, oidcTokenSigningAndEncryptionService(), (ServicesManager) this.servicesManager.getIfAvailable(), (TicketRegistry) this.ticketRegistry.getIfAvailable());
    }

    @RefreshScope
    @Bean
    public OAuth20AccessTokenResponseGenerator oidcAccessTokenResponseGenerator() {
        return new OidcAccessTokenResponseGenerator(oidcIdTokenGenerator(), (JWTBuilder) this.accessTokenJwtBuilder.getIfAvailable());
    }

    @Bean
    public OidcAuthorizationRequestSupport oidcAuthorizationRequestSupport() {
        return new OidcAuthorizationRequestSupport((CookieRetrievingCookieGenerator) this.ticketGrantingTicketCookieGenerator.getIfAvailable(), (TicketRegistrySupport) this.ticketRegistrySupport.getIfAvailable());
    }

    @ConditionalOnMissingBean(name = {"oidcPrincipalFactory"})
    @Bean
    public PrincipalFactory oidcPrincipalFactory() {
        return PrincipalFactoryUtils.newPrincipalFactory();
    }

    @Bean
    public OidcAttributeToScopeClaimMapper oidcAttributeToScopeClaimMapper() {
        return new DefaultOidcAttributeToScopeClaimMapper(this.casProperties.getAuthn().getOidc().getClaimsMap());
    }

    @Bean
    public OAuth20ProfileScopeToAttributesFilter profileScopeToAttributesFilter() {
        return new OidcProfileScopeToAttributesFilter(oidcPrincipalFactory(), (ServicesManager) this.servicesManager.getIfAvailable(), userDefinedScopeBasedAttributeReleasePolicies(), this.casProperties);
    }

    @RefreshScope
    @Bean
    public OidcIntrospectionEndpointController oidcIntrospectionEndpointController() {
        return new OidcIntrospectionEndpointController((ServicesManager) this.servicesManager.getIfAvailable(), (TicketRegistry) this.ticketRegistry.getIfAvailable(), (AccessTokenFactory) this.defaultAccessTokenFactory.getIfAvailable(), oidcPrincipalFactory(), (ServiceFactory) this.webApplicationServiceFactory.getIfAvailable(), profileScopeToAttributesFilter(), this.casProperties, (CookieRetrievingCookieGenerator) this.ticketGrantingTicketCookieGenerator.getIfAvailable(), (CentralAuthenticationService) this.centralAuthenticationService.getIfAvailable(), (AuditableExecution) this.registeredServiceAccessStrategyEnforcer.getIfAvailable());
    }

    @RefreshScope
    @Bean
    public OidcLogoutEndpointController oidcLogoutEndpointController() {
        return new OidcLogoutEndpointController((ServicesManager) this.servicesManager.getIfAvailable(), (TicketRegistry) this.ticketRegistry.getIfAvailable(), (AccessTokenFactory) this.defaultAccessTokenFactory.getIfAvailable(), oidcPrincipalFactory(), (ServiceFactory) this.webApplicationServiceFactory.getIfAvailable(), profileScopeToAttributesFilter(), this.casProperties, (CookieRetrievingCookieGenerator) this.ticketGrantingTicketCookieGenerator.getIfAvailable(), (AuditableExecution) this.registeredServiceAccessStrategyEnforcer.getIfAvailable(), oidcTokenSigningAndEncryptionService(), (SingleLogoutServiceLogoutUrlBuilder) this.singleLogoutServiceLogoutUrlBuilder.getIfAvailable());
    }

    @RefreshScope
    @Bean
    public OidcRevocationEndpointController oidcRevocationEndpointController() {
        return new OidcRevocationEndpointController((ServicesManager) this.servicesManager.getIfAvailable(), (TicketRegistry) this.ticketRegistry.getIfAvailable(), (AccessTokenFactory) this.defaultAccessTokenFactory.getIfAvailable(), oidcPrincipalFactory(), (ServiceFactory) this.webApplicationServiceFactory.getIfAvailable(), profileScopeToAttributesFilter(), this.casProperties, (CookieRetrievingCookieGenerator) this.ticketGrantingTicketCookieGenerator.getIfAvailable(), (AuditableExecution) this.registeredServiceAccessStrategyEnforcer.getIfAvailable());
    }

    @RefreshScope
    @Bean
    public OidcAccessTokenEndpointController oidcAccessTokenController() {
        return new OidcAccessTokenEndpointController((ServicesManager) this.servicesManager.getIfAvailable(), (TicketRegistry) this.ticketRegistry.getIfAvailable(), (AccessTokenFactory) this.defaultAccessTokenFactory.getIfAvailable(), oidcPrincipalFactory(), (ServiceFactory) this.webApplicationServiceFactory.getIfAvailable(), (OAuth20TokenGenerator) this.oauthTokenGenerator.getIfAvailable(), oidcAccessTokenResponseGenerator(), profileScopeToAttributesFilter(), this.casProperties, (CookieRetrievingCookieGenerator) this.ticketGrantingTicketCookieGenerator.getIfAvailable(), (ExpirationPolicy) this.accessTokenExpirationPolicy.getIfAvailable(), (ExpirationPolicy) this.deviceTokenExpirationPolicy.getIfAvailable(), (Collection) this.oauthTokenRequestValidators.getIfAvailable(), (AuditableExecution) this.accessTokenGrantAuditableRequestExtractor.getIfAvailable());
    }

    @ConditionalOnMissingBean(name = {"clientRegistrationRequestSerializer"})
    @Bean
    public StringSerializer<OidcClientRegistrationRequest> clientRegistrationRequestSerializer() {
        return new OidcClientRegistrationRequestSerializer();
    }

    @RefreshScope
    @Bean
    public OidcDynamicClientRegistrationEndpointController oidcDynamicClientRegistrationEndpointController() {
        return new OidcDynamicClientRegistrationEndpointController((ServicesManager) this.servicesManager.getIfAvailable(), (TicketRegistry) this.ticketRegistry.getIfAvailable(), (AccessTokenFactory) this.defaultAccessTokenFactory.getIfAvailable(), oidcPrincipalFactory(), (ServiceFactory) this.webApplicationServiceFactory.getIfAvailable(), clientRegistrationRequestSerializer(), new DefaultRandomStringGenerator(), new DefaultRandomStringGenerator(), profileScopeToAttributesFilter(), this.casProperties, (CookieRetrievingCookieGenerator) this.ticketGrantingTicketCookieGenerator.getIfAvailable());
    }

    @RefreshScope
    @Bean
    public OidcJwksEndpointController oidcJwksController() {
        return new OidcJwksEndpointController((ServicesManager) this.servicesManager.getIfAvailable(), (TicketRegistry) this.ticketRegistry.getIfAvailable(), (AccessTokenFactory) this.defaultAccessTokenFactory.getIfAvailable(), oidcPrincipalFactory(), (ServiceFactory) this.webApplicationServiceFactory.getIfAvailable(), profileScopeToAttributesFilter(), this.casProperties, (CookieRetrievingCookieGenerator) this.ticketGrantingTicketCookieGenerator.getIfAvailable());
    }

    @Autowired
    @RefreshScope
    @Bean
    public OidcWellKnownEndpointController oidcWellKnownController(@Qualifier("oidcServerDiscoverySettingsFactory") OidcServerDiscoverySettings oidcServerDiscoverySettings) {
        return new OidcWellKnownEndpointController((ServicesManager) this.servicesManager.getIfAvailable(), (TicketRegistry) this.ticketRegistry.getIfAvailable(), (AccessTokenFactory) this.defaultAccessTokenFactory.getIfAvailable(), oidcPrincipalFactory(), (ServiceFactory) this.webApplicationServiceFactory.getIfAvailable(), oidcServerDiscoverySettings, profileScopeToAttributesFilter(), this.casProperties, (CookieRetrievingCookieGenerator) this.ticketGrantingTicketCookieGenerator.getIfAvailable(), new OidcWebFingerDiscoveryService(oidcWebFingerUserInfoRepository(), oidcServerDiscoverySettings));
    }

    @ConditionalOnMissingBean(name = {"oidcWebFingerUserInfoRepository"})
    @Bean
    public OidcWebFingerUserInfoRepository oidcWebFingerUserInfoRepository() {
        OidcWebFingerProperties.UserInfoRepository userInfo = this.casProperties.getAuthn().getOidc().getWebfinger().getUserInfo();
        if (userInfo.getGroovy().getLocation() != null) {
            return new OidcGroovyWebFingerUserInfoRepository(userInfo.getGroovy().getLocation());
        }
        if (StringUtils.isNotBlank(userInfo.getRest().getUrl())) {
            return new OidcRestfulWebFingerUserInfoRepository(userInfo.getRest());
        }
        LOGGER.warn("Using [{}] to locate webfinger resources, which is NOT appropriate for production purposes, as it will always echo back the given username/email address and is only useful for testing/demo purposes. Consider choosing and configuring a different repository implementation for locating and fetching user information for webfinger resources, etc.", OidcEchoingWebFingerUserInfoRepository.class.getSimpleName());
        return new OidcEchoingWebFingerUserInfoRepository();
    }

    @RefreshScope
    @Bean
    public OidcUserProfileEndpointController oidcProfileController() {
        return new OidcUserProfileEndpointController((ServicesManager) this.servicesManager.getIfAvailable(), (TicketRegistry) this.ticketRegistry.getIfAvailable(), (AccessTokenFactory) this.defaultAccessTokenFactory.getIfAvailable(), oidcPrincipalFactory(), (ServiceFactory) this.webApplicationServiceFactory.getIfAvailable(), profileScopeToAttributesFilter(), this.casProperties, (CookieRetrievingCookieGenerator) this.ticketGrantingTicketCookieGenerator.getIfAvailable(), (OAuth20UserProfileViewRenderer) this.oauthUserProfileViewRenderer.getIfAvailable(), oidcUserProfileDataCreator());
    }

    @Bean
    public OAuth20UserProfileDataCreator oidcUserProfileDataCreator() {
        return new OidcUserProfileDataCreator((ServicesManager) this.servicesManager.getIfAvailable(), profileScopeToAttributesFilter());
    }

    @RefreshScope
    @Bean
    public OidcAuthorizeEndpointController oidcAuthorizeController() {
        return new OidcAuthorizeEndpointController((ServicesManager) this.servicesManager.getIfAvailable(), (TicketRegistry) this.ticketRegistry.getIfAvailable(), (AccessTokenFactory) this.defaultAccessTokenFactory.getIfAvailable(), oidcPrincipalFactory(), (ServiceFactory) this.webApplicationServiceFactory.getIfAvailable(), (OAuthCodeFactory) this.defaultOAuthCodeFactory.getIfAvailable(), consentApprovalViewResolver(), profileScopeToAttributesFilter(), this.casProperties, (CookieRetrievingCookieGenerator) this.ticketGrantingTicketCookieGenerator.getIfAvailable(), (OAuth20CasAuthenticationBuilder) this.authenticationBuilder.getIfAvailable(), (Set) this.oauthAuthorizationResponseBuilders.getIfAvailable(), (Set) this.oauthRequestValidators.getIfAvailable(), (AuditableExecution) this.registeredServiceAccessStrategyEnforcer.getIfAvailable());
    }

    @RefreshScope
    @Bean
    public MultifactorAuthenticationTrigger oidcMultifactorAuthenticationTrigger() {
        return new OidcMultifactorAuthenticationTrigger(this.casProperties, (MultifactorAuthenticationProviderResolver) this.multifactorAuthenticationProviderResolver.getIfAvailable());
    }

    @RefreshScope
    @Bean
    public CasWebflowEventResolver oidcAuthenticationContextWebflowEventResolver() {
        DefaultMultifactorAuthenticationProviderEventResolver defaultMultifactorAuthenticationProviderEventResolver = new DefaultMultifactorAuthenticationProviderEventResolver((AuthenticationSystemSupport) this.authenticationSystemSupport.getIfAvailable(), (CentralAuthenticationService) this.centralAuthenticationService.getIfAvailable(), (ServicesManager) this.servicesManager.getIfAvailable(), (TicketRegistrySupport) this.ticketRegistrySupport.getIfAvailable(), (CookieGenerator) this.warnCookieGenerator.getIfAvailable(), (AuthenticationServiceSelectionPlan) this.authenticationRequestServiceSelectionStrategies.getIfAvailable(), (MultifactorAuthenticationProviderSelector) this.multifactorAuthenticationProviderSelector.getIfAvailable(), oidcMultifactorAuthenticationTrigger(), this.applicationEventPublisher, this.applicationContext);
        ((CasDelegatingWebflowEventResolver) this.initialAuthenticationAttemptWebflowEventResolver.getIfAvailable()).addDelegate(defaultMultifactorAuthenticationProviderEventResolver);
        return defaultMultifactorAuthenticationProviderEventResolver;
    }

    @ConditionalOnMissingBean(name = {"oidcWebflowConfigurer"})
    @DependsOn({"defaultWebflowConfigurer"})
    @Bean
    public CasWebflowConfigurer oidcWebflowConfigurer() {
        OidcWebflowConfigurer oidcWebflowConfigurer = new OidcWebflowConfigurer((FlowBuilderServices) this.flowBuilderServices.getIfAvailable(), (FlowDefinitionRegistry) this.loginFlowDefinitionRegistry.getIfAvailable(), oidcRegisteredServiceUIAction(), this.applicationContext, this.casProperties);
        oidcWebflowConfigurer.setLogoutFlowDefinitionRegistry((FlowDefinitionRegistry) this.logoutFlowDefinitionRegistry.getIfAvailable());
        return oidcWebflowConfigurer;
    }

    @ConditionalOnMissingBean(name = {"oidcRegisteredServiceUIAction"})
    @Bean
    public Action oidcRegisteredServiceUIAction() {
        return new OidcRegisteredServiceUIAction((ServicesManager) this.servicesManager.getIfAvailable(), (AuthenticationServiceSelectionStrategy) this.oauth20AuthenticationServiceSelectionStrategy.getIfAvailable());
    }

    @Bean
    public OidcTokenSigningAndEncryptionService oidcTokenSigningAndEncryptionService() {
        return new OidcIdTokenSigningAndEncryptionService(oidcDefaultJsonWebKeystoreCache(), oidcServiceJsonWebKeystoreCache(), this.casProperties.getAuthn().getOidc().getIssuer());
    }

    @Bean
    public LoadingCache<OidcRegisteredService, Optional<RsaJsonWebKey>> oidcServiceJsonWebKeystoreCache() {
        return Caffeine.newBuilder().maximumSize(1L).expireAfterWrite(this.casProperties.getAuthn().getOidc().getJwksCacheInMinutes(), TimeUnit.MINUTES).build(oidcServiceJsonWebKeystoreCacheLoader());
    }

    @Bean
    public LoadingCache<String, Optional<RsaJsonWebKey>> oidcDefaultJsonWebKeystoreCache() {
        return Caffeine.newBuilder().maximumSize(1L).expireAfterWrite(this.casProperties.getAuthn().getOidc().getJwksCacheInMinutes(), TimeUnit.MINUTES).build(oidcDefaultJsonWebKeystoreCacheLoader());
    }

    @Bean
    public OidcDefaultJsonWebKeystoreCacheLoader oidcDefaultJsonWebKeystoreCacheLoader() {
        return new OidcDefaultJsonWebKeystoreCacheLoader(this.casProperties.getAuthn().getOidc().getJwksFile());
    }

    @Bean
    public CacheLoader<OidcRegisteredService, Optional<RsaJsonWebKey>> oidcServiceJsonWebKeystoreCacheLoader() {
        return new OidcServiceJsonWebKeystoreCacheLoader(this.resourceLoader);
    }

    @ConditionalOnMissingBean(name = {"oidcServerDiscoverySettingsFactory"})
    @Bean
    public FactoryBean<OidcServerDiscoverySettings> oidcServerDiscoverySettingsFactory() {
        return new OidcServerDiscoverySettingsFactory(this.casProperties);
    }

    @ConditionalOnMissingBean(name = {"oidcJsonWebKeystoreGeneratorService"})
    @RefreshScope
    @Bean
    public OidcJsonWebKeystoreGeneratorService oidcJsonWebKeystoreGeneratorService() {
        OidcJsonWebKeystoreGeneratorService oidcJsonWebKeystoreGeneratorService = new OidcJsonWebKeystoreGeneratorService(this.casProperties.getAuthn().getOidc());
        oidcJsonWebKeystoreGeneratorService.generate();
        return oidcJsonWebKeystoreGeneratorService;
    }

    @Bean
    public HandlerInterceptorAdapter oauthInterceptor() {
        return new OidcHandlerInterceptorAdapter((HandlerInterceptorAdapter) this.requiresAuthenticationAccessTokenInterceptor.getIfAvailable(), requiresAuthenticationAuthorizeInterceptor(), requiresAuthenticationDynamicRegistrationInterceptor(), OidcConstants.DynamicClientRegistrationMode.valueOf((String) StringUtils.defaultIfBlank(this.casProperties.getAuthn().getOidc().getDynamicClientRegistrationMode(), OidcConstants.DynamicClientRegistrationMode.PROTECTED.name())), (Collection) this.accessTokenGrantRequestExtractors.getIfAvailable());
    }

    @RefreshScope
    @Bean
    public Collection<BaseOidcScopeAttributeReleasePolicy> userDefinedScopeBasedAttributeReleasePolicies() {
        return (Collection) this.casProperties.getAuthn().getOidc().getUserDefinedScopes().entrySet().stream().map(entry -> {
            return new OidcCustomScopeAttributeReleasePolicy((String) entry.getKey(), CollectionUtils.wrapList(((String) entry.getValue()).split(",")));
        }).collect(Collectors.toSet());
    }

    @Bean
    public OidcRegisteredServicePreProcessorEventListener oidcRegisteredServicePreProcessorEventListener() {
        return new OidcRegisteredServicePreProcessorEventListener(profileScopeToAttributesFilter());
    }

    @Bean
    public OAuth20AuthorizationResponseBuilder oidcImplicitIdTokenCallbackUrlBuilder() {
        return new OidcImplicitIdTokenAuthorizationResponseBuilder(oidcIdTokenGenerator(), (OAuth20TokenGenerator) this.oauthTokenGenerator.getIfAvailable(), (ExpirationPolicy) this.accessTokenExpirationPolicy.getIfAvailable(), (ExpirationPolicy) this.grantingTicketExpirationPolicy.getIfAvailable());
    }

    @Bean
    public RegisteredServiceCipherExecutor oauthRegisteredServiceJwtAccessTokenCipherExecutor() {
        return new OidcRegisteredServiceJWTAccessTokenCipherExecutor(oidcDefaultJsonWebKeystoreCache(), oidcServiceJsonWebKeystoreCache(), this.casProperties.getAuthn().getOidc().getIssuer());
    }

    public void configureWebflowExecutionPlan(CasWebflowExecutionPlan casWebflowExecutionPlan) {
        casWebflowExecutionPlan.registerWebflowConfigurer(oidcWebflowConfigurer());
    }
}
