package org.pac4j.oidc.client;

import com.nimbusds.jose.JWEDecrypter;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCAccessTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.util.DefaultJWTDecoder;
import com.nimbusds.openid.connect.sdk.util.DefaultResourceRetriever;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.pac4j.core.client.BaseClient;
import org.pac4j.core.client.Mechanism;
import org.pac4j.core.client.RedirectAction;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.exception.RequiresHttpAction;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.oidc.credentials.OidcCredentials;
import org.pac4j.oidc.profile.OidcProfile;

/* loaded from: input_file:org/pac4j/oidc/client/OidcClient.class */
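/**
 * OpenID Connect client implementing the authorization code flow.
 *
 * <p>Configuration is read from the OP's discovery document ({@link #setDiscoveryURI}); the
 * client identifies itself with {@link #setClientID}/{@link #setSecret}. The flow is:
 * {@link #retrieveRedirectAction} builds the front-channel authentication request (with a
 * per-request {@code state} and, optionally, a {@code nonce} kept in the session),
 * {@link #retrieveCredentials} checks the callback's {@code state} and extracts the code, and
 * {@link #retrieveUserProfile} exchanges the code on the back channel, verifies the ID token
 * (signature, issuer, audience, expiry, nonce) and builds the profile, enriched with the
 * UserInfo endpoint when the OP advertises one.
 *
 * <p>The client secret is only used for the token request; it is never placed in the
 * browser-visible authentication request.
 */
public class OidcClient extends BaseClient<OidcCredentials, OidcProfile> {

    /** Auth-param key that switches the nonce check on; read with {@link Boolean#parseBoolean}. */
    private static final String USE_NONCE_PARAM = "useNonce";
    /** Session attribute holding the {@link State} sent in the authentication request. */
    private static final String STATE_ATTRIBUTE = "oidcStateAttribute";
    /** Session attribute holding the nonce value sent in the authentication request. */
    private static final String NONCE_ATTRIBUTE = "oidcNonceAttribute";

    private String clientId;
    private String secret;
    private URI redirectURI;
    private String discoveryURI;
    private DefaultJWTDecoder jwtDecoder;
    private OIDCProviderMetadata oidcProvider;
    /** Parameters of the front-channel authentication request, built by {@link #internalInit()}. */
    private Map<String, String> authParams;
    /** Extra authentication-request parameters registered through {@link #addCustomParam}. */
    private final Map<String, String> customParams = new HashMap<String, String>();
    private ClientAuthentication clientAuthentication;
    private ClientID _clientID;
    private Secret _secret;

    public Mechanism getMechanism() {
        return Mechanism.OPENID_CONNECT_PROTOCOL;
    }

    /**
     * @param str URL of the OP's discovery document ({@code .../.well-known/openid-configuration})
     */
    public void setDiscoveryURI(final String str) {
        this.discoveryURI = str;
    }

    /**
     * @param str the client identifier registered at the OP
     */
    public void setClientID(final String str) {
        this.clientId = str;
    }

    /**
     * @param str the client secret registered at the OP; used for token-endpoint authentication only
     */
    public void setSecret(final String str) {
        this.secret = str;
    }

    /**
     * Registers an extra parameter for the authentication request (e.g. {@code prompt} or
     * {@code useNonce}). Custom values override the default {@code scope}, {@code response_type}
     * and {@code redirect_uri}, but not {@code client_id}.
     *
     * @param str  parameter name
     * @param str2 parameter value
     */
    public void addCustomParam(final String str, final String str2) {
        this.customParams.put(str, str2);
    }

    /**
     * Validates the configuration, fetches the OP metadata and JWK set and prepares the
     * JWT decoder and client authentication.
     *
     * @throws TechnicalException if a setting is blank, the discovery document or JWK set
     *                            cannot be fetched/parsed, or the OP's token-endpoint auth
     *                            method is not supported
     */
    protected void internalInit() {
        CommonHelper.assertNotBlank(this.clientId, "clientID cannot be blank");
        CommonHelper.assertNotBlank(this.secret, "secret cannot be blank");
        CommonHelper.assertNotBlank(this.discoveryURI, "discoveryURI cannot be blank");
        this.authParams = new HashMap<String, String>();
        this.authParams.put("scope", "openid profile email");
        this.authParams.put("response_type", "code");
        this.authParams.put("redirect_uri", getCallbackUrl());
        // custom params may override the defaults above, but never the client id below
        this.authParams.putAll(this.customParams);
        this.authParams.put("client_id", this.clientId);
        // The client secret is deliberately NOT added here: authParams become the browser
        // redirect built in retrieveRedirectAction(); the secret is only needed for the
        // back-channel token request, which uses clientAuthentication.
        this._clientID = new ClientID(this.clientId);
        this._secret = new Secret(this.secret);
        try {
            final DefaultResourceRetriever retriever = new DefaultResourceRetriever();
            this.oidcProvider = OIDCProviderMetadata.parse(
                    retriever.retrieveResource(new URL(this.discoveryURI)).getContent());
            final JWKSet jwkSet = JWKSet.parse(
                    retriever.retrieveResource(this.oidcProvider.getJWKSetURI().toURL()).getContent());
            this.redirectURI = new URI(getCallbackUrl());
            this.clientAuthentication = getClientAuthentication(getClientAuthenticationMethod());
            this.jwtDecoder = new DefaultJWTDecoder();
            initJwtDecoder(this.jwtDecoder, jwkSet);
        } catch (Exception e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Creates a copy of this client carrying the same settings (not yet initialized).
     *
     * @return the new client
     */
    protected BaseClient<OidcCredentials, OidcProfile> newClient() {
        final OidcClient client = new OidcClient();
        client.setClientID(this.clientId);
        client.setSecret(this.secret);
        client.setDiscoveryURI(this.discoveryURI);
        // custom params are copied too, so the clone's own internalInit() rebuilds the same request
        client.customParams.putAll(this.customParams);
        client.setAuthParams(this.authParams);
        return client;
    }

    protected boolean isDirectRedirection() {
        return true;
    }

    /**
     * Builds the redirect to the OP's authorization endpoint. A fresh {@code state} (and a
     * {@code nonce} when enabled) is generated per request and stored in the session so the
     * callback can be tied back to it.
     *
     * @param webContext the current web context
     * @return the redirect action
     * @throws TechnicalException if the request cannot be serialized
     */
    protected RedirectAction retrieveRedirectAction(final WebContext webContext) {
        final Map<String, String> params = new HashMap<String, String>(this.authParams);
        // echoed back by the OP and checked in retrieveCredentials()
        final State state = new State();
        params.put("state", state.getValue());
        webContext.setSessionAttribute(STATE_ATTRIBUTE, state);
        if (useNonce()) {
            // binds the ID token to this session; checked in retrieveUserProfile()
            final Nonce nonce = new Nonce();
            params.put("nonce", nonce.getValue());
            webContext.setSessionAttribute(NONCE_ATTRIBUTE, nonce.getValue());
        }
        try {
            final String authenticationUrl = this.oidcProvider.getAuthorizationEndpointURI().toString()
                    + "?" + AuthenticationRequest.parse(params).toQueryString();
            logger.debug("Authentication request url : {}", authenticationUrl);
            return RedirectAction.redirect(authenticationUrl);
        } catch (Exception e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Handles the callback from the OP: parses the authentication response and checks its
     * {@code state} against the one stored in the session by {@link #retrieveRedirectAction}.
     *
     * <p>(The decompiled listing showed this method as {@code public m0retrieveCredentials};
     * the decompiler's own note gives the original name and {@code protected} access, which
     * are restored here so it overrides the base-class hook.)
     *
     * @param webContext the current web context
     * @return the credentials holding the authorization code, or {@code null} when the OP
     *         returned an error response
     * @throws RequiresHttpAction per the base-class contract (not thrown by this implementation)
     * @throws TechnicalException if the response cannot be parsed or the state is missing or
     *                            does not match the session (expired session or CSRF attempt)
     */
    protected OidcCredentials retrieveCredentials(final WebContext webContext) throws RequiresHttpAction {
        try {
            final AuthenticationResponse response = AuthenticationResponseParser.parse(this.redirectURI,
                    toSingleParameter(webContext.getRequestParameters()));
            if (response instanceof AuthenticationErrorResponse) {
                logger.error("Bad authentication response, error={}",
                        ((AuthenticationErrorResponse) response).getErrorObject());
                return null;
            }
            logger.debug("Authentication response successful, get authorization code");
            final AuthenticationSuccessResponse successResponse = (AuthenticationSuccessResponse) response;
            final State state = successResponse.getState();
            final Object expectedState = webContext.getSessionAttribute(STATE_ATTRIBUTE);
            // a missing state (null guard) is treated exactly like a foreign one
            if (state == null || expectedState == null || !state.equals(expectedState)) {
                throw new TechnicalException("State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery");
            }
            return new OidcCredentials(successResponse.getAuthorizationCode());
        } catch (ParseException e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Exchanges the authorization code for tokens, verifies the ID token and builds the profile.
     *
     * @param oidcCredentials the credentials produced by {@link #retrieveCredentials}
     * @param webContext      the current web context (for the session nonce)
     * @return the profile, or {@code null} when the token endpoint returned an error response
     * @throws TechnicalException on transport/parse errors or when the ID token fails validation
     */
    protected OidcProfile retrieveUserProfile(final OidcCredentials oidcCredentials, final WebContext webContext) {
        try {
            // back-channel request: this is the only place the client secret is sent
            final TokenRequest tokenRequest = new TokenRequest(this.oidcProvider.getTokenEndpointURI(),
                    this.clientAuthentication,
                    new AuthorizationCodeGrant(oidcCredentials.getCode(), this.redirectURI, this._clientID));
            final HTTPResponse tokenHttpResponse = tokenRequest.toHTTPRequest().send();
            // the body is not logged: it carries the access token and the ID token
            logger.debug("Token response: status={}", tokenHttpResponse.getStatusCode());
            final TokenResponse tokenResponse = OIDCTokenResponseParser.parse(tokenHttpResponse);
            if (tokenResponse instanceof TokenErrorResponse) {
                logger.error("Bad token response, error={}", ((TokenErrorResponse) tokenResponse).getErrorObject());
                return null;
            }
            logger.debug("Token response successful");
            final OIDCAccessTokenResponse accessTokenResponse = (OIDCAccessTokenResponse) tokenResponse;
            final BearerAccessToken accessToken = accessTokenResponse.getAccessToken();

            // signature is verified against the OP's JWK set by the decoder; the claim checks
            // below tie the token to this OP, this client and this session
            final ReadOnlyJWTClaimsSet claims = this.jwtDecoder.decodeJWT(accessTokenResponse.getIDToken());
            validateIdTokenClaims(claims, webContext);

            final OidcProfile profile = new OidcProfile(accessToken);
            profile.setId(claims.getSubject());
            profile.addAttributes(claims.getAllClaims());
            final UserInfo userInfo = fetchUserInfo(accessToken);
            // no UserInfo endpoint, or an error from it, just means fewer attributes
            if (userInfo != null) {
                profile.addAttributes(userInfo.toJWTClaimsSet().getAllClaims());
            }
            return profile;
        } catch (Exception e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Calls the UserInfo endpoint, if the OP advertises one.
     *
     * @param accessToken the bearer token from the token response
     * @return the user info, or {@code null} when there is no endpoint or the OP returned an error
     * @throws IOException    if the request cannot be sent
     * @throws ParseException if the response cannot be parsed
     */
    private UserInfo fetchUserInfo(final BearerAccessToken accessToken) throws IOException, ParseException {
        if (this.oidcProvider.getUserInfoEndpointURI() == null) {
            return null;
        }
        final HTTPResponse httpResponse = new UserInfoRequest(this.oidcProvider.getUserInfoEndpointURI(), accessToken)
                .toHTTPRequest().send();
        logger.debug("User Info response: status={}, content={}", httpResponse.getStatusCode(), httpResponse.getContent());
        final UserInfoResponse userInfoResponse = UserInfoResponse.parse(httpResponse);
        if (userInfoResponse instanceof UserInfoErrorResponse) {
            logger.error("Bad User Info response, error={}", ((UserInfoErrorResponse) userInfoResponse).getErrorObject());
            return null;
        }
        return ((UserInfoSuccessResponse) userInfoResponse).getUserInfo();
    }

    /**
     * Checks the ID token claims that bind it to this OP, this client and this session
     * (OpenID Connect Core, ID token validation): the issuer must equal the discovered
     * issuer, the audience must contain our client id, the token must carry an expiration
     * time in the future, and — when nonces are enabled — the nonce must equal the one stored
     * in the session.
     *
     * @param claims     the verified ID token claims
     * @param webContext the current web context
     * @throws TechnicalException       if any check fails
     * @throws java.text.ParseException if the nonce claim is not a string
     */
    private void validateIdTokenClaims(final ReadOnlyJWTClaimsSet claims, final WebContext webContext)
            throws java.text.ParseException {
        final String issuer = claims.getIssuer();
        if (issuer == null || !issuer.equals(this.oidcProvider.getIssuer().getValue())) {
            throw new TechnicalException("ID Token issuer (" + issuer + ") does not match the discovered issuer");
        }
        if (claims.getAudience() == null || !claims.getAudience().contains(this.clientId)) {
            throw new TechnicalException("ID Token audience does not contain this client id");
        }
        if (claims.getExpirationTime() == null || claims.getExpirationTime().getTime() < System.currentTimeMillis()) {
            throw new TechnicalException("ID Token is missing an expiration time or has expired");
        }
        if (useNonce()) {
            final String nonce = claims.getStringClaim("nonce");
            if (nonce == null || !nonce.equals(webContext.getSessionAttribute(NONCE_ATTRIBUTE))) {
                throw new TechnicalException("A nonce was sent in the authentication request but it is missing or different in the ID Token. Session expired or possible threat of cross-site request forgery");
            }
        }
    }

    /**
     * Picks the token-endpoint authentication method: the first method advertised by the OP
     * that this client can perform with a shared secret, else the OP's first method, else
     * the library default.
     */
    private ClientAuthenticationMethod getClientAuthenticationMethod() {
        final List<ClientAuthenticationMethod> methods = this.oidcProvider.getTokenEndpointAuthMethods();
        if (methods == null || methods.isEmpty()) {
            return ClientAuthenticationMethod.getDefault();
        }
        for (final ClientAuthenticationMethod method : methods) {
            if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(method)
                    || ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(method)) {
                return method;
            }
        }
        return methods.get(0);
    }

    /** @return whether the nonce check is enabled through the {@code useNonce} auth param */
    private boolean useNonce() {
        return Boolean.parseBoolean(this.authParams.get(USE_NONCE_PARAM));
    }

    /**
     * Registers the OP's keys with the decoder: signature keys (and keys without a declared
     * use) as verifiers, encryption keys with a private part as decrypters. Keys of an
     * unsupported type are skipped instead of failing initialization.
     *
     * @param decoder the decoder to populate
     * @param jwkSet  the OP's JWK set
     * @throws TechnicalException if a key cannot be converted
     */
    private void initJwtDecoder(final DefaultJWTDecoder decoder, final JWKSet jwkSet) {
        try {
            for (final JWK jwk : jwkSet.getKeys()) {
                final KeyUse use = jwk.getKeyUse();
                // "use" is optional in a JWK (RFC 7517 section 4.2): a public key published
                // without it may still be the one signing the ID tokens
                if (use == KeyUse.SIGNATURE || use == null) {
                    final JWSVerifier verifier = getVerifier(jwk);
                    if (verifier != null) {
                        decoder.addJWSVerifier(verifier);
                    } else {
                        logger.debug("Ignoring unsupported signing key: kid={}, kty={}", jwk.getKeyID(), jwk.getKeyType());
                    }
                } else if (use == KeyUse.ENCRYPTION) {
                    final JWEDecrypter decrypter = getDecrypter(jwk);
                    if (decrypter != null) {
                        decoder.addJWEDecrypter(decrypter);
                    }
                }
            }
        } catch (Exception e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * @param jwk a key with encryption use
     * @return an RSA decrypter, or {@code null} when the key is not RSA or carries no private
     *         part (an OP's published JWK set normally holds public keys only)
     */
    private JWEDecrypter getDecrypter(final JWK jwk) throws NoSuchAlgorithmException, InvalidKeySpecException {
        if (jwk instanceof RSAKey && jwk.isPrivate()) {
            return new RSADecrypter(((RSAKey) jwk).toRSAPrivateKey());
        }
        return null;
    }

    /**
     * @param jwk a key with signature use
     * @return an RSA or EC verifier, or {@code null} for other key types
     */
    private JWSVerifier getVerifier(final JWK jwk) throws NoSuchAlgorithmException, InvalidKeySpecException {
        if (jwk instanceof RSAKey) {
            return new RSASSAVerifier(((RSAKey) jwk).toRSAPublicKey());
        }
        if (jwk instanceof ECKey) {
            final ECKey ecKey = (ECKey) jwk;
            return new ECDSAVerifier(ecKey.getX().decodeToBigInteger(), ecKey.getY().decodeToBigInteger());
        }
        return null;
    }

    /**
     * @param clientAuthenticationMethod the method chosen by {@link #getClientAuthenticationMethod()}
     * @return the client authentication for the token request
     * @throws TechnicalException for methods other than {@code client_secret_post} and
     *                            {@code client_secret_basic} (fail at init, rather than on the
     *                            first token request)
     */
    private ClientAuthentication getClientAuthentication(final ClientAuthenticationMethod clientAuthenticationMethod) {
        if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientAuthenticationMethod)) {
            return new ClientSecretPost(this._clientID, this._secret);
        }
        if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientAuthenticationMethod)) {
            return new ClientSecretBasic(this._clientID, this._secret);
        }
        throw new TechnicalException("Unsupported token endpoint authentication method: " + clientAuthenticationMethod);
    }

    /**
     * Flattens request parameters to their first value; parameters without a value are skipped
     * rather than indexing past an empty array.
     *
     * @param map the multi-valued request parameters (may be {@code null})
     * @return a single-valued map
     */
    private Map<String, String> toSingleParameter(final Map<String, String[]> map) {
        final Map<String, String> single = new HashMap<String, String>();
        if (map == null) {
            return single;
        }
        for (final Map.Entry<String, String[]> entry : map.entrySet()) {
            final String[] values = entry.getValue();
            if (values != null && values.length > 0) {
                single.put(entry.getKey(), values[0]);
            }
        }
        return single;
    }

    private void setAuthParams(final Map<String, String> map) {
        this.authParams = map;
    }
}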
