package org.pac4j.oidc.client.azuread;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import java.text.ParseException;
import org.pac4j.oidc.profile.azuread.AzureAdProfileDefinition;

/* loaded from: input_file:BOOT-INF/lib/pac4j-oidc-2.2.0.jar:org/pac4j/oidc/client/azuread/AzureAdIdTokenValidator.class */
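/**
 * ID token validator for Azure AD issuers whose expected issuer is a template
 * containing the URL-encoded tenant placeholder ({@code %7Btenantid%7D}).
 *
 * <p>When the configured issuer contains the placeholder, the expected issuer is
 * built per token by substituting the token's {@code tid} claim, and validation is
 * delegated to an {@link IDTokenValidator} created for that issuer. Otherwise the
 * wrapped validator is used unchanged.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The {@code tid} claim is read from the token before the delegate has
 *       validated it, so the expected issuer is derived from token content. Signature,
 *       issuer and audience checks are left to the delegate's {@code validate} call.</li>
 *   <li>This class does not restrict which tenant IDs are acceptable. A deployment
 *       that must only trust specific tenants has to check {@code tid} (or the issuer)
 *       itself after validation succeeds.</li>
 *   <li>The fields are immutable and the per-tenant validator is a local variable, so
 *       concurrent calls for tokens of different tenants do not share validator state.
 *       Reassigning a shared field per call would let one request be validated against
 *       the issuer computed for another request.</li>
 * </ul>
 */
public class AzureAdIdTokenValidator extends IDTokenValidator {
    /** URL-encoded form of the {@code {tenantid}} placeholder in the issuer template. */
    private static final String TENANT_ID_PLACEHOLDER = "%7Btenantid%7D";

    /** Wrapped validator: source of the client ID and key selectors; used as-is for fixed issuers. */
    private final IDTokenValidator base;

    /** Expected issuer exactly as configured, possibly still containing the tenant placeholder. */
    private final String originalIssuer;

    /**
     * Wraps an existing validator, reusing its expected issuer and client ID.
     *
     * @param iDTokenValidator the validator to wrap; its expected issuer may contain the
     *                         tenant placeholder
     */
    public AzureAdIdTokenValidator(IDTokenValidator iDTokenValidator) {
        super(iDTokenValidator.getExpectedIssuer(), iDTokenValidator.getClientID());
        this.base = iDTokenValidator;
        this.originalIssuer = iDTokenValidator.getExpectedIssuer().getValue();
    }

    /**
     * Validates the ID token against the issuer that applies to it.
     *
     * @param jwt   the ID token to validate
     * @param nonce the nonce passed through to the delegate validator
     * @return the claims set returned by the delegate validator
     * @throws BadJOSEException if the delegate rejects the token, the {@code tid} claim is
     *                          missing for a templated issuer, or the claims cannot be
     *                          parsed (reported as {@link BadJWTException})
     * @throws JOSEException    if the delegate reports an internal processing error
     */
    @Override
    public IDTokenClaimsSet validate(JWT jwt, Nonce nonce) throws BadJOSEException, JOSEException {
        return validatorFor(jwt).validate(jwt, nonce);
    }

    /** Returns the wrapped validator for a fixed issuer, or a new one for the token's tenant. */
    private IDTokenValidator validatorFor(JWT jwt) throws BadJWTException {
        if (!this.originalIssuer.contains(TENANT_ID_PLACEHOLDER)) {
            return this.base;
        }

        final Object tenantId;
        try {
            // Claims are not yet validated at this point; the value only selects the
            // expected issuer that the delegate will then enforce.
            tenantId = jwt.getJWTClaimsSet().getClaim(AzureAdProfileDefinition.TID);
        } catch (ParseException e) {
            throw new BadJWTException(e.getMessage(), e);
        }
        if (tenantId == null) {
            throw new BadJWTException("ID token does not contain the 'tid' claim");
        }

        Issuer tenantIssuer =
                new Issuer(this.originalIssuer.replace(TENANT_ID_PLACEHOLDER, tenantId.toString()));
        // Local instance per call: never stored in a field, so nothing leaks between requests.
        IDTokenValidator tenantValidator = new IDTokenValidator(
                tenantIssuer,
                this.base.getClientID(),
                this.base.getJWSKeySelector(),
                this.base.getJWEKeySelector());
        // Carry over the clock skew configured on this wrapper.
        tenantValidator.setMaxClockSkew(getMaxClockSkew());
        return tenantValidator;
    }
}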
