package org.springframework.security.oauth2.server.authorization.authentication;

import java.util.Set;
import java.util.function.Consumer;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationValidator.class */
/**
 * Validates an {@link OAuth2ClientCredentialsAuthenticationContext} before the client
 * credentials grant is processed further.
 *
 * <p>The only check wired in by this class is {@link #DEFAULT_SCOPE_VALIDATOR}, which
 * rejects a request whose scopes are not all registered for the client. The instance
 * field holding the validator is final and always set to that default, so this class
 * itself offers no way to swap or weaken the check.
 */
public final class OAuth2ClientCredentialsAuthenticationValidator implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {
    private static final Log LOGGER = LogFactory.getLog(OAuth2ClientCredentialsAuthenticationValidator.class);

    /**
     * Scope check: every requested scope must be present in the registered client's
     * scope set, otherwise an {@link OAuth2AuthenticationException} with error code
     * {@code invalid_scope} is thrown.
     */
    public static final Consumer<OAuth2ClientCredentialsAuthenticationContext> DEFAULT_SCOPE_VALIDATOR = OAuth2ClientCredentialsAuthenticationValidator::validateScope;

    // The validator actually applied by accept(); fixed to the default scope check.
    private final Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator = DEFAULT_SCOPE_VALIDATOR;

    /**
     * Runs the configured validator against the given context.
     *
     * @param oAuth2ClientCredentialsAuthenticationContext the grant request together with
     *        the registered client it was made for
     * @throws OAuth2AuthenticationException if the request asks for a scope the registered
     *         client does not have
     */
    @Override
    public void accept(OAuth2ClientCredentialsAuthenticationContext oAuth2ClientCredentialsAuthenticationContext) {
        authenticationValidator.accept(oAuth2ClientCredentialsAuthenticationContext);
    }

    /**
     * Enforces that the requested scopes are a subset of the scopes registered for the
     * client.
     *
     * @param authenticationContext supplies the grant request and the registered client
     * @throws OAuth2AuthenticationException with error code {@code invalid_scope} when at
     *         least one requested scope is not registered for the client
     */
    private static void validateScope(OAuth2ClientCredentialsAuthenticationContext authenticationContext) {
        OAuth2ClientCredentialsAuthenticationToken grantRequest = authenticationContext.getAuthentication();
        RegisteredClient client = authenticationContext.getRegisteredClient();
        Set<String> requestedScopes = grantRequest.getScopes();
        Set<String> allowedScopes = client.getScopes();

        // An empty request is accepted without comparison. Which scopes are then granted
        // is decided outside this class (NOTE(review): confirm in the authentication
        // provider that an empty request does not silently receive every registered scope
        // unless that is intended).
        boolean withinRegisteredScopes = requestedScopes.isEmpty() || allowedScopes.containsAll(requestedScopes);
        if (!withinRegisteredScopes) {
            // Only the registered client's internal id is logged, and only at debug level;
            // the rejected scope values are not written to the log.
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug(LogMessage.format("Invalid request: requested scope is not allowed for registered client '%s'", client.getId()));
            }
            throw new OAuth2AuthenticationException("invalid_scope");
        }
    }
}
