package org.springframework.security.oauth2.oidc.client.authentication;

import org.springframework.security.jwt.Jwt;
import org.springframework.security.jwt.JwtDecoder;
import org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationToken;
import org.springframework.security.oauth2.client.authentication.AuthorizationGrantAuthenticator;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationException;
import org.springframework.security.oauth2.client.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.client.authentication.jwt.JwtDecoderRegistry;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.web.AuthorizationGrantTokenExchanger;
import org.springframework.security.oauth2.core.AccessToken;
import org.springframework.security.oauth2.core.endpoint.TokenResponse;
import org.springframework.security.oauth2.oidc.core.IdToken;
import org.springframework.util.Assert;

/* loaded from: input_file:org/springframework/security/oauth2/oidc/client/authentication/OidcAuthorizationCodeAuthenticator.class */
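/**
 * Authenticates an authorization code grant as an OpenID Connect login.
 *
 * <p>The authorization code is exchanged for a token response, the {@code id_token}
 * parameter of that response is decoded with the {@link JwtDecoder} registered for the
 * client, and the result is wrapped in an {@link OidcClientAuthenticationToken}.
 *
 * <p>NOTE(review): this class only calls {@link JwtDecoder#decode(String)} on the ID Token.
 * It performs no issuer, audience, expiry or nonce check of its own, although OpenID Connect
 * Core (ID Token Validation) requires a relying party to make them. Whether the registered
 * decoder verifies the signature or any of these claims cannot be seen from this file;
 * confirm that they are enforced somewhere before the identity is trusted.
 */
public class OidcAuthorizationCodeAuthenticator implements AuthorizationGrantAuthenticator<AuthorizationCodeAuthenticationToken> {
    /** Scope value that marks an authorization request as an OpenID Connect request. */
    private static final String OPENID_SCOPE = "openid";

    /** Name of the token response parameter that carries the ID Token. */
    private static final String ID_TOKEN_PARAMETER = "id_token";

    private final AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger;
    private final JwtDecoderRegistry jwtDecoderRegistry;

    /**
     * Creates the authenticator.
     *
     * @param authorizationGrantTokenExchanger exchanges the authorization code for a token response; must not be null
     * @param jwtDecoderRegistry supplies the {@link JwtDecoder} for a client registration; must not be null
     * @throws IllegalArgumentException if either argument is null
     */
    public OidcAuthorizationCodeAuthenticator(AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationGrantTokenExchanger, JwtDecoderRegistry jwtDecoderRegistry) {
        Assert.notNull(authorizationGrantTokenExchanger, "authorizationCodeTokenExchanger cannot be null");
        Assert.notNull(jwtDecoderRegistry, "jwtDecoderRegistry cannot be null");
        this.authorizationCodeTokenExchanger = authorizationGrantTokenExchanger;
        this.jwtDecoderRegistry = jwtDecoderRegistry;
    }

    /**
     * Exchanges the authorization code and builds an OpenID Connect authentication from the
     * returned access token and ID Token.
     *
     * @param authorizationCodeAuthenticationToken the authorization code authentication to process
     * @return the OIDC authentication, or {@code null} when the authorization request did not
     *         include the {@code openid} scope (presumably so the caller can fall back to
     *         another authenticator; verify against the caller)
     * @throws IllegalArgumentException if the token response carries no usable {@code id_token}
     *         string, or no {@link JwtDecoder} is registered for the client
     * @throws OAuth2AuthenticationException declared by the implemented interface; nothing in
     *         this method throws it directly
     */
    @Override
    public OAuth2ClientAuthenticationToken authenticate(AuthorizationCodeAuthenticationToken authorizationCodeAuthenticationToken) throws OAuth2AuthenticationException {
        // Only requests that asked for the "openid" scope are handled here.
        if (!authorizationCodeAuthenticationToken.getAuthorizationRequest().getScope().contains(OPENID_SCOPE)) {
            return null;
        }
        ClientRegistration clientRegistration = authorizationCodeAuthenticationToken.getClientRegistration();
        TokenResponse tokenResponse = this.authorizationCodeTokenExchanger.exchange(authorizationCodeAuthenticationToken);
        AccessToken accessToken = new AccessToken(tokenResponse.getTokenType(), tokenResponse.getTokenValue(), tokenResponse.getIssuedAt(), tokenResponse.getExpiresAt(), tokenResponse.getScope());

        // The parameter is read from the token response, so its presence and type are not
        // guaranteed. A null or non-String value is reported like a missing ID Token instead of
        // surfacing as a ClassCastException or reaching the decoder as null.
        Object idTokenValue = tokenResponse.getAdditionalParameters().get(ID_TOKEN_PARAMETER);
        if (!(idTokenValue instanceof String)) {
            throw new IllegalArgumentException("Missing (required) ID Token in Token Response for Client Registration: '" + clientRegistration.getRegistrationId() + "'");
        }

        JwtDecoder jwtDecoder = this.jwtDecoderRegistry.getJwtDecoder(clientRegistration);
        if (jwtDecoder == null) {
            throw new IllegalArgumentException("Unable to find a registered JwtDecoder for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured the JwkSet URI.");
        }

        // NOTE(review): the decoded claims are copied into the IdToken as-is. No iss/aud/exp/nonce
        // comparison against the client registration or the authorization request happens here.
        Jwt jwt = jwtDecoder.decode((String) idTokenValue);
        IdToken idToken = new IdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims());

        OidcClientAuthenticationToken oidcClientAuthenticationToken = new OidcClientAuthenticationToken(clientRegistration, accessToken, idToken);
        // Carry over the request details from the incoming authentication.
        oidcClientAuthenticationToken.setDetails(authorizationCodeAuthenticationToken.getDetails());
        return oidcClientAuthenticationToken;
    }
}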
