package io.micronaut.security.oauth2.endpoint.token.response.validation;

import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jwt.JWT;
import edu.umd.cs.findbugs.annotations.Nullable;
import io.micronaut.security.oauth2.client.OpenIdProviderMetadata;
import io.micronaut.security.oauth2.configuration.OauthClientConfiguration;
import io.micronaut.security.oauth2.endpoint.token.response.JWTOpenIdClaims;
import io.micronaut.security.oauth2.endpoint.token.response.OpenIdTokenResponse;
import io.micronaut.security.token.jwt.signature.SignatureConfiguration;
import io.micronaut.security.token.jwt.signature.jwks.JwkValidator;
import io.micronaut.security.token.jwt.signature.jwks.JwksSignature;
import io.micronaut.security.token.jwt.validator.GenericJwtClaimsValidator;
import io.micronaut.security.token.jwt.validator.JwtValidator;
import java.text.ParseException;
import java.util.Collection;
import java.util.Optional;
import javax.inject.Singleton;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

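@Singleton
/* loaded from: input_file:io/micronaut/security/oauth2/endpoint/token/response/validation/DefaultOpenIdTokenResponseValidator.class */
/**
 * Default {@link OpenIdTokenResponseValidator}: verifies the ID token in an
 * {@link OpenIdTokenResponse} in a fixed order — signature against the provider's
 * JWKS, then generic JWT claims, then OpenID-specific claims, then the nonce claim.
 * The first failing step aborts validation and yields {@link Optional#empty()};
 * every failure path is logged at ERROR so that rejected tokens are visible in
 * operational logs.
 */
public class DefaultOpenIdTokenResponseValidator implements OpenIdTokenResponseValidator {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultOpenIdTokenResponseValidator.class);
    // All validators in a collection must pass (allMatch); evaluation short-circuits on the first failure.
    private final Collection<OpenIdClaimsValidator> openIdClaimsValidators;
    private final Collection<GenericJwtClaimsValidator> genericJwtClaimsValidators;
    private final NonceClaimValidator nonceClaimValidator;
    private final JwkValidator jwkValidator;

    /**
     * @param collection  validators for OpenID Connect specific claims; all must accept the token
     * @param collection2 validators for generic JWT claims; all must accept the token
     * @param nonceClaimValidator validator for the nonce claim, run last
     * @param jwkValidator validator handed to {@link JwksSignature} for verifying the signature
     */
    public DefaultOpenIdTokenResponseValidator(Collection<OpenIdClaimsValidator> collection, Collection<GenericJwtClaimsValidator> collection2, NonceClaimValidator nonceClaimValidator, JwkValidator jwkValidator) {
        this.openIdClaimsValidators = collection;
        this.genericJwtClaimsValidators = collection2;
        this.nonceClaimValidator = nonceClaimValidator;
        this.jwkValidator = jwkValidator;
    }

    /**
     * Validates the ID token of {@code openIdTokenResponse}.
     *
     * @param oauthClientConfiguration client configuration; its name is used in log output and passed to the claim validators
     * @param openIdProviderMetadata provider discovery metadata; supplies the JWKS URI used for signature verification
     * @param openIdTokenResponse token response whose ID token is validated
     * @param str the nonce value to check the token against, or {@code null}
     *            (presumably the nonce sent with the authorization request — see {@link NonceClaimValidator})
     * @return the parsed, signature-verified JWT when every validation step passes; empty otherwise
     */
    @Override // io.micronaut.security.oauth2.endpoint.token.response.validation.OpenIdTokenResponseValidator
    public Optional<JWT> validate(OauthClientConfiguration oauthClientConfiguration, OpenIdProviderMetadata openIdProviderMetadata, OpenIdTokenResponse openIdTokenResponse, @Nullable String str) {
        Optional<JWT> signedJwt = validateSignature(openIdProviderMetadata, openIdTokenResponse);
        if (!signedJwt.isPresent()) {
            if (LOG.isErrorEnabled()) {
                LOG.error("JWT signature validation failed for provider [{}]", oauthClientConfiguration.getName());
            }
            return Optional.empty();
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("JWT signature validation succeeded. Validating claims...");
        }
        try {
            // getJWTClaimsSet() is the only call here that throws ParseException.
            JWTOpenIdClaims claims = new JWTOpenIdClaims(signedJwt.get().getJWTClaimsSet());
            if (claimsAreValid(claims, oauthClientConfiguration, openIdProviderMetadata, str)) {
                return signedJwt;
            }
        } catch (ParseException e) {
            if (LOG.isErrorEnabled()) {
                LOG.error("Failed to parse the JWT returned from provider [{}]", oauthClientConfiguration.getName(), e);
            }
        }
        return Optional.empty();
    }

    /**
     * Verifies the ID token's signature against the provider's JWKS.
     * No key-type restriction is applied ({@code null} {@link KeyType}); key selection
     * and retrieval from the JWKS URI are the responsibility of {@link JwksSignature}.
     *
     * @return the parsed JWT when the signature verifies; empty otherwise
     */
    private Optional<JWT> validateSignature(OpenIdProviderMetadata openIdProviderMetadata, OpenIdTokenResponse openIdTokenResponse) {
        if (LOG.isTraceEnabled()) {
            LOG.trace("Validating the JWT signature using the JWKS uri [{}]", openIdProviderMetadata.getJwksUri());
        }
        JwksSignature jwksSignature = new JwksSignature(openIdProviderMetadata.getJwksUri(), (KeyType) null, this.jwkValidator);
        JwtValidator jwtValidator = JwtValidator.builder()
                .withSignatures(new SignatureConfiguration[]{jwksSignature})
                .build();
        return jwtValidator.validate(openIdTokenResponse.getIdToken());
    }

    /**
     * Runs the claim validators in order: generic JWT claims, OpenID claims, nonce.
     * Each failure is logged at ERROR with the provider name; the nonce failure is
     * logged too so that a token rejected only for its nonce is not silently dropped.
     *
     * @return {@code true} only when every validator accepts the claims
     */
    private boolean claimsAreValid(JWTOpenIdClaims claims, OauthClientConfiguration oauthClientConfiguration, OpenIdProviderMetadata openIdProviderMetadata, @Nullable String nonce) {
        boolean genericOk = this.genericJwtClaimsValidators.stream()
                .allMatch(validator -> validator.validate(claims));
        if (!genericOk) {
            if (LOG.isErrorEnabled()) {
                LOG.error("JWT generic claims validation failed for provider [{}]", oauthClientConfiguration.getName());
            }
            return false;
        }
        boolean openIdOk = this.openIdClaimsValidators.stream()
                .allMatch(validator -> validator.validate(claims, oauthClientConfiguration, openIdProviderMetadata));
        if (!openIdOk) {
            if (LOG.isErrorEnabled()) {
                LOG.error("JWT OpenID specific claims validation failed for provider [{}]", oauthClientConfiguration.getName());
            }
            return false;
        }
        if (!this.nonceClaimValidator.validate(claims, oauthClientConfiguration, openIdProviderMetadata, nonce)) {
            if (LOG.isErrorEnabled()) {
                LOG.error("JWT nonce claim validation failed for provider [{}]", oauthClientConfiguration.getName());
            }
            return false;
        }
        return true;
    }
}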
