package io.micronaut.security.oauth2.endpoint.token.response.validation;

import io.micronaut.context.annotation.Requires;
import io.micronaut.security.oauth2.client.OpenIdProviderMetadata;
import io.micronaut.security.oauth2.configuration.OauthClientConfiguration;
import io.micronaut.security.oauth2.endpoint.token.response.OpenIdClaims;
import jakarta.inject.Singleton;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

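/**
 * Validates the {@code aud} (audience) claim of a set of OpenID claims against the client id of
 * the OAuth client configuration the token was requested for.
 *
 * <p>The claims are accepted only when the audience list contains the configured client id. If
 * the list names more than one audience, an authorized party claim must also be present.
 *
 * <p>The bean is registered unless the property
 * {@code micronaut.security.oauth2.openid.claims-validation.audience} is set to {@code false}.
 * Turning it off removes the check that a token was issued for this client.
 */
@Singleton
@Requires(property = "micronaut.security.oauth2.openid.claims-validation.audience", notEquals = "false")
public class AudienceClaimValidator implements OpenIdClaimsValidator {
    private static final Logger LOG = LoggerFactory.getLogger(AudienceClaimValidator.class);

    /**
     * Checks the audience of the supplied claims.
     *
     * @param openIdClaims the claims taken from the token under validation
     * @param oauthClientConfiguration the client configuration whose client id must be an audience
     * @param openIdProviderMetadata the provider metadata; not consulted by this validator
     * @return {@code true} if the audience contains the client id and, when several audiences
     *     are listed, an authorized party is present; {@code false} otherwise, including when
     *     the audience list or the client id is missing
     */
    @Override
    public boolean validate(OpenIdClaims openIdClaims, OauthClientConfiguration oauthClientConfiguration, OpenIdProviderMetadata openIdProviderMetadata) {
        final String clientId = oauthClientConfiguration.getClientId();
        final List<String> audience = openIdClaims.getAudience();

        // Fail closed: a missing audience list or client id is a validation failure, not an
        // exception thrown from the middle of token validation. Calling equals on clientId keeps
        // a null entry inside the audience list from throwing as well.
        final boolean clientIsAudience = audience != null
                && clientId != null
                && audience.stream().anyMatch(clientId::equals);
        if (!clientIsAudience) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("JWT validation failed for provider [{}]. Audience claims does not contain [{}]", oauthClientConfiguration.getName(), clientId);
            }
            return false;
        }

        // With several audiences the token must state which party it was issued to.
        // NOTE(review): only the presence of the authorized party is checked here; its value is
        // not compared with the client id. Confirm another validator covers that comparison.
        if (audience.size() <= 1 || openIdClaims.getAuthorizedParty() != null) {
            return true;
        }

        if (LOG.isTraceEnabled()) {
            LOG.trace("JWT validation failed for provider [{}]. Multiple audience claims present but no authorized party", oauthClientConfiguration.getName());
        }
        return false;
    }
}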
