package com.okta.jwt.impl;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import java.util.List;
import java.util.Map;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:com/okta/jwt/impl/OktaJWTClaimsVerifier.class */
/**
 * Claims verifier that layers Okta-specific checks on top of
 * {@link DefaultJWTClaimsVerifier}: issuer, audience, client id, nonce and subject.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The token type is read from the {@code "token_type"} entry of the context when the
 *       context is a {@link Map}; otherwise, or when the entry is absent, the token is
 *       validated as an access token.</li>
 *   <li>For access tokens the {@code cid} claim is compared only when a non-empty client id
 *       was configured.</li>
 *   <li>For ID tokens the {@code nonce} claim is compared only when the context supplies a
 *       non-null expected nonce. A caller that relies on the nonce for replay protection
 *       must put it into the context, or the check is skipped.</li>
 * </ul>
 *
 * <p>NOTE(review): which checks {@code super.verify} performs (presumably time-based claims)
 * depends on the Nimbus version in use; confirm before relying on it.
 *
 * @param <C> the security context type; only {@link Map}-based contexts are inspected
 */
public class OktaJWTClaimsVerifier<C extends SecurityContext> extends DefaultJWTClaimsVerifier<C> {
    private static final String CID_CLAIM = "cid";
    private static final String ACCESS_TOKEN = "access_token";
    private static final String ID_TOKEN = "id_token";

    // Expected value of the "iss" claim.
    private final String issuer;
    // Value that must appear in "aud" for access tokens.
    private final String audience;
    // OAuth client id: compared with "cid" (access tokens) or "aud" (ID tokens).
    private final String clientId;

    /**
     * Creates a verifier for a fixed issuer, audience and client id.
     *
     * @param str  expected issuer ({@code iss})
     * @param str2 expected audience for access tokens ({@code aud})
     * @param str3 OAuth client id; may be empty for access tokens, in which case the
     *             {@code cid} claim is not checked
     */
    public OktaJWTClaimsVerifier(String str, String str2, String str3) {
        this.issuer = str;
        this.audience = str2;
        this.clientId = str3;
    }

    /**
     * Verifies the claims of an access token or ID token.
     *
     * <p>Runs the inherited verification first, then checks the issuer, then applies the
     * checks for the token type taken from the context.
     *
     * @param jWTClaimsSet the claims to verify
     * @param c            the context; when it is a {@link Map}, its {@code "token_type"} and
     *                     {@code "nonce"} entries are used
     * @throws BadJWTException if a claim does not match or the token type is unknown
     */
    public void verify(JWTClaimsSet jWTClaimsSet, C c) throws BadJWTException {
        Assert.notNull(jWTClaimsSet, "JWTClaimsSet cannot be null");
        super.verify(jWTClaimsSet, c);

        // Defaults apply when the context is not a Map or carries no token type.
        String tokenType = ACCESS_TOKEN;
        String expectedNonce = null;
        if (c instanceof Map) {
            Map<?, ?> contextMap = (Map<?, ?>) c;
            Object declaredType = contextMap.get("token_type");
            if (declaredType != null) {
                tokenType = declaredType.toString();
            }
            // A non-String nonce in the context fails here with a ClassCastException.
            expectedNonce = (String) contextMap.get("nonce");
        }

        Object tokenIssuer = jWTClaimsSet.getClaims().get("iss");
        if (!this.issuer.equals(tokenIssuer)) {
            throw new BadJWTException(String.format("Failed to validate jwt string, invalid issuer, expected '%s', found '%s'", this.issuer, tokenIssuer));
        }

        if (ACCESS_TOKEN.equals(tokenType)) {
            verifyAccessTokenClaims(jWTClaimsSet);
        } else if (ID_TOKEN.equals(tokenType)) {
            verifyIdTokenClaims(jWTClaimsSet, expectedNonce);
        } else {
            // Any other token type is rejected rather than validated with partial checks.
            throw new BadJWTException(String.format("Unknown token type: '%s'", tokenType));
        }
    }

    /** Access token checks: {@code aud} must contain the audience; {@code cid} is compared when a client id is set. */
    private void verifyAccessTokenClaims(JWTClaimsSet claims) throws BadJWTException {
        List<String> tokenAudiences = claims.getAudience();
        boolean audienceMatches = CollectionUtils.isNotEmpty(tokenAudiences) && tokenAudiences.contains(this.audience);
        if (!audienceMatches) {
            throw new BadJWTException(String.format("Failed to validate jwt string, invalid audience claim 'aud', expected '%s', but found '%s'", this.audience, tokenAudiences));
        }

        // No configured client id means the "cid" claim is not constrained.
        if (StringUtils.isEmpty(this.clientId)) {
            return;
        }
        Object tokenClientId = claims.getClaim(CID_CLAIM);
        if (!this.clientId.equals(tokenClientId)) {
            throw new BadJWTException(String.format("Failed to validate jwt string, invalid clientId found in claim 'cid', expected '%s', but found '%s'", this.clientId, tokenClientId));
        }
    }

    /** ID token checks: {@code aud} must contain the client id, {@code nonce} must match when expected, {@code sub} must be present. */
    private void verifyIdTokenClaims(JWTClaimsSet claims, String expectedNonce) throws BadJWTException {
        Assert.notNull(this.clientId, "An OAuth clientId must be specified when validating ID Tokens.");

        List<String> tokenAudiences = claims.getAudience();
        boolean audienceMatches = CollectionUtils.isNotEmpty(tokenAudiences) && tokenAudiences.contains(this.clientId);
        if (!audienceMatches) {
            throw new BadJWTException(String.format("Failed to validate jwt string, invalid clientId found in claim 'aud', expected '%s', but found '%s'", this.clientId, tokenAudiences));
        }

        // The nonce is enforced only when the caller supplied an expected value.
        Object tokenNonce = claims.getClaim("nonce");
        boolean nonceMismatch = expectedNonce != null && !expectedNonce.equals(tokenNonce);
        if (nonceMismatch) {
            throw new BadJWTException(String.format("Invalid nonce found in ID Token, expected '%s', but found '%s'", expectedNonce, tokenNonce));
        }

        if (claims.getSubject() == null) {
            throw new BadJWTException("Invalid ID Token, missing subject claim ('sub')");
        }
    }
}
