package com.okta.jwt;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jose.util.IOUtils;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.okta.jwt.impl.NimbusJwtVerifier;
import com.okta.jwt.impl.OktaJWTClaimsVerifier;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;

/* loaded from: input_file:com/okta/jwt/JwtHelper.class */
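/**
 * Fluent builder for a {@link JwtVerifier} that validates tokens against an OIDC issuer.
 *
 * <p>{@link #build()} downloads the issuer's discovery document
 * ({@code <issuer>/.well-known/openid-configuration}), takes the JWK set URI from it and wires
 * a Nimbus JWT processor that accepts RS256 signatures only.
 *
 * <p>Instances are mutable and carry no synchronization; configure and build from one thread.
 */
public final class JwtHelper {
    /** Maximum size passed to the JWK set retriever (third {@code DefaultResourceRetriever} argument). */
    private static final int JWK_SET_SIZE_LIMIT = 51200;

    private String issuerUrl;
    private String clientId;
    private String audience = "api://default";
    private int connectionTimeout = 1000;
    private int readTimeout = 1000;

    /**
     * Sets the issuer URL; a single trailing {@code /} is stripped before it is stored.
     *
     * @param str the issuer URL, may be {@code null} (rejected later by {@link #build()})
     * @return this helper, for chaining
     */
    public JwtHelper setIssuerUrl(String str) {
        // The stored value is also handed to the claims verifier, so it is normalised once here.
        this.issuerUrl = (str == null) ? null : str.replaceAll("/$", "");
        return this;
    }

    /**
     * Sets the expected audience. Defaults to {@code api://default}.
     *
     * @param str the expected audience value
     * @return this helper, for chaining
     */
    public JwtHelper setAudience(String str) {
        this.audience = str;
        return this;
    }

    /**
     * Sets the client id passed to the claims verifier.
     *
     * @param str the client id; not validated by this class
     * @return this helper, for chaining
     */
    public JwtHelper setClientId(String str) {
        this.clientId = str;
        return this;
    }

    /**
     * Sets the connect timeout used for the discovery document and the JWK set retrieval.
     *
     * @param i timeout in milliseconds
     * @return this helper, for chaining
     */
    public JwtHelper setConnectionTimeout(int i) {
        this.connectionTimeout = i;
        return this;
    }

    /**
     * Sets the read timeout used for the discovery document and the JWK set retrieval.
     *
     * @param i timeout in milliseconds
     * @return this helper, for chaining
     */
    public JwtHelper setReadTimeout(int i) {
        this.readTimeout = i;
        return this;
    }

    /**
     * Fetches the issuer's discovery document and builds a verifier from it.
     *
     * @return a verifier bound to the issuer's JWK set, the configured audience and client id
     * @throws IllegalArgumentException if the issuer URL or audience is null or empty
     * @throws IOException if the discovery document cannot be retrieved
     * @throws ParseException if the discovery document is not valid provider metadata
     */
    public JwtVerifier build() throws IOException, ParseException {
        notEmpty(this.issuerUrl, "IssuerUrl cannot be empty");
        notEmpty(this.audience, "Audience cannot be empty");

        URL metadataUrl =
                URI.create(this.issuerUrl + "/").resolve(".well-known/openid-configuration").toURL();
        OIDCProviderMetadata metadata = OIDCProviderMetadata.parse(readMetadataFromUrl(metadataUrl));

        // NOTE(review): the jwks_uri is used exactly as the discovery document states it, and
        // neither URL scheme is checked here. The keys this verifier trusts are therefore only
        // as trustworthy as the transport to issuerUrl; confirm callers always pass https.
        URL jwkSetUrl = metadata.getJWKSetURI().toURL();

        DefaultJWTProcessor jwtProcessor = new DefaultJWTProcessor();
        // Pinning RS256 keeps the token header from choosing the verification algorithm.
        jwtProcessor.setJWSKeySelector(
                new JWSVerificationKeySelector(
                        JWSAlgorithm.RS256,
                        new RemoteJWKSet(
                                jwkSetUrl,
                                new DefaultResourceRetriever(
                                        this.connectionTimeout, this.readTimeout, JWK_SET_SIZE_LIMIT))));
        // NOTE(review): clientId may still be null at this point; what the claims verifier does
        // with a null client id is decided in OktaJWTClaimsVerifier, verify there.
        jwtProcessor.setJWTClaimsSetVerifier(
                new OktaJWTClaimsVerifier(this.issuerUrl, this.audience, this.clientId));
        return new NimbusJwtVerifier(jwtProcessor);
    }

    /**
     * Downloads the discovery document as UTF-8 text.
     *
     * <p>The configured connect and read timeouts are applied to this request as well, so an
     * unresponsive issuer endpoint cannot block {@link #build()} indefinitely.
     *
     * @param url location of the discovery document
     * @return the response body
     * @throws IOException if the connection or the read fails or times out
     */
    String readMetadataFromUrl(URL url) throws IOException {
        URLConnection connection = url.openConnection();
        connection.setConnectTimeout(this.connectionTimeout);
        connection.setReadTimeout(this.readTimeout);
        // NOTE(review): this read has no size cap, unlike the JWK set retrieval in build().
        // Closed here rather than relying on the helper to release the stream.
        try (InputStream body = connection.getInputStream()) {
            return IOUtils.readInputStreamToString(body, StandardCharsets.UTF_8);
        }
    }

    /**
     * Rejects a null or empty configuration value.
     *
     * @param value the value to check
     * @param message the exception message to use when the check fails
     * @throws IllegalArgumentException if {@code value} is null or empty
     */
    private static void notEmpty(String value, String message) {
        if (value == null || value.isEmpty()) {
            throw new IllegalArgumentException(message);
        }
    }
}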
