package org.pac4j.oidc.profile.creator;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCResponseTypeValue;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.List;
import lombok.Generated;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.oidc.config.OidcConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pac4j/oidc/profile/creator/TokenValidator.class */
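/**
 * Validates OpenID Connect ID tokens against the JWS algorithms the provider advertises.
 *
 * <p>One Nimbus {@link IDTokenValidator} is built per accepted algorithm: only the configured
 * preferred algorithm when the provider metadata lists it, otherwise every algorithm from the
 * metadata. {@link #validate(JWT, Nonce)} tries the validators in order and returns the claims of
 * the first one that succeeds, so a token is accepted if it verifies under any accepted algorithm
 * (each Nimbus validator is bound to exactly one expected {@code alg}).
 *
 * <p>Key selection: HMAC algorithms ({@code HS256/HS384/HS512}) are keyed with the client secret
 * and are only used when a secret is configured; every other case verifies against the provider's
 * JWK set. The {@code none} algorithm (unsigned tokens) is refused unless it is explicitly enabled
 * on the client side <em>and</em> the configured {@code response_type} never returns an ID token
 * from the authorization endpoint.
 */
public class TokenValidator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(TokenValidator.class);
    /** Validators in the order they are tried; one per accepted JWS algorithm. */
    private final List<IDTokenValidator> idTokenValidators;
    protected final OidcConfiguration configuration;

    /**
     * Builds the validators for the given configuration.
     *
     * @param configuration the OIDC client configuration (must not be {@code null})
     * @throws TechnicalException if the provider metadata lists no ID token JWS algorithm, if
     *                            {@code none} is among the accepted algorithms but unsigned ID tokens
     *                            are not permitted, or if the JWK set URI is malformed
     */
    public TokenValidator(final OidcConfiguration configuration) {
        CommonHelper.assertNotNull("configuration", configuration);
        // Assigned first so that overridable factory methods called below see a populated field.
        this.configuration = configuration;

        final List<JWSAlgorithm> metadataAlgorithms = configuration.findProviderMetadata().getIDTokenJWSAlgs();
        CommonHelper.assertTrue(CommonHelper.isNotEmpty(metadataAlgorithms), "There must at least one JWS algorithm supported on the OpenID Connect provider side");

        final List<JWSAlgorithm> acceptedAlgorithms = selectAlgorithms(configuration.getPreferredJwsAlgorithm(), metadataAlgorithms);

        final ClientID clientId = new ClientID(configuration.getClientId());
        final List<IDTokenValidator> validators = new ArrayList<>(acceptedAlgorithms.size());
        for (final JWSAlgorithm jwsAlgorithm : acceptedAlgorithms) {
            final IDTokenValidator validator = createValidator(configuration, jwsAlgorithm, clientId);
            validator.setMaxClockSkew(configuration.getMaxClockSkew());
            validators.add(validator);
        }
        this.idTokenValidators = validators;
    }

    /**
     * Narrows the accepted algorithms to the preferred one when the provider supports it;
     * otherwise falls back to the whole metadata list (and warns, since that widens what is accepted).
     */
    private static List<JWSAlgorithm> selectAlgorithms(final JWSAlgorithm preferred, final List<JWSAlgorithm> metadataAlgorithms) {
        if (metadataAlgorithms.contains(preferred)) {
            final List<JWSAlgorithm> single = new ArrayList<>(1);
            single.add(preferred);
            return single;
        }
        LOGGER.warn("Preferred JWS algorithm: {} not available. Using all metadata algorithms: {}", preferred, metadataAlgorithms);
        return metadataAlgorithms;
    }

    /**
     * Chooses the validator type for one algorithm: unsigned ({@code none}), HMAC with the client
     * secret, or JWK-set based.
     */
    private IDTokenValidator createValidator(final OidcConfiguration configuration, final JWSAlgorithm jwsAlgorithm, final ClientID clientId) {
        if ("none".equals(jwsAlgorithm.getName())) {
            return createUnsignedTokenValidator(configuration, clientId);
        }
        if (isHmacAlgorithm(jwsAlgorithm) && CommonHelper.isNotBlank(configuration.getSecret())) {
            return createHMACTokenValidator(configuration, jwsAlgorithm, clientId, new Secret(configuration.getSecret()));
        }
        // Covers the asymmetric algorithms, and HMAC algorithms when no client secret is configured.
        return createRSATokenValidator(configuration, jwsAlgorithm, clientId);
    }

    /**
     * Builds a validator that performs no signature check. Fails closed unless unsigned tokens are
     * explicitly allowed and the response_type does not deliver the ID token via the authorization
     * endpoint (an unsigned token is only acceptable when obtained directly from the token endpoint).
     *
     * @throws TechnicalException if unsigned ID tokens are not permitted for this configuration
     */
    private static IDTokenValidator createUnsignedTokenValidator(final OidcConfiguration configuration, final ClientID clientId) {
        final String responseType = configuration.getResponseType();
        final boolean idTokenFromAuthorizationEndpoint =
            responseType != null && responseType.contains(OIDCResponseTypeValue.ID_TOKEN.toString());
        if (!configuration.isAllowUnsignedIdTokens() || idTokenFromAuthorizationEndpoint) {
            throw new TechnicalException("Unsigned ID tokens are not allowed: they must be explicitly enabled on client side and the response_type used must return no ID Token from the authorization endpoint");
        }
        LOGGER.warn("Allowing unsigned ID tokens");
        return new IDTokenValidator(configuration.findProviderMetadata().getIssuer(), clientId);
    }

    /** Whether the algorithm is one of the HMAC-SHA variants keyed with the client secret. */
    private static boolean isHmacAlgorithm(final JWSAlgorithm jwsAlgorithm) {
        return JWSAlgorithm.HS256.equals(jwsAlgorithm)
            || JWSAlgorithm.HS384.equals(jwsAlgorithm)
            || JWSAlgorithm.HS512.equals(jwsAlgorithm);
    }

    /**
     * Creates a validator that verifies signatures against the provider's remote JWK set.
     * The decompiler note indicates this member was {@code protected} in the original source; it is
     * kept {@code public} here to preserve the visible interface.
     *
     * @param oidcConfiguration the client configuration (provider metadata and resource retriever)
     * @param jWSAlgorithm      the single JWS algorithm this validator accepts
     * @param clientID          the expected audience
     * @return the configured validator
     * @throws TechnicalException if the JWK set URI from the metadata is not a valid URL
     */
    public IDTokenValidator createRSATokenValidator(final OidcConfiguration oidcConfiguration, final JWSAlgorithm jWSAlgorithm, final ClientID clientID) {
        final var metadata = oidcConfiguration.findProviderMetadata();
        try {
            return new IDTokenValidator(metadata.getIssuer(), clientID, jWSAlgorithm, metadata.getJWKSetURI().toURL(), oidcConfiguration.findResourceRetriever());
        } catch (final MalformedURLException e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Creates a validator that verifies HMAC signatures with the given secret.
     *
     * @param oidcConfiguration the client configuration (provider metadata)
     * @param jWSAlgorithm      the HMAC JWS algorithm this validator accepts
     * @param clientID          the expected audience
     * @param secret            the shared secret used as the HMAC key
     * @return the configured validator
     */
    protected IDTokenValidator createHMACTokenValidator(final OidcConfiguration oidcConfiguration, final JWSAlgorithm jWSAlgorithm, final ClientID clientID, final Secret secret) {
        return new IDTokenValidator(oidcConfiguration.findProviderMetadata().getIssuer(), clientID, jWSAlgorithm, secret);
    }

    /**
     * Validates the ID token, returning the claims of the first validator that accepts it.
     *
     * <p>When every validator rejects the token, the exception of the last validator tried is
     * rethrown, a {@link BadJOSEException} taking precedence over a {@link JOSEException}.
     * Individual failures are logged at debug level only.
     *
     * @param jwt   the ID token to validate
     * @param nonce the expected nonce, or {@code null} when none is expected
     * @return the validated claims
     * @throws BadJOSEException  if the token is rejected (bad signature, claims, or algorithm)
     * @throws JOSEException     if signature processing itself fails
     * @throws TechnicalException if no validator is configured (not expected after construction,
     *                            which always yields at least one validator)
     */
    public IDTokenClaimsSet validate(final JWT jwt, final Nonce nonce) throws BadJOSEException, JOSEException {
        BadJOSEException lastBadJose = null;
        JOSEException lastJose = null;
        for (final IDTokenValidator validator : this.idTokenValidators) {
            LOGGER.debug("Trying IDToken validator: {}", validator);
            try {
                return validator.validate(jwt, nonce);
            } catch (final BadJOSEException e) {
                LOGGER.debug(e.getMessage(), e);
                lastBadJose = e;
            } catch (final JOSEException e) {
                LOGGER.debug(e.getMessage(), e);
                lastJose = e;
            }
        }
        if (lastBadJose != null) {
            throw lastBadJose;
        }
        if (lastJose != null) {
            throw lastJose;
        }
        throw new TechnicalException("Unable to validate the ID token");
    }

    /**
     * Returns the validators in the order they are tried. This is the internal list itself, not a
     * copy, so callers must not modify it.
     */
    List<IDTokenValidator> getIdTokenValidators() {
        return this.idTokenValidators;
    }
}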
