package org.springframework.security.oauth2.client.oidc.authentication;

import java.net.URL;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.class */
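/**
 * Validates the claims of an OpenID Connect ID Token (OpenID Connect Core 1.0, ID Token
 * Validation) against the {@link ClientRegistration} the token was obtained for.
 *
 * <p>Checked here: presence of the required claims ({@code iss}, {@code sub}, {@code aud},
 * {@code exp}, {@code iat}), exact match of {@code iss} with the configured issuer (when one is
 * configured), that {@code aud} contains the client id, the {@code azp} rules for multi-audience
 * tokens, and that {@code exp}/{@code iat} are consistent with the current time allowing for a
 * configurable clock skew. Signature verification is not performed here; it is expected to be done
 * by the JWT decoder that produced the {@link Jwt}.
 *
 * <p>This class is not thread-safe with respect to the setters; configure it before sharing.
 */
public final class OidcIdTokenValidator implements OAuth2TokenValidator<Jwt> {

    /** Default tolerance applied to the {@code exp} and {@code iat} checks. */
    private static final Duration DEFAULT_CLOCK_SKEW = Duration.ofSeconds(60);

    private final ClientRegistration clientRegistration;

    // Tolerance for clock differences between this client and the provider; never negative.
    private Duration clockSkew = DEFAULT_CLOCK_SKEW;

    // Source of "now" for the time-based checks; injectable for deterministic tests.
    private Clock clock = Clock.systemUTC();

    /**
     * Creates a validator for ID Tokens issued to the given client registration.
     *
     * @param clientRegistration the registration supplying the expected issuer and client id
     * @throws IllegalArgumentException if {@code clientRegistration} is {@code null}
     */
    public OidcIdTokenValidator(ClientRegistration clientRegistration) {
        Assert.notNull(clientRegistration, "clientRegistration cannot be null");
        this.clientRegistration = clientRegistration;
    }

    /**
     * Validates the ID Token claims and reports every invalid claim in a single failure result.
     *
     * @param jwt the decoded ID Token
     * @return {@link OAuth2TokenValidatorResult#success()} when all checks pass, otherwise a
     *     failure carrying an {@code invalid_id_token} error that lists the offending claims
     */
    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        Map<String, Object> invalidClaims = validateRequiredClaims(jwt);
        if (!invalidClaims.isEmpty()) {
            // A required claim is absent: fail now rather than dereference nulls below.
            return OAuth2TokenValidatorResult.failure(invalidIdToken(invalidClaims));
        }

        String clientId = this.clientRegistration.getClientId();

        // iss must be an exact string match with the configured issuer identifier. When the
        // registration has no issuer URI configured, this check is skipped.
        String issuerUri = this.clientRegistration.getProviderDetails().getIssuerUri();
        if (issuerUri != null && !Objects.equals(issuerUri, jwt.getIssuer().toExternalForm())) {
            invalidClaims.put("iss", jwt.getIssuer());
        }

        // aud must include this client's id; extra audiences are tolerated only with azp below.
        List<String> audience = jwt.getAudience();
        if (!audience.contains(clientId)) {
            invalidClaims.put("aud", audience);
        }

        // azp is required when there are multiple audiences, and when present it must equal the
        // client id. A null value is recorded deliberately to flag the missing claim.
        String authorizedParty = jwt.getClaimAsString("azp");
        if (audience.size() > 1 && authorizedParty == null) {
            invalidClaims.put("azp", authorizedParty);
        }
        if (authorizedParty != null && !authorizedParty.equals(clientId)) {
            invalidClaims.put("azp", authorizedParty);
        }

        // Time checks: reject tokens that expired more than clockSkew ago, or that claim to have
        // been issued more than clockSkew in the future.
        Instant now = Instant.now(this.clock);
        if (now.minus(this.clockSkew).isAfter(jwt.getExpiresAt())) {
            invalidClaims.put("exp", jwt.getExpiresAt());
        }
        if (now.plus(this.clockSkew).isBefore(jwt.getIssuedAt())) {
            invalidClaims.put("iat", jwt.getIssuedAt());
        }

        if (invalidClaims.isEmpty()) {
            return OAuth2TokenValidatorResult.success();
        }
        return OAuth2TokenValidatorResult.failure(invalidIdToken(invalidClaims));
    }

    /**
     * Sets the tolerance used when comparing {@code exp} and {@code iat} with the current time.
     *
     * @param duration the clock skew; must be non-null and not negative
     * @throws IllegalArgumentException if {@code duration} is {@code null} or negative
     */
    public void setClockSkew(Duration duration) {
        Assert.notNull(duration, "clockSkew cannot be null");
        Assert.isTrue(duration.getSeconds() >= 0, "clockSkew must be >= 0");
        this.clockSkew = duration;
    }

    /**
     * Sets the clock used to obtain the current time for the {@code exp}/{@code iat} checks.
     *
     * @param clock the clock to use; must not be {@code null}
     * @throws IllegalArgumentException if {@code clock} is {@code null}
     */
    public void setClock(Clock clock) {
        Assert.notNull(clock, "clock cannot be null");
        this.clock = clock;
    }

    /**
     * Builds the {@code invalid_id_token} error describing the given claims.
     *
     * @param invalidClaims claim name to offending value (possibly {@code null} when missing)
     * @return the error, pointing at the ID Token Validation section of OpenID Connect Core 1.0
     */
    private static OAuth2Error invalidIdToken(Map<String, Object> invalidClaims) {
        return new OAuth2Error("invalid_id_token", "The ID Token contains invalid claims: " + invalidClaims, "https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation");
    }

    /**
     * Collects the required ID Token claims that are missing from the token.
     *
     * <p>Each missing claim is recorded under its name with the (null or empty) value that was
     * observed, so that the resulting error message names every absent claim.
     *
     * @param jwt the decoded ID Token
     * @return a mutable map of missing claims; empty when all required claims are present
     */
    private static Map<String, Object> validateRequiredClaims(Jwt jwt) {
        Map<String, Object> missingClaims = new HashMap<>();
        URL issuer = jwt.getIssuer();
        if (issuer == null) {
            missingClaims.put("iss", issuer);
        }
        String subject = jwt.getSubject();
        if (subject == null) {
            missingClaims.put("sub", subject);
        }
        List<String> audience = jwt.getAudience();
        if (CollectionUtils.isEmpty(audience)) {
            missingClaims.put("aud", audience);
        }
        Instant expiresAt = jwt.getExpiresAt();
        if (expiresAt == null) {
            missingClaims.put("exp", expiresAt);
        }
        Instant issuedAt = jwt.getIssuedAt();
        if (issuedAt == null) {
            missingClaims.put("iat", issuedAt);
        }
        return missingClaims;
    }
}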
