package org.springframework.security.oauth2.client.oidc.authentication;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-oauth2-client-5.6.1.jar:org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProvider.class */
/**
 * {@link AuthenticationProvider} for the OpenID Connect 1.0 Authorization Code flow.
 *
 * <p>Given an {@link OAuth2LoginAuthenticationToken} whose authorization request carries the
 * {@code openid} scope, this provider:
 * <ol>
 *   <li>rejects an error authorization response and a mismatched {@code state} parameter,</li>
 *   <li>exchanges the authorization code for a token response,</li>
 *   <li>requires an {@code id_token} in the token response and decodes it with a
 *       {@link JwtDecoder} obtained from the configured {@link JwtDecoderFactory},</li>
 *   <li>checks the ID Token {@code nonce} claim against the SHA-256 hash of the request nonce
 *       (when the request carried one),</li>
 *   <li>loads the {@link OidcUser} and maps its authorities.</li>
 * </ol>
 * Tokens whose authorization request does not contain {@code openid} are ignored
 * ({@code null} is returned) so another provider can handle them.
 */
public class OidcAuthorizationCodeAuthenticationProvider implements AuthenticationProvider {

    /** Error code used when the response {@code state} does not equal the request {@code state}. */
    private static final String INVALID_STATE_PARAMETER_ERROR_CODE = "invalid_state_parameter";

    /** Error code used when the token response lacks an ID Token or the ID Token fails to decode. */
    private static final String INVALID_ID_TOKEN_ERROR_CODE = "invalid_id_token";

    /** Error code used when the ID Token {@code nonce} claim does not match the hashed request nonce. */
    private static final String INVALID_NONCE_ERROR_CODE = "invalid_nonce";

    /** Exchanges the authorization code for tokens; never {@code null}. */
    private final OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient;

    /** Loads the end user once the ID Token has been decoded and validated; never {@code null}. */
    private final OAuth2UserService<OidcUserRequest, OidcUser> userService;

    /** Supplies the decoder used for the ID Token of a given client registration. */
    private JwtDecoderFactory<ClientRegistration> jwtDecoderFactory = new OidcIdTokenDecoderFactory();

    /** Maps the loaded user's authorities; the default is the identity mapping. */
    private GrantedAuthoritiesMapper authoritiesMapper = (authorities) -> authorities;

    /**
     * Creates a provider backed by the given token client and user service.
     *
     * @param oAuth2AccessTokenResponseClient client that exchanges the authorization code for tokens
     * @param oAuth2UserService service that loads the {@link OidcUser}
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public OidcAuthorizationCodeAuthenticationProvider(OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> oAuth2AccessTokenResponseClient, OAuth2UserService<OidcUserRequest, OidcUser> oAuth2UserService) {
        Assert.notNull(oAuth2AccessTokenResponseClient, "accessTokenResponseClient cannot be null");
        Assert.notNull(oAuth2UserService, "userService cannot be null");
        this.accessTokenResponseClient = oAuth2AccessTokenResponseClient;
        this.userService = oAuth2UserService;
    }

    /**
     * Authenticates an OpenID Connect login.
     *
     * @param authentication an {@link OAuth2LoginAuthenticationToken} (callers are expected to have
     *        checked {@link #supports(Class)} first; the cast is unchecked here)
     * @return a fully populated {@link OAuth2LoginAuthenticationToken}, or {@code null} when the
     *         authorization request does not contain the {@code openid} scope
     * @throws OAuth2AuthenticationException on an error authorization response, a {@code state}
     *         mismatch, a failed token exchange, a missing or undecodable ID Token, or a nonce mismatch
     */
    @Override // org.springframework.security.authentication.AuthenticationProvider
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2LoginAuthenticationToken loginToken = (OAuth2LoginAuthenticationToken) authentication;
        OAuth2AuthorizationRequest authorizationRequest = loginToken.getAuthorizationExchange().getAuthorizationRequest();
        // Not an OIDC login: return null so a plain OAuth2 provider can take over.
        if (!authorizationRequest.getScopes().contains(OidcScopes.OPENID)) {
            return null;
        }
        OAuth2AuthorizationResponse authorizationResponse = loginToken.getAuthorizationExchange().getAuthorizationResponse();
        if (authorizationResponse.statusError()) {
            OAuth2Error responseError = authorizationResponse.getError();
            throw new OAuth2AuthenticationException(responseError, responseError.toString());
        }
        // The state returned by the authorization server must echo the one we sent.
        if (!authorizationResponse.getState().equals(authorizationRequest.getState())) {
            throw authenticationError(INVALID_STATE_PARAMETER_ERROR_CODE);
        }

        OAuth2AccessTokenResponse tokenResponse = exchangeCodeForTokens(loginToken);
        ClientRegistration clientRegistration = loginToken.getClientRegistration();
        Map<String, Object> additionalParameters = tokenResponse.getAdditionalParameters();
        if (!additionalParameters.containsKey(OidcParameterNames.ID_TOKEN)) {
            OAuth2Error missingIdToken = new OAuth2Error(INVALID_ID_TOKEN_ERROR_CODE, "Missing (required) ID Token in Token Response for Client Registration: " + clientRegistration.getRegistrationId(), null);
            throw new OAuth2AuthenticationException(missingIdToken, missingIdToken.toString());
        }

        OidcIdToken idToken = decodeIdToken(clientRegistration, tokenResponse);
        validateNonce(authorizationRequest, idToken);

        OidcUserRequest userRequest = new OidcUserRequest(clientRegistration, tokenResponse.getAccessToken(), idToken, additionalParameters);
        OidcUser oidcUser = this.userService.loadUser(userRequest);
        OAuth2LoginAuthenticationToken result = new OAuth2LoginAuthenticationToken(
                clientRegistration,
                loginToken.getAuthorizationExchange(),
                oidcUser,
                this.authoritiesMapper.mapAuthorities(oidcUser.getAuthorities()),
                tokenResponse.getAccessToken(),
                tokenResponse.getRefreshToken());
        result.setDetails(loginToken.getDetails());
        return result;
    }

    /**
     * Exchanges the authorization code carried by {@code loginToken} for a token response.
     *
     * @throws OAuth2AuthenticationException wrapping the {@link OAuth2Error} of any
     *         {@link OAuth2AuthorizationException} raised by the token client
     */
    private OAuth2AccessTokenResponse exchangeCodeForTokens(OAuth2LoginAuthenticationToken loginToken) {
        try {
            OAuth2AuthorizationCodeGrantRequest grantRequest = new OAuth2AuthorizationCodeGrantRequest(
                    loginToken.getClientRegistration(), loginToken.getAuthorizationExchange());
            return this.accessTokenResponseClient.getTokenResponse(grantRequest);
        } catch (OAuth2AuthorizationException ex) {
            OAuth2Error error = ex.getError();
            throw new OAuth2AuthenticationException(error, error.toString(), ex);
        }
    }

    /**
     * Verifies that the ID Token {@code nonce} claim equals the SHA-256 hash of the nonce stored in
     * the authorization request. A request without a {@code nonce} attribute is accepted as-is.
     *
     * @throws OAuth2AuthenticationException with code {@code invalid_nonce} if the claim is absent,
     *         differs from the expected hash, or the hash cannot be computed
     */
    private void validateNonce(OAuth2AuthorizationRequest authorizationRequest, OidcIdToken idToken) {
        String requestNonce = (String) authorizationRequest.getAttribute("nonce");
        if (requestNonce == null) {
            return; // no nonce was sent, so there is nothing to bind the ID Token to
        }
        String expectedNonceHash;
        try {
            expectedNonceHash = createHash(requestNonce);
        } catch (NoSuchAlgorithmException ex) {
            // The cause is intentionally not attached; only the error code is surfaced.
            throw authenticationError(INVALID_NONCE_ERROR_CODE);
        }
        String claimedNonce = idToken.getNonce();
        // NOTE(review): plain String.equals rather than a constant-time compare; the claim comes
        // from a token the JwtDecoder has presumably already verified, so this is not expected
        // to be attacker-steerable — confirm against the decoder in use.
        if (claimedNonce == null || !claimedNonce.equals(expectedNonceHash)) {
            throw authenticationError(INVALID_NONCE_ERROR_CODE);
        }
    }

    /**
     * Sets the factory used to obtain the ID Token decoder per client registration.
     *
     * @throws IllegalArgumentException if {@code jwtDecoderFactory} is {@code null}
     */
    public final void setJwtDecoderFactory(JwtDecoderFactory<ClientRegistration> jwtDecoderFactory) {
        Assert.notNull(jwtDecoderFactory, "jwtDecoderFactory cannot be null");
        this.jwtDecoderFactory = jwtDecoderFactory;
    }

    /**
     * Sets the mapper applied to the loaded user's authorities.
     *
     * @throws IllegalArgumentException if {@code grantedAuthoritiesMapper} is {@code null}
     */
    public final void setAuthoritiesMapper(GrantedAuthoritiesMapper grantedAuthoritiesMapper) {
        Assert.notNull(grantedAuthoritiesMapper, "authoritiesMapper cannot be null");
        this.authoritiesMapper = grantedAuthoritiesMapper;
    }

    /**
     * @return {@code true} for {@link OAuth2LoginAuthenticationToken} and its subtypes
     */
    @Override // org.springframework.security.authentication.AuthenticationProvider
    public boolean supports(Class<?> cls) {
        Class<?> supported = OAuth2LoginAuthenticationToken.class;
        return supported.isAssignableFrom(cls);
    }

    /**
     * Decodes the {@code id_token} in the token response with a decoder created for
     * {@code clientRegistration} and wraps it as an {@link OidcIdToken}.
     *
     * @throws OAuth2AuthenticationException with code {@code invalid_id_token} and the
     *         {@link JwtException} message if decoding fails
     */
    private OidcIdToken decodeIdToken(ClientRegistration clientRegistration, OAuth2AccessTokenResponse tokenResponse) {
        JwtDecoder decoder = this.jwtDecoderFactory.createDecoder(clientRegistration);
        Jwt jwt;
        try {
            String rawIdToken = (String) tokenResponse.getAdditionalParameters().get(OidcParameterNames.ID_TOKEN);
            jwt = decoder.decode(rawIdToken);
        } catch (JwtException ex) {
            OAuth2Error error = new OAuth2Error(INVALID_ID_TOKEN_ERROR_CODE, ex.getMessage(), null);
            throw new OAuth2AuthenticationException(error, error.toString(), ex);
        }
        return new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims());
    }

    /** Builds the exception thrown for a bare error code: {@code OAuth2Error(code)} with its own string as message. */
    private static OAuth2AuthenticationException authenticationError(String errorCode) {
        OAuth2Error error = new OAuth2Error(errorCode);
        return new OAuth2AuthenticationException(error, error.toString());
    }

    /**
     * Computes the unpadded, URL-safe Base64 encoding of the SHA-256 digest of the ASCII bytes of
     * {@code str}. This is the form in which the request nonce is expected to appear in the ID Token.
     *
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable in the runtime
     */
    static String createHash(String str) throws NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] digest = sha256.digest(str.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }
}
