package org.springframework.security.oauth2.server.authorization.oidc.authentication;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
import org.springframework.util.Assert;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcUserInfoAuthenticationProvider.class */
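/**
 * {@link AuthenticationProvider} for the OpenID Connect UserInfo endpoint.
 *
 * <p>Authenticates an {@link OidcUserInfoAuthenticationToken} by resolving the bearer
 * access token carried as its principal, validating it against the
 * {@link OAuth2AuthorizationService}, and then mapping the authorization to an
 * {@link OidcUserInfo} via the configured {@code userInfoMapper}.
 *
 * <p>The default mapper only releases claims that the access token's granted scopes
 * cover (see {@link DefaultOidcUserInfoMapper}); it never returns the full ID Token
 * claim set unfiltered.
 */
public final class OidcUserInfoAuthenticationProvider implements AuthenticationProvider {
    private final OAuth2AuthorizationService authorizationService;
    // NOTE(review): not volatile; expected to be configured once at startup before use.
    private Function<OidcUserInfoAuthenticationContext, OidcUserInfo> userInfoMapper = new DefaultOidcUserInfoMapper();

    /**
     * Default mapping from an authorization to the UserInfo claims it is allowed to expose.
     *
     * <p>Claims are taken from the stored ID Token and filtered by an allow-list derived
     * from the access token's scopes: {@code sub} is always included; {@code address},
     * {@code email}, {@code phone} and {@code profile} each unlock their standard claim
     * group. Any claim not on the allow-list is dropped, so scopes act as a strict
     * upper bound on what the endpoint discloses.
     */
    private static final class DefaultOidcUserInfoMapper implements Function<OidcUserInfoAuthenticationContext, OidcUserInfo> {
        private static final List<String> EMAIL_CLAIMS = Arrays.asList("email", "email_verified");
        private static final List<String> PHONE_CLAIMS = Arrays.asList("phone_number", "phone_number_verified");
        private static final List<String> PROFILE_CLAIMS = Arrays.asList("name", "family_name", "given_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale", "updated_at");

        private DefaultOidcUserInfoMapper() {
        }

        /**
         * Builds the UserInfo response for the given context.
         *
         * @param context the authentication context holding the authorization and access token
         * @return the scope-filtered claims wrapped as {@link OidcUserInfo}
         */
        @Override
        public OidcUserInfo apply(OidcUserInfoAuthenticationContext context) {
            Map<String, Object> idTokenClaims = context.getAuthorization()
                    .getToken(OidcIdToken.class)
                    .getToken()
                    .getClaims();
            Set<String> grantedScopes = context.getAccessToken().getScopes();
            return new OidcUserInfo(getClaimsRequestedByScope(idTokenClaims, grantedScopes));
        }

        /**
         * Filters {@code claims} down to the names permitted by {@code requestedScopes}.
         *
         * @param claims         all available claims (typically the ID Token claims)
         * @param requestedScopes the scopes granted to the access token
         * @return a new, mutable map containing only the permitted entries
         */
        private static Map<String, Object> getClaimsRequestedByScope(Map<String, Object> claims, Set<String> requestedScopes) {
            // Allow-list: only names added here survive the filter below.
            Set<String> allowedClaims = new HashSet<>(32);
            allowedClaims.add(OAuth2TokenIntrospectionClaimNames.SUB);
            if (requestedScopes.contains("address")) {
                allowedClaims.add("address");
            }
            if (requestedScopes.contains("email")) {
                allowedClaims.addAll(EMAIL_CLAIMS);
            }
            if (requestedScopes.contains("phone")) {
                allowedClaims.addAll(PHONE_CLAIMS);
            }
            if (requestedScopes.contains("profile")) {
                allowedClaims.addAll(PROFILE_CLAIMS);
            }
            // Copy first so the caller's map (the ID Token claims) is never mutated.
            Map<String, Object> filtered = new HashMap<>(claims);
            filtered.keySet().removeIf(name -> !allowedClaims.contains(name));
            return filtered;
        }
    }

    /**
     * Creates a provider backed by the given authorization store.
     *
     * @param authorizationService the service used to look up authorizations by access token
     * @throws IllegalArgumentException if {@code authorizationService} is {@code null}
     */
    public OidcUserInfoAuthenticationProvider(OAuth2AuthorizationService authorizationService) {
        Assert.notNull(authorizationService, "authorizationService cannot be null");
        this.authorizationService = authorizationService;
    }

    /**
     * Validates the bearer access token presented to the UserInfo endpoint and, on
     * success, returns an authenticated token carrying the mapped {@link OidcUserInfo}.
     *
     * <p>Rejection cases, in order: the principal is not an authenticated
     * {@link AbstractOAuth2TokenAuthenticationToken}; no authorization is found for the
     * token value; the stored access token is not active (expired, invalidated, or not
     * yet valid); the token lacks the {@code openid} scope; or the authorization has no
     * ID Token. All but the scope check report {@code invalid_token}; the scope check
     * reports {@code insufficient_scope}.
     *
     * @param authentication an {@link OidcUserInfoAuthenticationToken}
     * @return the authenticated token with the UserInfo payload
     * @throws OAuth2AuthenticationException if the access token is missing, invalid or insufficient
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OidcUserInfoAuthenticationToken userInfoAuthentication = (OidcUserInfoAuthenticationToken) authentication;

        // instanceof also covers a null principal, which the original class-based check would NPE on.
        Object principal = userInfoAuthentication.getPrincipal();
        AbstractOAuth2TokenAuthenticationToken<?> accessTokenAuthentication = null;
        if (principal instanceof AbstractOAuth2TokenAuthenticationToken) {
            accessTokenAuthentication = (AbstractOAuth2TokenAuthenticationToken<?>) principal;
        }
        if (accessTokenAuthentication == null || !accessTokenAuthentication.isAuthenticated()) {
            throw new OAuth2AuthenticationException("invalid_token");
        }

        String accessTokenValue = accessTokenAuthentication.getToken().getTokenValue();
        OAuth2Authorization authorization = this.authorizationService.findByToken(accessTokenValue, OAuth2TokenType.ACCESS_TOKEN);
        if (authorization == null) {
            throw new OAuth2AuthenticationException("invalid_token");
        }

        OAuth2Authorization.Token<OAuth2AccessToken> authorizedAccessToken = authorization.getAccessToken();
        if (!authorizedAccessToken.isActive()) {
            throw new OAuth2AuthenticationException("invalid_token");
        }
        // UserInfo is only meaningful for an OpenID Connect authorization.
        if (!authorizedAccessToken.getToken().getScopes().contains("openid")) {
            throw new OAuth2AuthenticationException("insufficient_scope");
        }
        // The mapper reads claims from the ID Token, so its absence is a hard failure.
        if (authorization.getToken(OidcIdToken.class) == null) {
            throw new OAuth2AuthenticationException("invalid_token");
        }

        OidcUserInfoAuthenticationContext context = OidcUserInfoAuthenticationContext.with(userInfoAuthentication)
                .accessToken(authorizedAccessToken.getToken())
                .authorization(authorization)
                .build();
        OidcUserInfo userInfo = this.userInfoMapper.apply(context);
        return new OidcUserInfoAuthenticationToken(accessTokenAuthentication, userInfo);
    }

    /**
     * @return {@code true} only for {@link OidcUserInfoAuthenticationToken} (and subclasses)
     */
    @Override
    public boolean supports(Class<?> authentication) {
        return OidcUserInfoAuthenticationToken.class.isAssignableFrom(authentication);
    }

    /**
     * Replaces the default scope-based claim mapper.
     *
     * <p>A custom mapper is responsible for its own claim filtering; returning claims
     * beyond what the access token's scopes permit would widen disclosure.
     *
     * @param userInfoMapper the mapper producing the {@link OidcUserInfo} response
     * @throws IllegalArgumentException if {@code userInfoMapper} is {@code null}
     */
    public void setUserInfoMapper(Function<OidcUserInfoAuthenticationContext, OidcUserInfo> userInfoMapper) {
        Assert.notNull(userInfoMapper, "userInfoMapper cannot be null");
        this.userInfoMapper = userInfoMapper;
    }
}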
