package com.nimbusds.openid.connect.sdk.validators;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWEKeySelector;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.claims.LogoutTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import java.net.URL;
import net.jcip.annotations.ThreadSafe;

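/**
 * Validates logout tokens (JWTs) for a given expected issuer and client ID.
 *
 * <p>Unsecured (plain) JWTs are always rejected. Signed and encrypted JWTs are
 * processed by a {@link DefaultJWTProcessor} set up with the key selectors held
 * by this validator and a {@code LogoutTokenClaimsVerifier} built from the
 * expected issuer and client ID.
 *
 * <p>Review notes for integrators:
 * <ul>
 *   <li>The claim checks themselves live in {@code LogoutTokenClaimsVerifier},
 *       which is not part of this class; confirm there which claims are
 *       enforced.</li>
 *   <li>This class keeps no record of tokens it has already accepted, so
 *       replay detection, if required, has to be done by the caller.</li>
 * </ul>
 */
@ThreadSafe
/* loaded from: input_file:lib/oauth2-oidc-sdk-6.5.jar:com/nimbusds/openid/connect/sdk/validators/LogoutTokenValidator.class */
public class LogoutTokenValidator extends AbstractJWTValidator {
    /**
     * Creates a validator for signed logout tokens verified against a fixed,
     * locally supplied JWK set. No JWE key selector is configured, so encrypted
     * tokens are rejected by {@link #validate(JWT)}.
     *
     * @param issuer       the expected token issuer
     * @param clientID     the client ID handed to the claims verifier
     * @param jWSAlgorithm the single JWS algorithm the key selector is built for
     * @param jWKSet       the JWK set holding the verification keys
     */
    public LogoutTokenValidator(Issuer issuer, ClientID clientID, JWSAlgorithm jWSAlgorithm, JWKSet jWKSet) {
        this(issuer, clientID, new JWSVerificationKeySelector(jWSAlgorithm, new ImmutableJWKSet(jWKSet)), (JWEKeySelector) null);
    }

    /**
     * Creates a validator for signed logout tokens verified against a remote
     * JWK set, passing {@code null} as the resource retriever.
     *
     * @param issuer       the expected token issuer
     * @param clientID     the client ID handed to the claims verifier
     * @param jWSAlgorithm the single JWS algorithm the key selector is built for
     * @param url          the JWK set URL; see the five-argument constructor
     */
    public LogoutTokenValidator(Issuer issuer, ClientID clientID, JWSAlgorithm jWSAlgorithm, URL url) {
        this(issuer, clientID, jWSAlgorithm, url, null);
    }

    /**
     * Creates a validator for signed logout tokens verified against a remote
     * JWK set. No JWE key selector is configured.
     *
     * <p>NOTE(review): the keys served at {@code url} decide which signatures
     * are trusted. No scheme or host check is made here, so the URL should come
     * from trusted configuration. How a {@code null} retriever is handled is up
     * to {@link RemoteJWKSet} (presumably a default retriever; confirm).
     *
     * @param issuer            the expected token issuer
     * @param clientID          the client ID handed to the claims verifier
     * @param jWSAlgorithm      the single JWS algorithm the key selector is built for
     * @param url               the JWK set URL
     * @param resourceRetriever the retriever used to fetch the JWK set, may be {@code null}
     */
    public LogoutTokenValidator(Issuer issuer, ClientID clientID, JWSAlgorithm jWSAlgorithm, URL url, ResourceRetriever resourceRetriever) {
        this(issuer, clientID, new JWSVerificationKeySelector(jWSAlgorithm, new RemoteJWKSet(url, resourceRetriever)), (JWEKeySelector) null);
    }

    /**
     * Creates a validator for logout tokens verified with a shared secret. No
     * JWE key selector is configured.
     *
     * <p>NOTE(review): nothing here checks that {@code jWSAlgorithm} is an HMAC
     * algorithm; callers should pass one that matches a secret key.
     *
     * @param issuer       the expected token issuer
     * @param clientID     the client ID handed to the claims verifier
     * @param jWSAlgorithm the single JWS algorithm the key selector is built for
     * @param secret       the shared secret; its bytes become the verification key
     */
    public LogoutTokenValidator(Issuer issuer, ClientID clientID, JWSAlgorithm jWSAlgorithm, Secret secret) {
        this(issuer, clientID, new JWSVerificationKeySelector(jWSAlgorithm, new ImmutableSecret(secret.getValueBytes())), (JWEKeySelector) null);
    }

    /**
     * Creates a validator from explicit key selectors.
     *
     * @param issuer         the expected token issuer
     * @param clientID       the client ID handed to the claims verifier
     * @param jWSKeySelector selector of signature verification keys; if {@code null},
     *                       signed and encrypted tokens are rejected
     * @param jWEKeySelector selector of decryption keys; if {@code null},
     *                       encrypted tokens are rejected
     */
    public LogoutTokenValidator(Issuer issuer, ClientID clientID, JWSKeySelector jWSKeySelector, JWEKeySelector jWEKeySelector) {
        super(issuer, clientID, jWSKeySelector, jWEKeySelector);
    }

    /**
     * Validates a logout token and returns its claims.
     *
     * @param jwt the parsed logout token
     * @return the claims of the validated token
     * @throws BadJOSEException if the token is unsecured, a required key selector
     *                          is missing, or the processor rejects the token
     * @throws JOSEException    if the JWT is of an unexpected type, processing
     *                          fails, or the claims cannot be converted
     */
    public LogoutTokenClaimsSet validate(JWT jwt) throws BadJOSEException, JOSEException {
        // An unsecured JWT carries no signature, so it is refused before any
        // processing takes place.
        if (jwt instanceof PlainJWT) {
            throw new BadJWTException("Unsecured (plain) logout tokens are illegal");
        }
        if (jwt instanceof SignedJWT) {
            return validate((SignedJWT) jwt);
        }
        if (jwt instanceof EncryptedJWT) {
            return validate((EncryptedJWT) jwt);
        }
        throw new JOSEException("Unexpected JWT type: " + jwt.getClass());
    }

    /**
     * Verifies the signature and claims of a signed logout token.
     *
     * @param signedJWT the signed logout token
     * @return the claims of the validated token
     * @throws BadJOSEException if no JWS key selector is configured or the
     *                          processor rejects the token
     * @throws JOSEException    if processing fails or the claims cannot be converted
     */
    private LogoutTokenClaimsSet validate(SignedJWT signedJWT) throws BadJOSEException, JOSEException {
        if (getJWSKeySelector() == null) {
            throw new BadJWTException("Verification of signed JWTs not configured");
        }
        DefaultJWTProcessor defaultJWTProcessor = new DefaultJWTProcessor();
        defaultJWTProcessor.setJWSKeySelector(getJWSKeySelector());
        defaultJWTProcessor.setJWTClaimsSetVerifier(new LogoutTokenClaimsVerifier(getExpectedIssuer(), getClientID()));
        // The second argument is the optional security context, which is not
        // used here. The decompiled listing cast this null to SignedJWT, a type
        // that is not a security context and does not fit that parameter.
        return toLogoutTokenClaimsSet(defaultJWTProcessor.process(signedJWT, null));
    }

    /**
     * Decrypts an encrypted logout token and verifies it.
     *
     * <p>Both a JWE and a JWS key selector must be configured.
     * NOTE(review): whether a JWE whose payload is not a nested signed JWT is
     * rejected is decided inside {@link DefaultJWTProcessor}, not here; confirm
     * that behaviour if signed logout tokens are mandatory for the deployment.
     *
     * @param encryptedJWT the encrypted logout token
     * @return the claims of the validated token
     * @throws BadJOSEException if a key selector is missing or the processor
     *                          rejects the token
     * @throws JOSEException    if processing fails or the claims cannot be converted
     */
    private LogoutTokenClaimsSet validate(EncryptedJWT encryptedJWT) throws BadJOSEException, JOSEException {
        if (getJWEKeySelector() == null) {
            throw new BadJWTException("Decryption of JWTs not configured");
        }
        if (getJWSKeySelector() == null) {
            throw new BadJWTException("Verification of signed JWTs not configured");
        }
        DefaultJWTProcessor defaultJWTProcessor = new DefaultJWTProcessor();
        defaultJWTProcessor.setJWSKeySelector(getJWSKeySelector());
        defaultJWTProcessor.setJWEKeySelector(getJWEKeySelector());
        defaultJWTProcessor.setJWTClaimsSetVerifier(new LogoutTokenClaimsVerifier(getExpectedIssuer(), getClientID()));
        // As in the signed case, no security context is passed; the decompiled
        // listing's cast of this null to EncryptedJWT did not fit the parameter.
        return toLogoutTokenClaimsSet(defaultJWTProcessor.process(encryptedJWT, null));
    }

    /**
     * Converts verified JWT claims into a {@link LogoutTokenClaimsSet}.
     *
     * @param jWTClaimsSet the verified claims
     * @return the logout token claims
     * @throws JOSEException if the claims cannot be parsed as logout token
     *                       claims; the parse exception is kept as the cause
     */
    private static LogoutTokenClaimsSet toLogoutTokenClaimsSet(JWTClaimsSet jWTClaimsSet) throws JOSEException {
        try {
            return new LogoutTokenClaimsSet(jWTClaimsSet);
        } catch (ParseException e) {
            throw new JOSEException(e.getMessage(), e);
        }
    }

    /**
     * Creates a validator from provider metadata and client registration data.
     *
     * <p>The key selectors are built by the {@code IDTokenValidator} helpers, so
     * logout tokens are checked with whatever algorithms and keys those helpers
     * derive from the same metadata (their logic is not visible in this class).
     *
     * @param oIDCProviderMetadata  the provider metadata supplying the issuer
     * @param oIDCClientInformation the client registration supplying the client ID
     * @param jWKSource             the key source passed to the JWE key selector helper
     * @return the configured validator
     * @throws GeneralException if a key selector cannot be created
     */
    public static LogoutTokenValidator create(OIDCProviderMetadata oIDCProviderMetadata, OIDCClientInformation oIDCClientInformation, JWKSource jWKSource) throws GeneralException {
        return new LogoutTokenValidator(oIDCProviderMetadata.getIssuer(), oIDCClientInformation.getID(), IDTokenValidator.createJWSKeySelector(oIDCProviderMetadata, oIDCClientInformation), IDTokenValidator.createJWEKeySelector(oIDCProviderMetadata, oIDCClientInformation, jWKSource));
    }
}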
