package com.liferay.portal.security.sso.openid.connect.internal.util;

import com.liferay.petra.string.StringBundler;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectProvider;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.RefreshTokenGrant;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.util.Objects;

/* loaded from: input_file:com/liferay/portal/security/sso/openid/connect/internal/util/OpenIdConnectTokenRequestUtil.class */
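public class OpenIdConnectTokenRequestUtil {

    /**
     * Exchanges the authorization code carried by {@code
     * authenticationSuccessResponse} for OpenID Connect tokens at the
     * provider's token endpoint and validates the returned ID token before
     * handing the tokens back.
     *
     * @param authenticationSuccessResponse the authentication response
     *        carrying the authorization code to redeem
     * @param nonce the nonce sent in the authentication request; it is handed
     *        to the ID token validator so the ID token has to echo it
     * @param openIdConnectProvider the provider whose token endpoint, client
     *        credentials and metadata are used
     * @param uri the redirect URI of the authentication request, repeated in
     *        the authorization code grant
     * @return the tokens returned by the provider, with the ID token validated
     * @throws OpenIdConnectServiceException.ProviderException propagated from
     *         the provider metadata lookup
     * @throws OpenIdConnectServiceException.TokenException if the token
     *         endpoint returns an error, the response cannot be retrieved or
     *         parsed, the response carries no ID token, or the ID token fails
     *         validation
     */
    public static OIDCTokens request(AuthenticationSuccessResponse authenticationSuccessResponse, Nonce nonce, OpenIdConnectProvider<OIDCClientMetadata, OIDCProviderMetadata> openIdConnectProvider, URI uri) throws OpenIdConnectServiceException.ProviderException, OpenIdConnectServiceException.TokenException {
        AuthorizationGrant authorizationGrant = new AuthorizationCodeGrant(authenticationSuccessResponse.getAuthorizationCode(), uri);

        return _requestOIDCTokens(authorizationGrant, nonce, openIdConnectProvider);
    }

    /**
     * Redeems a refresh token for a fresh set of OpenID Connect tokens and
     * validates the returned ID token.
     *
     * <p>No nonce is passed on this path (a refresh is not tied to an
     * authentication request), so the validator receives {@code null}.
     *
     * @param openIdConnectProvider the provider whose token endpoint, client
     *        credentials and metadata are used
     * @param refreshToken the refresh token to redeem
     * @return the tokens returned by the provider, with the ID token validated
     * @throws OpenIdConnectServiceException if the provider metadata cannot be
     *         obtained, the token endpoint call fails, the response carries no
     *         ID token, or the ID token fails validation
     */
    public static OIDCTokens request(OpenIdConnectProvider<OIDCClientMetadata, OIDCProviderMetadata> openIdConnectProvider, RefreshToken refreshToken) throws OpenIdConnectServiceException {
        return _requestOIDCTokens(new RefreshTokenGrant(refreshToken), null, openIdConnectProvider);
    }

    /**
     * Sends the token request for {@code authorizationGrant} using HTTP basic
     * client authentication, maps an error response to a {@code
     * TokenException}, and validates the ID token of a successful response.
     *
     * @param authorizationGrant the grant to present (authorization code or
     *        refresh token)
     * @param nonce the expected nonce, or {@code null} when none is expected
     * @param openIdConnectProvider the provider supplying endpoint, client
     *        credentials, metadata and the connection timeout
     * @return the tokens from the successful response
     * @throws OpenIdConnectServiceException.ProviderException propagated from
     *         the provider metadata lookup
     * @throws OpenIdConnectServiceException.TokenException on an error
     *         response, a transport or parse failure, or a failed ID token
     *         validation
     */
    private static OIDCTokens _requestOIDCTokens(AuthorizationGrant authorizationGrant, Nonce nonce, OpenIdConnectProvider<OIDCClientMetadata, OIDCProviderMetadata> openIdConnectProvider) throws OpenIdConnectServiceException.ProviderException, OpenIdConnectServiceException.TokenException {
        OIDCProviderMetadata oidcProviderMetadata = (OIDCProviderMetadata) openIdConnectProvider.getOIDCProviderMetadata();

        URI tokenEndpointURI = oidcProviderMetadata.getTokenEndpointURI();

        ClientID clientID = new ClientID(openIdConnectProvider.getClientId());
        Secret secret = new Secret(openIdConnectProvider.getClientSecret());

        // The client authenticates to the token endpoint with client_secret_basic
        TokenRequest tokenRequest = new TokenRequest(tokenEndpointURI, new ClientSecretBasic(clientID, secret), authorizationGrant);

        TokenResponse tokenResponse;

        try {
            tokenResponse = OIDCTokenResponseParser.parse(tokenRequest.toHTTPRequest().send());
        } catch (ParseException parseException) {
            throw new OpenIdConnectServiceException.TokenException(StringBundler.concat("Unable to parse tokens response from ", tokenEndpointURI, ": ", parseException.getMessage()), parseException);
        } catch (IOException ioException) {
            throw new OpenIdConnectServiceException.TokenException(StringBundler.concat("Unable to get tokens from ", tokenEndpointURI, ": ", ioException.getMessage()), ioException);
        }

        if (tokenResponse instanceof TokenErrorResponse) {
            TokenErrorResponse tokenErrorResponse = (TokenErrorResponse) tokenResponse;

            // The provider's error object (including any description it sent) becomes the message
            throw new OpenIdConnectServiceException.TokenException(tokenErrorResponse.getErrorObject().toJSONObject().toString());
        }

        OIDCTokenResponse oidcTokenResponse = (OIDCTokenResponse) tokenResponse;

        OIDCTokens oidcTokens = oidcTokenResponse.getOIDCTokens();

        // Tokens are only returned once the ID token has been validated
        _validate(clientID, secret, nonce, oidcProviderMetadata, oidcTokens, openIdConnectProvider.getTokenConnectionTimeout());

        return oidcTokens;
    }

    /**
     * Validates the ID token in {@code oidcTokens} against the provider's
     * issuer, this client's ID and the expected nonce.
     *
     * <p>The token's {@code alg} header is only used to pick one of the
     * algorithms the provider advertises in its metadata; the validator is
     * then bound to that single algorithm, so a token cannot select an
     * algorithm the provider does not support. HMAC algorithms are verified
     * with the client secret, all others against the provider's JWK set.
     *
     * @param clientID this client's ID (expected audience)
     * @param secret this client's secret (HMAC key for HMAC-signed tokens)
     * @param nonce the expected nonce, or {@code null} when none is expected
     * @param oidcProviderMetadata the provider metadata (issuer, supported
     *        ID token algorithms, JWK set URI)
     * @param oidcTokens the tokens whose ID token is validated
     * @param timeout connect and read timeout, in the unit the provider
     *        reports it, used when fetching the JWK set
     * @return the validated ID token claims
     * @throws OpenIdConnectServiceException.TokenException if the response
     *         has no ID token, the token's algorithm is not advertised by the
     *         provider, the JWK set URI is missing or malformed, or signature
     *         or claim validation fails
     */
    private static IDTokenClaimsSet _validate(ClientID clientID, Secret secret, Nonce nonce, OIDCProviderMetadata oidcProviderMetadata, OIDCTokens oidcTokens, int timeout) throws OpenIdConnectServiceException.TokenException {
        JWT idToken = oidcTokens.getIDToken();

        // A response without an ID token is rejected explicitly instead of
        // failing on a null dereference below
        if (idToken == null) {
            throw new OpenIdConnectServiceException.TokenException(StringBundler.concat("Token response contains no ID token for OpenID Connect client: ", clientID.getValue()));
        }

        Algorithm algorithm = idToken.getHeader().getAlgorithm();

        String algorithmName = algorithm.getName();

        JWSAlgorithm jwsAlgorithm = _findIDTokenJWSAlgorithm(oidcProviderMetadata, algorithmName);

        if (jwsAlgorithm == null) {
            throw new OpenIdConnectServiceException.TokenException(StringBundler.concat("Signing algorithm ", algorithmName, " rejected by OpenID Connect client: ", clientID.getValue()));
        }

        try {
            IDTokenValidator idTokenValidator = _createIDTokenValidator(clientID, secret, oidcProviderMetadata, jwsAlgorithm, timeout);

            return idTokenValidator.validate(idToken, nonce);
        } catch (MalformedURLException malformedURLException) {
            throw new OpenIdConnectServiceException.TokenException("Invalid JSON web key URL: " + malformedURLException.getMessage(), malformedURLException);
        } catch (JOSEException | BadJOSEException exception) {
            // BadJOSEException: the token was rejected; JOSEException: the check itself failed
            throw new OpenIdConnectServiceException.TokenException("Unable to validate tokens: " + exception.getMessage(), exception);
        }
    }

    /**
     * Returns the provider-advertised ID token signing algorithm whose name
     * equals {@code algorithmName}, or {@code null} when the provider does not
     * advertise it.
     *
     * @param oidcProviderMetadata the provider metadata listing the supported
     *        ID token signing algorithms
     * @param algorithmName the algorithm name taken from the token header
     * @return the matching advertised algorithm, or {@code null}
     */
    private static JWSAlgorithm _findIDTokenJWSAlgorithm(OIDCProviderMetadata oidcProviderMetadata, String algorithmName) {
        for (JWSAlgorithm jwsAlgorithm : oidcProviderMetadata.getIDTokenJWSAlgs()) {
            if (Objects.equals(jwsAlgorithm.getName(), algorithmName)) {
                return jwsAlgorithm;
            }
        }

        return null;
    }

    /**
     * Builds an ID token validator bound to {@code jwsAlgorithm}, keyed by
     * the client secret for HMAC algorithms and by the provider's JWK set
     * otherwise. A new validator (and JWK set retriever) is created on every
     * call, so nothing is cached across validations here.
     *
     * @param clientID this client's ID (expected audience)
     * @param secret this client's secret (HMAC key)
     * @param oidcProviderMetadata the provider metadata (issuer, JWK set URI)
     * @param jwsAlgorithm the single algorithm the validator accepts
     * @param timeout connect and read timeout for the JWK set retrieval
     * @return the validator
     * @throws MalformedURLException if the JWK set URI cannot be turned into
     *         a URL
     * @throws OpenIdConnectServiceException.TokenException if a non-HMAC
     *         algorithm is used but the provider metadata has no JWK set URI
     */
    private static IDTokenValidator _createIDTokenValidator(ClientID clientID, Secret secret, OIDCProviderMetadata oidcProviderMetadata, JWSAlgorithm jwsAlgorithm, int timeout) throws MalformedURLException, OpenIdConnectServiceException.TokenException {
        if (JWSAlgorithm.Family.HMAC_SHA.contains(jwsAlgorithm)) {
            // HMAC-signed ID tokens use the client secret as the shared key
            return new IDTokenValidator(oidcProviderMetadata.getIssuer(), clientID, jwsAlgorithm, secret);
        }

        URI jwkSetURI = oidcProviderMetadata.getJWKSetURI();

        // Without a jwks_uri there is no key to verify an asymmetric signature
        // with; fail explicitly instead of on a null dereference
        if (jwkSetURI == null) {
            throw new OpenIdConnectServiceException.TokenException(StringBundler.concat("OpenID Connect provider ", String.valueOf(oidcProviderMetadata.getIssuer()), " does not provide a JSON web key set URL"));
        }

        return new IDTokenValidator(oidcProviderMetadata.getIssuer(), clientID, jwsAlgorithm, jwkSetURI.toURL(), new DefaultResourceRetriever(timeout, timeout));
    }
}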
