package org.mitre.openid.connect.client;

import com.google.common.base.Strings;
import com.nimbusds.jwt.JWT;
import java.util.Collection;
import org.mitre.openid.connect.model.OIDCAuthenticationToken;
import org.mitre.openid.connect.model.PendingOIDCAuthenticationToken;
import org.mitre.openid.connect.model.UserInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:WEB-INF/lib/openid-connect-client-1.2.0.jar:org/mitre/openid/connect/client/OIDCAuthenticationProvider.class */
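/**
 * Spring Security {@link AuthenticationProvider} that completes an OpenID Connect login: it takes a
 * {@link PendingOIDCAuthenticationToken}, loads the matching {@link UserInfo}, maps authorities and
 * returns a fully populated {@link OIDCAuthenticationToken}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Nothing in this class validates the ID token (signature, issuer, audience, expiry, nonce).
 *       NOTE(review): presumably that is done before the pending token is built; confirm against
 *       the component that creates {@link PendingOIDCAuthenticationToken}.</li>
 *   <li>UserInfo claims are only trusted when the response carries a {@code sub} that exactly
 *       matches the {@code sub} of the ID token (OpenID Connect Core, section 5.3.2). A response
 *       without {@code sub} is discarded, so its claims never reach the authorities mapper.</li>
 * </ul>
 */
public class OIDCAuthenticationProvider implements AuthenticationProvider {
    private static final Logger logger = LoggerFactory.getLogger(OIDCAuthenticationProvider.class);
    private UserInfoFetcher userInfoFetcher = new UserInfoFetcher();
    private OIDCAuthoritiesMapper authoritiesMapper = new NamedAdminAuthoritiesMapper();

    /**
     * Converts a pending OIDC token into an authenticated one.
     *
     * @param authentication the authentication request; anything that is not a
     *     {@link PendingOIDCAuthenticationToken} (including {@code null}) is declined
     * @return the authenticated token, or {@code null} when this provider does not handle the request
     * @throws AuthenticationException (as {@link UsernameNotFoundException}) when the UserInfo
     *     response names a different subject than the ID token
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // instanceof goes first so a null request is declined instead of raising a NullPointerException.
        if (!(authentication instanceof PendingOIDCAuthenticationToken) || !supports(authentication.getClass())) {
            return null;
        }
        PendingOIDCAuthenticationToken token = (PendingOIDCAuthenticationToken) authentication;
        JWT idToken = token.getIdToken();
        UserInfo userInfo = this.userInfoFetcher.loadUserInfo(token);

        if (userInfo != null) {
            String userInfoSub = userInfo.getSub();
            if (Strings.isNullOrEmpty(userInfoSub)) {
                // Without a sub the response cannot be bound to the ID token's subject, so its claims
                // must not influence authority mapping or be attached to the session. Continue on the
                // ID token alone, exactly as when no UserInfo could be loaded.
                logger.warn("Discarding UserInfo response without a sub claim (issuer: {})", token.getIssuer());
                userInfo = null;
            } else if (!userInfoSub.equals(token.getSub())) {
                // Subject mismatch: the UserInfo response belongs to someone else. Fail the login.
                throw new UsernameNotFoundException("user_id mismatch between id_token and user_info call: " + token.getSub() + " / " + userInfoSub);
            }
        }

        return createAuthenticationToken(token, this.authoritiesMapper.mapAuthorities(idToken, userInfo), userInfo);
    }

    /**
     * Builds the final authenticated token. Subclasses may override this to return a different
     * {@link Authentication} implementation.
     *
     * @param pendingOIDCAuthenticationToken the pending token supplying subject, issuer, ID token and
     *     the access/refresh token values
     * @param collection the authorities produced by the configured {@link OIDCAuthoritiesMapper}
     * @param userInfo the verified UserInfo, or {@code null} when none is available
     * @return a new {@link OIDCAuthenticationToken}
     */
    protected Authentication createAuthenticationToken(PendingOIDCAuthenticationToken pendingOIDCAuthenticationToken, Collection<? extends GrantedAuthority> collection, UserInfo userInfo) {
        return new OIDCAuthenticationToken(
                pendingOIDCAuthenticationToken.getSub(),
                pendingOIDCAuthenticationToken.getIssuer(),
                userInfo,
                collection,
                pendingOIDCAuthenticationToken.getIdToken(),
                pendingOIDCAuthenticationToken.getAccessTokenValue(),
                pendingOIDCAuthenticationToken.getRefreshTokenValue());
    }

    /**
     * Replaces the authorities mapper (default: {@link NamedAdminAuthoritiesMapper}).
     *
     * @param oIDCAuthoritiesMapper the mapper to use; it is dereferenced without a null check in
     *     {@link #authenticate(Authentication)}, so passing {@code null} breaks every later login
     */
    public void setAuthoritiesMapper(OIDCAuthoritiesMapper oIDCAuthoritiesMapper) {
        this.authoritiesMapper = oIDCAuthoritiesMapper;
    }

    /**
     * Reports whether this provider handles the given authentication class.
     *
     * @param cls the candidate authentication class
     * @return {@code true} for {@link PendingOIDCAuthenticationToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> cls) {
        return PendingOIDCAuthenticationToken.class.isAssignableFrom(cls);
    }
}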
