package org.project_kessel.clients.authn.oidc.client.nimbus;

import com.nimbusds.oauth2.sdk.ClientCredentialsGrant;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import io.quarkus.runtime.annotations.RegisterForReflection;
import java.io.IOException;
import java.net.URI;
import java.util.Optional;
import org.project_kessel.clients.authn.oidc.client.OIDCClientCredentialsAuthenticationConfig;
import org.project_kessel.clients.authn.oidc.client.OIDCClientCredentialsMinter;

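/**
 * {@link OIDCClientCredentialsMinter} implementation that uses the Nimbus OAuth 2.0 / OpenID Connect SDK.
 *
 * <p>It resolves the provider metadata for the configured issuer, performs a client-credentials grant
 * against the advertised token endpoint, and converts the returned bearer access token into an
 * {@code Authorization} header value.
 *
 * <p>NOTE(review): the client secret is sent with HTTP Basic authentication to whatever token endpoint the
 * issuer's metadata advertises, so its confidentiality depends on the configured issuer being a trusted
 * HTTPS URL. Nothing in this class enforces that; confirm it is validated where the configuration is loaded.
 */
@RegisterForReflection
public class NimbusOIDCClientCredentialsMinter extends OIDCClientCredentialsMinter {
    /**
     * Authenticates with the OIDC provider using the client-credentials grant and builds a bearer header.
     *
     * @param oIDCClientCredentialsConfig supplies the issuer, client id, client secret and optional scope
     * @return the bearer authorization header together with the expiry derived from the token lifetime
     * @throws OIDCClientCredentialsMinter.OIDCClientCredentialsMinterException if provider metadata cannot
     *     be resolved, the token request fails or cannot be parsed, the provider returns an error response,
     *     or the response carries no bearer access token
     */
    @Override
    public OIDCClientCredentialsMinter.BearerHeader authenticateAndRetrieveAuthorizationHeader(OIDCClientCredentialsAuthenticationConfig.OIDCClientCredentialsConfig oIDCClientCredentialsConfig) throws OIDCClientCredentialsMinter.OIDCClientCredentialsMinterException {
        Issuer issuer = new Issuer(oIDCClientCredentialsConfig.issuer());
        ClientID clientID = new ClientID(oIDCClientCredentialsConfig.clientId());
        Secret secret = new Secret(oIDCClientCredentialsConfig.clientSecret());
        // Typed as Optional<Scope>; the previous Optional<U> referred to an undeclared type and forced a cast.
        Optional<Scope> scope = oIDCClientCredentialsConfig.scope().map(Scope::new);
        ClientCredentialsGrant clientCredentialsGrant = new ClientCredentialsGrant();

        // Step 1: discovery. Kept in its own try block so the error message names the step that failed.
        // NOTE(review): no connect/read timeout is set here or on the token request below; confirm the
        // SDK defaults are acceptable so an unresponsive provider cannot stall the caller.
        URI tokenEndpointURI;
        try {
            tokenEndpointURI = OIDCProviderMetadata.resolve(issuer).getTokenEndpointURI();
        } catch (IOException | GeneralException e) {
            throw new OIDCClientCredentialsMinter.OIDCClientCredentialsMinterException("Failed to retrieve and parse OIDC well-known configuration from provider.", e);
        }

        // Step 2: token request. Failures here were previously reported as discovery failures.
        TokenResponse tokenResponse;
        try {
            ClientSecretBasic clientSecretBasic = new ClientSecretBasic(clientID, secret);
            TokenRequest tokenRequest = scope.isPresent()
                    ? new TokenRequest(tokenEndpointURI, clientSecretBasic, clientCredentialsGrant, scope.get())
                    : new TokenRequest(tokenEndpointURI, clientSecretBasic, clientCredentialsGrant);
            tokenResponse = OIDCTokenResponseParser.parse(tokenRequest.toHTTPRequest().send());
        } catch (IOException | GeneralException e) {
            throw new OIDCClientCredentialsMinter.OIDCClientCredentialsMinterException("Failed to send token request to provider or to parse the token response.", e);
        }

        if (!tokenResponse.indicatesSuccess()) {
            // Only the provider's error code and description are reported; the client secret is never included.
            TokenErrorResponse errorResponse = tokenResponse.toErrorResponse();
            throw new OIDCClientCredentialsMinter.OIDCClientCredentialsMinterException("Error requesting token from endpoint. TokenErrorResponse: code: " + errorResponse.getErrorObject().getCode() + ", message: " + errorResponse.getErrorObject().getDescription());
        }

        // getTokens() is declared on the success-response type returned by TokenResponse, so no cast is needed.
        BearerAccessToken bearerAccessToken = tokenResponse.toSuccessResponse().getTokens().getBearerAccessToken();
        if (bearerAccessToken == null) {
            // The SDK yields null when the issued access token is not of type Bearer; fail with the
            // declared exception type instead of a NullPointerException.
            throw new OIDCClientCredentialsMinter.OIDCClientCredentialsMinterException("Token endpoint response did not contain a bearer access token.");
        }
        // getExpiryDateFromExpiresIn is not defined in this class; presumably inherited from the parent minter.
        return new OIDCClientCredentialsMinter.BearerHeader(bearerAccessToken.toAuthorizationHeader(), getExpiryDateFromExpiresIn(bearerAccessToken.getLifetime()));
    }
}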
