package org.springframework.security.config.web.server;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.oidc.authentication.ReactiveOidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcLogoutToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoderFactory;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/lib/spring-security-config-6.2.2.jar:org/springframework/security/config/web/server/OidcBackChannelLogoutReactiveAuthenticationManager.class */
/**
 * {@link ReactiveAuthenticationManager} that turns an {@link OidcLogoutAuthenticationToken}
 * (the raw logout token plus the {@link ClientRegistration} it was sent for) into an
 * {@link OidcBackChannelLogoutAuthentication} carrying the decoded {@link OidcLogoutToken}.
 *
 * <p>The logout token is decoded through a {@link ReactiveJwtDecoderFactory} keyed by client
 * registration. Every claim of the decoded JWT is copied into the resulting logout token, so
 * the decoder and its validator are the only gate in this class between the unauthenticated
 * back-channel request and the code that later acts on those claims.
 */
final class OidcBackChannelLogoutReactiveAuthenticationManager implements ReactiveAuthenticationManager {
    // Not final: setLogoutTokenDecoderFactory may swap it after construction.
    private ReactiveJwtDecoderFactory<ClientRegistration> logoutTokenDecoderFactory;

    /**
     * Creates a manager whose decoder factory is a {@link ReactiveOidcIdTokenDecoderFactory}
     * with its JWT validator factory replaced by {@code DefaultOidcLogoutTokenValidatorFactory}.
     *
     * <p>NOTE(review): the decompiler reports this constructor as package-private in the
     * original class file. Which claims the default validator checks is not visible here;
     * confirm against {@code DefaultOidcLogoutTokenValidatorFactory}.
     */
    public OidcBackChannelLogoutReactiveAuthenticationManager() {
        ReactiveOidcIdTokenDecoderFactory defaultFactory = new ReactiveOidcIdTokenDecoderFactory();
        defaultFactory.setJwtValidatorFactory(new DefaultOidcLogoutTokenValidatorFactory());
        this.logoutTokenDecoderFactory = defaultFactory;
    }

    /**
     * Decodes and validates the logout token held by the given authentication request.
     *
     * @param authentication the request; only {@link OidcLogoutAuthenticationToken} is handled
     * @return a {@link Mono} emitting an {@link OidcBackChannelLogoutAuthentication} built from
     * the decoded token, an empty {@link Mono} when the request is of any other type, or an
     * error {@link Mono} when decoding fails (see {@code decode})
     */
    @Override
    public Mono<Authentication> authenticate(Authentication authentication) throws AuthenticationException {
        if (authentication instanceof OidcLogoutAuthenticationToken) {
            OidcLogoutAuthenticationToken request = (OidcLogoutAuthenticationToken) authentication;
            String rawLogoutToken = request.getLogoutToken();
            Mono<Jwt> verified = decode(request.getClientRegistration(), rawLogoutToken);
            return verified
                    // Rebuild the token from the decoded claims only; the raw value is kept as the token value.
                    .map(jwt -> OidcLogoutToken.withTokenValue(rawLogoutToken)
                            .claims(claims -> claims.putAll(jwt.getClaims()))
                            .build())
                    .map(OidcBackChannelLogoutAuthentication::new);
        }
        // Unsupported request type: emit nothing rather than an error.
        return Mono.empty();
    }

    /**
     * Decodes the logout token with a decoder created for the given client registration and
     * translates decoding failures into authentication exceptions.
     *
     * <p>A {@link BadJwtException} becomes an {@link OAuth2AuthenticationException} with error
     * code {@code invalid_request}; any other {@link Exception} becomes an
     * {@link AuthenticationServiceException}. In both cases the original exception is kept as
     * the cause and its message is reused as the description/message. Whether that message is
     * ever written to the HTTP response depends on the failure handler, which is not part of
     * this class; verify it does not expose more detail to the caller than intended.
     */
    private Mono<Jwt> decode(ClientRegistration clientRegistration, String logoutToken) {
        return this.logoutTokenDecoderFactory.createDecoder(clientRegistration)
                .decode(logoutToken)
                .onErrorResume(Exception.class, failure -> {
                    if (!(failure instanceof BadJwtException)) {
                        return Mono.error(new AuthenticationServiceException(failure.getMessage(), failure));
                    }
                    OAuth2Error invalidRequest = new OAuth2Error("invalid_request", failure.getMessage(),
                            "https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation");
                    return Mono.error(new OAuth2AuthenticationException(invalidRequest, failure));
                });
    }

    /**
     * Replaces the decoder factory used for logout tokens.
     *
     * <p>The supplied factory is used as given: the {@code DefaultOidcLogoutTokenValidatorFactory}
     * installed by the constructor belongs to the default factory and is not carried over, so a
     * custom factory has to configure its own logout-token validation.
     *
     * @param reactiveJwtDecoderFactory the factory to use; must not be {@code null}
     */
    void setLogoutTokenDecoderFactory(ReactiveJwtDecoderFactory<ClientRegistration> reactiveJwtDecoderFactory) {
        Assert.notNull(reactiveJwtDecoderFactory, "logoutTokenDecoderFactory cannot be null");
        this.logoutTokenDecoderFactory = reactiveJwtDecoderFactory;
    }
}
