package com.nimbusds.openid.connect.sdk.validators;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.ClockSkewAware;
import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
import com.nimbusds.jwt.util.DateUtils;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import java.text.ParseException;
import java.util.Date;
import java.util.List;
import net.jcip.annotations.ThreadSafe;

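/**
 * Checks the claims of an OpenID Connect ID token against the values the
 * relying party expects: issuer ({@code iss}), subject presence ({@code sub}),
 * audience ({@code aud}), authorized party ({@code azp}), expiration
 * ({@code exp}), issue time ({@code iat}) and, optionally, {@code nonce}.
 *
 * <p>Only claims are inspected here. Nothing in this class checks the token's
 * signature or MAC, so a successful {@link #verify} is meaningful only after
 * the JWT has been cryptographically validated elsewhere.
 *
 * <p>The messages of the {@link BadJWTException}s created here embed values
 * read from the token under validation (issuer, audience, azp, nonce). Treat
 * them as untrusted text when logging or echoing them to a client.
 */
@ThreadSafe
/* loaded from: input_file:WEB-INF/lib/oauth2-oidc-sdk-9.27.1.jar:com/nimbusds/openid/connect/sdk/validators/IDTokenClaimsVerifier.class */
public class IDTokenClaimsVerifier implements JWTClaimsSetVerifier, ClockSkewAware {
    private final Issuer expectedIssuer;
    private final ClientID expectedClientID;
    // May be null, in which case verify() performs no nonce check at all.
    private final Nonce expectedNonce;
    // volatile: the class is annotated @ThreadSafe but this field is written by
    // setMaxClockSkew() without any lock, so a plain int gave no guarantee that
    // a thread running verify() would ever observe an updated tolerance.
    private volatile int maxClockSkew;

    /**
     * Creates a verifier bound to one issuer / client pair.
     *
     * @param issuer   the expected {@code iss} value, must not be null
     * @param clientID the client ID that must appear in {@code aud} (and in
     *                 {@code azp} when several audiences are listed), must not
     *                 be null
     * @param nonce    the nonce expected in the token, or null to skip the
     *                 nonce check; pass the value sent with the authentication
     *                 request whenever one was sent, otherwise the token is
     *                 not bound to that request
     * @param i        the maximum accepted clock skew (seconds, per the
     *                 {@link ClockSkewAware} contract), zero or positive
     * @throws IllegalArgumentException if {@code issuer} or {@code clientID}
     *                                  is null, or the skew is negative
     */
    public IDTokenClaimsVerifier(Issuer issuer, ClientID clientID, Nonce nonce, int i) {
        if (issuer == null) {
            throw new IllegalArgumentException("The expected ID token issuer must not be null");
        }
        this.expectedIssuer = issuer;
        if (clientID == null) {
            throw new IllegalArgumentException("The client ID must not be null");
        }
        this.expectedClientID = clientID;
        this.expectedNonce = nonce;
        setMaxClockSkew(i);
    }

    /** Returns the issuer that the {@code iss} claim must equal. */
    public Issuer getExpectedIssuer() {
        return this.expectedIssuer;
    }

    /** Returns the client ID that must be listed in the {@code aud} claim. */
    public ClientID getClientID() {
        return this.expectedClientID;
    }

    /** Returns the expected nonce, or null when the nonce check is disabled. */
    public Nonce getExpectedNonce() {
        return this.expectedNonce;
    }

    /** Returns the clock skew tolerance applied to the {@code exp} and {@code iat} checks. */
    @Override // com.nimbusds.jwt.proc.ClockSkewAware
    public int getMaxClockSkew() {
        return this.maxClockSkew;
    }

    /**
     * Sets the clock skew tolerance applied to the {@code exp} and {@code iat}
     * checks. A larger value widens the window in which an expired token is
     * still accepted, so keep it as small as the deployment allows.
     *
     * @param i the tolerance, zero or positive
     * @throws IllegalArgumentException if {@code i} is negative
     */
    @Override // com.nimbusds.jwt.proc.ClockSkewAware
    public void setMaxClockSkew(int i) {
        if (i < 0) {
            throw new IllegalArgumentException("The max clock skew must be zero or positive");
        }
        this.maxClockSkew = i;
    }

    /**
     * Verifies the ID token claims in this order: {@code iss}, {@code sub},
     * {@code aud} / {@code azp}, {@code exp}, {@code iat}, {@code nonce}. The
     * first failing check decides which exception is thrown.
     *
     * @param jWTClaimsSet    the claims of the ID token to check
     * @param securityContext not used by this implementation
     * @throws BadJWTException if a required claim is missing, malformed or
     *                         does not match the expected value, or the token
     *                         is expired or issued in the future
     */
    @Override // com.nimbusds.jwt.proc.JWTClaimsSetVerifier
    public void verify(JWTClaimsSet jWTClaimsSet, SecurityContext securityContext) throws BadJWTException {
        verifyIssuer(jWTClaimsSet);
        if (jWTClaimsSet.getSubject() == null) {
            throw BadJWTExceptions.MISSING_SUB_CLAIM_EXCEPTION;
        }
        verifyAudience(jWTClaimsSet);
        verifyTimestamps(jWTClaimsSet);
        verifyNonce(jWTClaimsSet);
    }

    /** Requires an {@code iss} claim that is an exact string match of the expected issuer. */
    private void verifyIssuer(JWTClaimsSet claims) throws BadJWTException {
        String tokenIssuer = claims.getIssuer();
        if (tokenIssuer == null) {
            throw BadJWTExceptions.MISSING_ISS_CLAIM_EXCEPTION;
        }
        if (!this.expectedIssuer.getValue().equals(tokenIssuer)) {
            throw new BadJWTException("Unexpected JWT issuer: " + tokenIssuer);
        }
    }

    /** Requires the client ID in {@code aud}, and in {@code azp} when several audiences are listed. */
    private void verifyAudience(JWTClaimsSet claims) throws BadJWTException {
        List<String> audience = claims.getAudience();
        if (CollectionUtils.isEmpty(audience)) {
            throw BadJWTExceptions.MISSING_AUD_CLAIM_EXCEPTION;
        }
        String clientIdValue = this.expectedClientID.getValue();
        if (!audience.contains(clientIdValue)) {
            throw new BadJWTException("Unexpected JWT audience: " + audience);
        }
        // NOTE(review): azp is inspected only for multi-audience tokens. An azp
        // that accompanies a single audience is not compared with the client ID.
        if (audience.size() <= 1) {
            return;
        }
        String authorizedParty;
        try {
            authorizedParty = claims.getStringClaim(IDTokenClaimsSet.AZP_CLAIM_NAME);
        } catch (ParseException e) {
            // Keep the parse failure as the cause so the stack trace is not lost.
            throw new BadJWTException("Invalid JWT authorized party (azp) claim: " + e.getMessage(), e);
        }
        if (authorizedParty == null) {
            throw new BadJWTException("JWT authorized party (azp) claim required when multiple (aud) audiences present");
        }
        if (!clientIdValue.equals(authorizedParty)) {
            throw new BadJWTException("Unexpected JWT authorized party (azp) claim: " + authorizedParty);
        }
    }

    /** Requires {@code exp} and {@code iat}, rejecting expired tokens and tokens issued in the future. */
    private void verifyTimestamps(JWTClaimsSet claims) throws BadJWTException {
        Date expirationTime = claims.getExpirationTime();
        if (expirationTime == null) {
            throw BadJWTExceptions.MISSING_EXP_CLAIM_EXCEPTION;
        }
        Date issueTime = claims.getIssueTime();
        if (issueTime == null) {
            throw BadJWTExceptions.MISSING_IAT_CLAIM_EXCEPTION;
        }
        Date now = new Date();
        // Read the tolerance once so both comparisons use the same value even
        // if another thread calls setMaxClockSkew() in between.
        int skew = this.maxClockSkew;
        if (!DateUtils.isAfter(expirationTime, now, skew)) {
            throw BadJWTExceptions.EXPIRED_EXCEPTION;
        }
        if (!issueTime.equals(now) && !DateUtils.isBefore(issueTime, now, skew)) {
            throw BadJWTExceptions.IAT_CLAIM_AHEAD_EXCEPTION;
        }
    }

    /** Requires a matching {@code nonce} claim when an expected nonce was configured; otherwise does nothing. */
    private void verifyNonce(JWTClaimsSet claims) throws BadJWTException {
        if (this.expectedNonce == null) {
            return;
        }
        String tokenNonce;
        try {
            tokenNonce = claims.getStringClaim(IDTokenClaimsSet.NONCE_CLAIM_NAME);
        } catch (ParseException e) {
            // Keep the parse failure as the cause so the stack trace is not lost.
            throw new BadJWTException("Invalid JWT nonce (nonce) claim: " + e.getMessage(), e);
        }
        if (tokenNonce == null) {
            throw BadJWTExceptions.MISSING_NONCE_CLAIM_EXCEPTION;
        }
        if (!this.expectedNonce.getValue().equals(tokenNonce)) {
            throw new BadJWTException("Unexpected JWT nonce (nonce) claim: " + tokenNonce);
        }
    }
}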
