package org.forgerock.openidconnect;

import java.util.Set;
import javax.inject.Inject;
import org.forgerock.oauth2.core.AuthorizeRequestValidator;
import org.forgerock.oauth2.core.ClientRegistration;
import org.forgerock.oauth2.core.ClientRegistrationStore;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.Utils;
import org.forgerock.oauth2.core.exceptions.BadRequestException;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.InvalidScopeException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.openam.oauth2.OAuth2Constants;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.util.Reject;

/* loaded from: input_file:org/forgerock/openidconnect/OpenIdConnectAuthorizeRequestValidator.class */
/**
 * Authorization-request validator for the OpenID Connect specific parts of a request.
 *
 * <p>Three things are checked, in this order:
 * <ol>
 *   <li>a request whose {@code response_type} contains {@code id_token} must carry the
 *       {@code openid} scope (explicitly, or through the client's default scopes);</li>
 *   <li>a request with the {@code openid} scope must carry a {@code nonce} unless its
 *       {@code response_type} is exactly {@code code};</li>
 *   <li>the {@code prompt} parameter must be accepted by {@link OpenIdPrompt}.</li>
 * </ol>
 *
 * <p>Checks 1 and 2 run only when {@code Utils.isOpenIdConnectClient} reports the client as an
 * OpenID Connect client; for any other client this class validates the prompt parameter only.
 */
public class OpenIdConnectAuthorizeRequestValidator implements AuthorizeRequestValidator {
    private final ClientRegistrationStore clientRegistrationStore;

    /**
     * Creates the validator.
     *
     * @param clientRegistrationStore store used to look up the registration for the request's
     *                                {@code client_id}
     */
    @Inject
    public OpenIdConnectAuthorizeRequestValidator(ClientRegistrationStore clientRegistrationStore) {
        this.clientRegistrationStore = clientRegistrationStore;
    }

    /**
     * Validates the scope, nonce and prompt aspects of an authorization request.
     *
     * @param oAuth2Request the incoming authorization request
     * @throws BadRequestException if an {@link IllegalArgumentException} is raised while the
     *         prompt parameter is constructed or checked
     * @throws InvalidRequestException if the {@code openid} scope or the {@code nonce} is missing
     * @throws InvalidClientException declared by the client lookup
     * @throws InvalidScopeException declared by the scope validation path
     * @throws NotFoundException declared by the client lookup
     */
    @Override
    public void validateRequest(OAuth2Request oAuth2Request) throws BadRequestException, InvalidRequestException, InvalidClientException, InvalidScopeException, NotFoundException {
        validateOpenIdScope(oAuth2Request);
        try {
            OpenIdPrompt prompt = new OpenIdPrompt(oAuth2Request);
            boolean promptAccepted = prompt.isValid();
            // NOTE(review): the raw, request-supplied prompt value is copied into the error text.
            // Confirm that whatever renders or logs this message encodes it for its context.
            String rejection = "Prompt parameter " + prompt.getOriginalValue() + " is invalid or unsupported";
            Reject.ifFalse(promptAccepted, rejection);
        } catch (IllegalArgumentException invalidPrompt) {
            // Only the message survives the translation; the original exception is not chained
            // as a cause, so its stack trace is lost to anyone diagnosing the rejection.
            throw new BadRequestException(invalidPrompt.getMessage());
        }
    }

    /**
     * Requires a {@code nonce} parameter for every response type set other than exactly
     * {@code {"code"}}.
     *
     * <p>The nonce is what lets a client tie an ID token to the request it sent, so its presence
     * is enforced here. Only presence is tested: the comparison is against {@code null}.
     * NOTE(review): an empty or whitespace-only nonce would pass if {@code getParameter} returns
     * it as a non-null value; confirm how the request implementation represents empty parameters.
     *
     * @param request the incoming authorization request
     * @param responseTypes the parsed {@code response_type} values
     * @throws InvalidRequestException if a nonce is required and absent; the error is always
     *         tagged with {@code UrlLocation.FRAGMENT}
     */
    private void validateNonce(OAuth2Request request, Set<String> responseTypes) throws InvalidRequestException {
        boolean codeOnly = responseTypes.size() == 1 && responseTypes.contains("code");
        if (codeOnly) {
            return;
        }
        if (request.getParameter("nonce") == null) {
            throw new InvalidRequestException("Missing required parameter nonce from request", OAuth2Constants.UrlLocation.FRAGMENT);
        }
    }

    /**
     * Checks that the {@code openid} scope and the requested response types are consistent, and
     * triggers the nonce check when the {@code openid} scope is in effect.
     *
     * <p>When the request carries no scope, the client's registered default scopes are used for
     * the check. NOTE(review): the result of {@code getDefaultScopes()} is dereferenced without a
     * null check; confirm the registration never returns {@code null} here.
     *
     * @param request the incoming authorization request
     * @throws InvalidRequestException if {@code id_token} is requested without the {@code openid}
     *         scope, or if the nonce check fails
     * @throws InvalidClientException declared by the client lookup
     * @throws InvalidScopeException declared by this validation path
     * @throws NotFoundException declared by the client lookup
     */
    private void validateOpenIdScope(OAuth2Request request) throws InvalidClientException, InvalidRequestException, InvalidScopeException, NotFoundException {
        // client_id comes straight from the request; the store lookup is the only check applied
        // to it in this class.
        String clientId = (String) request.getParameter("client_id");
        ClientRegistration registration = this.clientRegistrationStore.get(clientId, request);
        if (!Utils.isOpenIdConnectClient(registration)) {
            // Not an OpenID Connect client: none of the checks below apply.
            return;
        }

        Set<String> responseTypes = Utils.splitResponseType((String) request.getParameter("response_type"));
        Set<String> scopes = Utils.splitScope((String) request.getParameter("scope"));
        if (CollectionUtils.isEmpty(scopes)) {
            scopes = registration.getDefaultScopes();
        }

        if (!scopes.contains("openid")) {
            if (responseTypes.contains("id_token")) {
                // The error location follows the response type, as decided by
                // Utils.isOpenIdConnectFragmentErrorType.
                throw new InvalidRequestException(
                        "Missing expected scope=openid from request",
                        Utils.isOpenIdConnectFragmentErrorType(responseTypes)
                                ? OAuth2Constants.UrlLocation.FRAGMENT
                                : OAuth2Constants.UrlLocation.QUERY);
            }
            // No openid scope and no id_token requested: nothing further to enforce here.
            return;
        }

        validateNonce(request, responseTypes);
    }
}
