package org.glassfish.soteria.mechanisms.openid.controller;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jwt.JWTClaimsSet;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.authentication.mechanism.http.openid.OpenIdConstant;
import jakarta.security.enterprise.identitystore.openid.IdentityToken;
import jakarta.security.enterprise.identitystore.openid.RefreshToken;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.client.ClientBuilder;
import jakarta.ws.rs.client.Entity;
import jakarta.ws.rs.core.Form;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.util.Collections;
import java.util.Map;
import org.glassfish.soteria.mechanisms.openid.domain.AccessTokenImpl;
import org.glassfish.soteria.mechanisms.openid.domain.IdentityTokenImpl;
import org.glassfish.soteria.mechanisms.openid.domain.OpenIdConfiguration;

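/**
 * Talks to the OpenID Connect provider's token endpoint and validates the tokens it returns.
 *
 * <p>Both token requests send {@code client_id} and {@code client_secret} as form parameters in
 * the POST body, so the confidentiality of the secret, the authorization code and the refresh
 * token depends on the transport to the token endpoint.
 * NOTE(review): nothing in this class checks that the endpoint from the provider metadata is
 * an https URL; confirm this is enforced where the metadata is loaded.
 */
@ApplicationScoped
/* loaded from: input_file:org/glassfish/soteria/mechanisms/openid/controller/TokenController.class */
public class TokenController {

    @Inject
    private NonceController nonceController;

    @Inject
    private OpenIdConfiguration configuration;

    @Inject
    private JWTValidator validator;

    /**
     * Exchanges the authorization code carried by the callback request for tokens.
     *
     * @param httpServletRequest the callback request; its {@code code} parameter and the redirect
     *     URI built from it are forwarded to the token endpoint
     * @return the raw token endpoint response, unread; the caller is responsible for checking
     *     the status and consuming the entity
     */
    public Response getTokens(HttpServletRequest httpServletRequest) {
        // NOTE(review): the code value is taken from the request as-is and may be null when the
        // parameter is absent; callers presumably check state and code presence first - confirm.
        Form form = new Form()
                .param(OpenIdConstant.CLIENT_ID, this.configuration.getClientId())
                .param(OpenIdConstant.CLIENT_SECRET, clientSecretAsString())
                .param(OpenIdConstant.GRANT_TYPE, OpenIdConstant.AUTHORIZATION_CODE)
                .param(OpenIdConstant.CODE, httpServletRequest.getParameter(OpenIdConstant.CODE))
                .param(OpenIdConstant.REDIRECT_URI, this.configuration.buildRedirectURI(httpServletRequest));
        return postToTokenEndpoint(form);
    }

    /**
     * Validates an ID token obtained from the authorization code flow.
     *
     * <p>The stored nonce is removed whether validation succeeds or fails, so a nonce is never
     * left behind for a later request to reuse.
     *
     * @param identityTokenImpl the ID token to validate
     * @param httpMessageContext supplies the request and response the nonce is read from and
     *     removed through
     * @return the claims returned by the validator
     */
    public JWTClaimsSet validateIdToken(IdentityTokenImpl identityTokenImpl, HttpMessageContext httpMessageContext) {
        HttpServletRequest request = httpMessageContext.getRequest();
        HttpServletResponse response = httpMessageContext.getResponse();

        // With nonce use disabled the verifier is handed null as the expected nonce hash.
        // NOTE(review): presumably IdTokenClaimsSetVerifier then skips the nonce comparison,
        // which removes the replay check for the ID token - confirm in that class.
        String expectedNonceHash = null;
        if (this.configuration.isUseNonce()) {
            expectedNonceHash = this.nonceController.getNonceHash(
                    this.nonceController.get(this.configuration, request, response));
        }

        try {
            return this.validator.validateBearerToken(
                    identityTokenImpl.getTokenJWT(),
                    new IdTokenClaimsSetVerifier(expectedNonceHash, this.configuration));
        } finally {
            // finally instead of catch (Throwable): the cleanup runs exactly once on every path,
            // and a failure inside remove() is no longer followed by a second remove() call.
            this.nonceController.remove(this.configuration, request, response);
        }
    }

    /**
     * Validates an ID token returned by a refresh request against the previously issued one.
     *
     * <p>No nonce is involved on this path; the check is delegated to
     * {@code RefreshedIdTokenClaimsSetVerifier}, which is given the previous token.
     *
     * @param identityToken the ID token issued before the refresh
     * @param identityTokenImpl the newly received ID token
     * @return the claims returned by the validator
     */
    public JWTClaimsSet validateRefreshedIdToken(IdentityToken identityToken, IdentityTokenImpl identityTokenImpl) {
        return this.validator.validateBearerToken(
                identityTokenImpl.getTokenJWT(),
                new RefreshedIdTokenClaimsSetVerifier(identityToken, this.configuration));
    }

    /**
     * Runs the access token checks of {@code AccessTokenClaimsSetVerifier}.
     *
     * <p>The access token is not passed through {@code JWTValidator} here, and the method always
     * returns an empty map: callers must not treat the return value as the token's claims.
     * NOTE(review): a failed check is presumably signalled by an exception from
     * {@code validateAccessToken()} - confirm, since the return value carries no result.
     *
     * @param accessTokenImpl the access token to check
     * @param algorithm the algorithm passed on to the verifier
     * @param map the claims passed on to the verifier
     * @return an empty, immutable map
     */
    public Map<String, Object> validateAccessToken(AccessTokenImpl accessTokenImpl, Algorithm algorithm, Map<String, Object> map) {
        new AccessTokenClaimsSetVerifier(accessTokenImpl, algorithm, map, this.configuration).validateAccessToken();
        return Collections.emptyMap();
    }

    /**
     * Requests new tokens with a refresh token.
     *
     * @param refreshToken the refresh token whose value is sent to the token endpoint
     * @return the raw token endpoint response, unread
     */
    public Response refreshTokens(RefreshToken refreshToken) {
        Form form = new Form()
                .param(OpenIdConstant.CLIENT_ID, this.configuration.getClientId())
                .param(OpenIdConstant.CLIENT_SECRET, clientSecretAsString())
                .param(OpenIdConstant.GRANT_TYPE, OpenIdConstant.REFRESH_TOKEN)
                .param(OpenIdConstant.REFRESH_TOKEN, refreshToken.getToken());
        return postToTokenEndpoint(form);
    }

    /** Copies the configured client secret into a String, the only type {@code Form.param} accepts. */
    private String clientSecretAsString() {
        // The copy is immutable and cannot be wiped afterwards; keep it out of logs and fields.
        return new String(this.configuration.getClientSecret());
    }

    /** POSTs the form to the token endpoint from the provider metadata, asking for a JSON reply. */
    private Response postToTokenEndpoint(Form form) {
        // The client is deliberately not closed here: the Response is returned unread.
        // NOTE(review): a new client is created per call and never closed; consider a shared
        // instance owned by this bean, and close the Response at the call sites.
        return ClientBuilder.newClient()
                .target(this.configuration.getProviderMetadata().getTokenEndpoint())
                .request()
                .accept(MediaType.APPLICATION_JSON)
                .post(Entity.form(form));
    }
}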
