package org.springframework.security.config.annotation.web.configurers.oauth2.client;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.springframework.security.oauth2.client.oidc.authentication.logout.LogoutTokenClaimAccessor;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.util.Assert;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/spring-security-config-6.4.5.jar:org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutTokenValidator.class */
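/**
 * Validates the claims of an OIDC Back-Channel Logout token for one client registration.
 *
 * <p>The checks follow the rules referenced by {@link #LOGOUT_VALIDATION_URL}: the
 * {@code events} claim must carry the back-channel logout event, {@code iss} must equal
 * the registration's configured issuer URI, {@code aud} must include the registration's
 * client id, {@code iat} and {@code jti} must be present, at least one of {@code sub} and
 * {@code sid} must be present, and {@code nonce} must be absent.
 *
 * <p>Scope, as visible in this class: only claims are inspected. Signature verification
 * and timestamp freshness are not performed here, and {@code jti} is checked for presence
 * only, so replay detection is not done here either.
 * NOTE(review): presumably the JWT decoder and other validators cover those; confirm
 * where this validator is wired in before relying on it alone.
 */
public final class OidcBackChannelLogoutTokenValidator implements OAuth2TokenValidator<Jwt> {
    /** Specification section reported as the error URI of every validation failure. */
    private static final String LOGOUT_VALIDATION_URL = "https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation";

    /** Member name that must be present in the {@code events} claim of a logout token. */
    private static final String BACK_CHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";

    /** Expected audience: the client id of the registration this validator was built for. */
    private final String audience;

    /** Expected issuer: the issuer URI configured on the registration's provider details. */
    private final String issuer;

    /**
     * Creates a validator bound to the given client registration.
     *
     * @param clientRegistration registration supplying the expected audience (client id)
     *     and the expected issuer (provider issuer URI)
     * @throws IllegalArgumentException if the provider issuer URI is null or blank, since
     *     the {@code iss} check could not be enforced without it
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public OidcBackChannelLogoutTokenValidator(ClientRegistration clientRegistration) {
        this.audience = clientRegistration.getClientId();
        String issuerUri = clientRegistration.getProviderDetails().getIssuerUri();
        // Fail at construction time rather than silently accepting any issuer later.
        Assert.hasText(issuerUri, "Provider issuer cannot be null");
        this.issuer = issuerUri;
    }

    /**
     * Checks the logout token's claims and collects every violation found.
     *
     * <p>All checks run even after the first failure, so the result lists every problem.
     *
     * @param jwt the decoded logout token; must not be null
     * @return the result built from the collected errors
     * @throws NullPointerException if {@code jwt} is null
     */
    @Override // org.springframework.security.oauth2.core.OAuth2TokenValidator
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        Objects.requireNonNull(jwt);
        List<OAuth2Error> errors = new ArrayList<>();
        LogoutTokenClaimAccessor logoutClaims = jwt::getClaims;

        // Only the presence of the event member is checked; its value is not inspected.
        Map<String, Object> events = logoutClaims.getEvents();
        if (events == null) {
            errors.add(invalidLogoutToken("events claim must not be null"));
        } else if (events.get(BACK_CHANNEL_LOGOUT_EVENT) == null) {
            errors.add(invalidLogoutToken("events claim map must contain \"" + BACK_CHANNEL_LOGOUT_EVENT + "\" key"));
        }

        // A token without an iss claim must yield a validation error, not a
        // NullPointerException: test the URL for null before converting it to a string.
        java.net.URL issuerUrl = logoutClaims.getIssuer();
        if (issuerUrl == null) {
            errors.add(invalidLogoutToken("iss claim must not be null"));
        } else if (!this.issuer.equals(issuerUrl.toExternalForm())) {
            // Exact string comparison: any textual difference from the configured URI is rejected.
            errors.add(invalidLogoutToken("iss claim value must match `ClientRegistration#getProviderDetails#getIssuerUri`"));
        }

        List<String> tokenAudience = logoutClaims.getAudience();
        if (tokenAudience == null) {
            errors.add(invalidLogoutToken("aud claim must not be null"));
        } else if (!tokenAudience.contains(this.audience)) {
            errors.add(invalidLogoutToken("aud claim value must include `ClientRegistration#getClientId`"));
        }

        // iat and jti are checked for presence only (no freshness or uniqueness check here).
        if (logoutClaims.getIssuedAt() == null) {
            errors.add(invalidLogoutToken("iat claim must not be null"));
        }
        if (logoutClaims.getId() == null) {
            errors.add(invalidLogoutToken("jti claim must not be null"));
        }

        // The token has to identify what to log out: a subject, a session, or both.
        if (logoutClaims.getSubject() == null && logoutClaims.getSessionId() == null) {
            errors.add(invalidLogoutToken("sub and sid claims must not both be null"));
        }

        // A nonce marks an ID token; rejecting it keeps ID tokens from being accepted as logout tokens.
        if (logoutClaims.getClaim("nonce") != null) {
            errors.add(invalidLogoutToken("nonce claim must not be present"));
        }

        // NOTE(review): a valid token reaches this line with an empty list, so acceptance
        // relies on failure(...) treating an empty collection as success - confirm against
        // OAuth2TokenValidatorResult.
        return OAuth2TokenValidatorResult.failure(errors);
    }

    /**
     * Builds the error reported for a single failed check.
     *
     * @param str human-readable description of the violated rule
     * @return an {@code invalid_token} error pointing at the validation section of the spec
     */
    private static OAuth2Error invalidLogoutToken(String str) {
        return new OAuth2Error("invalid_token", str, LOGOUT_VALIDATION_URL);
    }
}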
