package org.apache.cxf.rs.security.oidc.rp;

import java.util.Map;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.client.Consumer;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.utils.OidcUtils;

/* loaded from: input_file:org/apache/cxf/rs/security/oidc/rp/IdTokenReader.class */
public class IdTokenReader extends OidcClaimsValidator {
    private boolean requireAtHash = true;
    private boolean requireCodeHash;

    public IdToken getIdToken(ClientAccessToken clientAccessToken, String str, Consumer consumer) {
        return getIdTokenFromJwt(getIdJwtToken(clientAccessToken, str, consumer));
    }

    public IdToken getIdToken(ClientAccessToken clientAccessToken, Consumer consumer) {
        return getIdToken(clientAccessToken, null, consumer);
    }

    public IdToken getIdToken(String str, Consumer consumer) {
        return getIdTokenFromJwt(getIdJwtToken(str, consumer));
    }

    public JwtToken getIdJwtToken(ClientAccessToken clientAccessToken, String str, Consumer consumer) {
        JwtToken idJwtToken = getIdJwtToken((String) clientAccessToken.getParameters().get("id_token"), consumer);
        OidcUtils.validateAccessTokenHash(clientAccessToken, idJwtToken, this.requireAtHash);
        OidcUtils.validateCodeHash(str, idJwtToken, this.requireCodeHash);
        return idJwtToken;
    }

    public JwtToken getIdJwtToken(ClientAccessToken clientAccessToken, Consumer consumer) {
        return getIdJwtToken(clientAccessToken, null, consumer);
    }

    public JwtToken getIdJwtToken(String str, Consumer consumer) {
        JwtToken jwtToken = getJwtToken(str, consumer.getClientSecret());
        validateJwtClaims(jwtToken.getClaims(), consumer.getClientId(), true);
        return jwtToken;
    }

    private IdToken getIdTokenFromJwt(JwtToken jwtToken) {
        return new IdToken((Map<String, Object>) jwtToken.getClaims().asMap());
    }

    public void setRequireAccessTokenHash(boolean z) {
        this.requireAtHash = z;
    }

    public void setRequireCodeHash(boolean z) {
        this.requireCodeHash = z;
    }
}
