package org.apache.cxf.rs.security.oidc.rp;

import java.util.Collection;
import java.util.HashSet;
import java.util.Objects;

import org.apache.cxf.rs.security.oauth2.client.ClientTokenContext;
import org.apache.cxf.rs.security.oauth2.client.OAuthInvoker;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oidc.common.IdToken;

/* loaded from: input_file:org/apache/cxf/rs/security/oidc/rp/OidcInvoker.class */
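public class OidcInvoker extends OAuthInvoker {
    private IdTokenReader idTokenReader;

    /**
     * Checks the id_token returned alongside a refreshed access token against the
     * id_token already held in the client context, and replaces the stored one only
     * when the two are consistent.
     *
     * <p>The comparisons follow the OpenID Connect Core rules for ID Tokens issued
     * on refresh (section 12.2): same issuer, same subject, the same audience set,
     * same authorized party, an {@code auth_time} that still describes the original
     * authentication, and an {@code iat} that is not earlier than the current
     * token's. Every failed or unverifiable check is reported as an
     * {@link OAuthServiceException} rather than a {@code NullPointerException}, so
     * a refresh can never silently swap or widen the authenticated identity.
     *
     * <p>Token responses without an {@code id_token} parameter are accepted as-is:
     * nothing is validated and the stored id_token is left untouched.
     *
     * @param clientTokenContext the context holding the id_token from the original
     *        authentication; expected to be an {@link OidcClientTokenContextImpl}
     * @param clientAccessToken the freshly refreshed access token response
     * @throws OAuthServiceException if the refreshed id_token lacks a required claim
     *         or disagrees with the id_token currently held in the context
     */
    protected void validateRefreshedToken(ClientTokenContext clientTokenContext, ClientAccessToken clientAccessToken) {
        if (!clientAccessToken.getParameters().containsKey("id_token")) {
            return;
        }
        // NOTE(review): the reader is assumed to verify the signature and the
        // standard claims (exp, iss, aud contains client_id) — confirm in
        // IdTokenReader. The checks below only tie the new token to the one
        // obtained at the original authentication.
        IdToken refreshed = this.idTokenReader.getIdToken(clientAccessToken, getConsumer());
        OidcClientTokenContextImpl oidcContext = (OidcClientTokenContextImpl) clientTokenContext;
        IdToken current = oidcContext.getIdToken();
        if (current == null) {
            // Nothing to compare against: fail closed instead of accepting an
            // identity that was never bound to this context.
            throw new OAuthServiceException("No current id token to validate the refreshed id token against");
        }
        if (!sameClaim(refreshed.getIssuer(), current.getIssuer())) {
            throw new OAuthServiceException("Invalid id token issuer");
        }
        if (!sameClaim(refreshed.getSubject(), current.getSubject())) {
            throw new OAuthServiceException("Invalid id token subject");
        }
        // OIDC Core 12.2: the aud of a refreshed ID Token MUST be the same as the
        // original's. A one-way containsAll() would let the refreshed token carry
        // additional audiences, so the two sets are compared for exact equality.
        if (!sameAudiences(refreshed.getAudiences(), current.getAudiences())) {
            throw new OAuthServiceException("Invalid id token audience(s)");
        }
        // auth_time, when present, must still describe the original authentication,
        // not the refresh. A refreshed token that omits auth_time is accepted.
        Long refreshedAuthTime = refreshed.getAuthenticationTime();
        if (refreshedAuthTime != null && !refreshedAuthTime.equals(current.getAuthenticationTime())) {
            throw new OAuthServiceException("Invalid id token auth_time");
        }
        // azp must match exactly, "absent on both sides" included.
        if (!Objects.equals(refreshed.getAuthorizedParty(), current.getAuthorizedParty())) {
            throw new OAuthServiceException("Invalid id token authorized party");
        }
        // A refreshed token must not be older than the one it replaces; a missing
        // iat on either side is treated as invalid rather than dereferenced.
        Long refreshedIssuedAt = refreshed.getIssuedAt();
        Long currentIssuedAt = current.getIssuedAt();
        if (refreshedIssuedAt == null || currentIssuedAt == null
                || refreshedIssuedAt.longValue() < currentIssuedAt.longValue()) {
            throw new OAuthServiceException("Invalid id token issued time");
        }
        oidcContext.setIdToken(refreshed);
    }

    /**
     * Returns true only when the refreshed token carries the claim and its value
     * equals the current token's value; a missing value on either side fails.
     */
    private static boolean sameClaim(String refreshedValue, String currentValue) {
        return refreshedValue != null && refreshedValue.equals(currentValue);
    }

    /**
     * Returns true only when both audience collections are present and contain
     * exactly the same values (order and duplicates ignored).
     */
    private static boolean sameAudiences(Collection<?> refreshed, Collection<?> current) {
        if (refreshed == null || current == null) {
            return false;
        }
        return new HashSet<Object>(refreshed).equals(new HashSet<Object>(current));
    }

    /**
     * Sets the reader used to parse and verify the id_token carried in a refreshed
     * token response.
     *
     * @param idTokenReader the reader; must be set before any refresh is validated
     */
    public void setIdTokenReader(IdTokenReader idTokenReader) {
        this.idTokenReader = idTokenReader;
    }
}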
