package org.keycloak.adapters.rotation;

import java.security.PublicKey;
import org.jboss.logging.Logger;
import org.keycloak.TokenVerifier;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.JsonWebToken;

/* loaded from: input_file:BOOT-INF/lib/keycloak-adapter-core-9.0.5.redhat-00002.jar:org/keycloak/adapters/rotation/AdapterTokenVerifier.class */
/**
 * Static helpers the adapter uses to validate tokens against a {@link KeycloakDeployment}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The verification key is selected by the {@code kid} taken from the token header, which is
 *       read before any signature has been checked. It is used only as a lookup hint for the
 *       deployment's public-key locator.</li>
 *   <li>{@link #verifyTokens} verifies the access token through {@link #createVerifier}, but the
 *       ID token is only checked for audience and issued-for; its signature is not verified
 *       here.</li>
 * </ul>
 */
public class AdapterTokenVerifier {
    private static final Logger log = Logger.getLogger(AdapterTokenVerifier.class);

    /** Immutable pair holding the access token and the (possibly absent) ID token. */
    public static class VerifiedTokens {
        private final AccessToken accessToken;
        // null when verifyTokens was called without an ID token string.
        private final IDToken idToken;

        /**
         * @param accessToken the access token to expose
         * @param iDToken the ID token to expose, or {@code null} when none was supplied
         */
        public VerifiedTokens(AccessToken accessToken, IDToken iDToken) {
            this.accessToken = accessToken;
            this.idToken = iDToken;
        }

        /** @return the access token passed to the constructor */
        public AccessToken getAccessToken() {
            return accessToken;
        }

        /** @return the ID token passed to the constructor; may be {@code null} */
        public IDToken getIdToken() {
            return idToken;
        }
    }

    /**
     * Verifies an access token with the default checks, the realm URL and the deployment's key.
     *
     * <p>The audience is checked against the deployment's resource name only when
     * {@code keycloakDeployment.isVerifyTokenAudience()} is true; otherwise any audience is
     * accepted by this method.
     *
     * @param str the serialized access token
     * @param keycloakDeployment deployment supplying realm URL, resource name and key locator
     * @return the parsed access token once verification succeeded
     * @throws VerificationException if a check fails or no public key matches the token's kid
     */
    public static AccessToken verifyToken(String str, KeycloakDeployment keycloakDeployment) throws VerificationException {
        TokenVerifier<AccessToken> verifier = createVerifier(str, keycloakDeployment, true, AccessToken.class);
        boolean audienceRequired = keycloakDeployment.isVerifyTokenAudience();
        if (audienceRequired) {
            verifier.audience(keycloakDeployment.getResourceName());
        }
        return verifier.verify().getToken();
    }

    /**
     * Verifies an access token and, when present, the accompanying ID token.
     *
     * <p>The access token goes through {@link #createVerifier} with default checks. Unlike
     * {@link #verifyToken}, no audience check is added for the access token here, whatever
     * {@code isVerifyTokenAudience()} returns.
     *
     * <p>The ID token is parsed and handed to {@code TokenVerifier.createWithoutSignature}; the
     * only checks configured on it are audience and issued-for, both against the deployment's
     * resource name. Its signature is not verified by this method, so callers should pass only
     * an ID token obtained together with the access token from a trusted source
     * (NOTE(review): presumably the token endpoint response; confirm against callers).
     *
     * @param str the serialized access token
     * @param str2 the serialized ID token, or {@code null} if there is none
     * @param keycloakDeployment deployment supplying realm URL, resource name and key locator
     * @return both tokens; the ID token is {@code null} when {@code str2} is {@code null}
     * @throws VerificationException if any configured check fails on either token
     */
    public static VerifiedTokens verifyTokens(String str, String str2, KeycloakDeployment keycloakDeployment) throws VerificationException {
        // The access token is always verified first; a failure here aborts before the ID token is parsed.
        AccessToken accessToken = createVerifier(str, keycloakDeployment, true, AccessToken.class).verify().getToken();

        IDToken idToken = null;
        if (str2 != null) {
            idToken = TokenVerifier.create(str2, IDToken.class).getToken();
            // Claims-only verification: audience and azp must both equal this client's resource name.
            TokenVerifier.createWithoutSignature(idToken)
                    .audience(keycloakDeployment.getResourceName())
                    .issuedFor(keycloakDeployment.getResourceName())
                    .verify();
        }
        return new VerifiedTokens(accessToken, idToken);
    }

    /**
     * Builds a verifier for the given token and binds it to the deployment's public key.
     *
     * <p>When {@code z} is false, only the public key is configured: neither the default checks
     * nor the realm URL check are added, so the caller is responsible for adding the checks it
     * needs before calling {@code verify()}.
     *
     * @param str the serialized token
     * @param keycloakDeployment deployment supplying the realm URL and the key locator
     * @param z whether to add TokenVerifier's default checks and the realm URL check
     * @param cls the token class to parse into
     * @return a verifier that has not been run yet
     * @throws VerificationException if the header cannot be read or no key matches its kid
     */
    public static <T extends JsonWebToken> TokenVerifier<T> createVerifier(String str, KeycloakDeployment keycloakDeployment, boolean z, Class<T> cls) throws VerificationException {
        TokenVerifier<T> verifier = TokenVerifier.create(str, cls);
        if (z) {
            verifier.withDefaultChecks().realmUrl(keycloakDeployment.getRealmInfoUrl());
        }
        // The kid comes from the not-yet-verified header; it only selects which known key to try.
        String keyId = verifier.getHeader().getKeyId();
        verifier.publicKey(getPublicKey(keyId, keycloakDeployment));
        return verifier;
    }

    /**
     * Resolves the public key for a key id through the deployment's locator.
     *
     * @param keyId the kid from the token header (untrusted at this point)
     * @param deployment deployment whose public-key locator is queried
     * @return the matching key, never {@code null}
     * @throws VerificationException if the locator returns no key for {@code keyId}
     */
    private static PublicKey getPublicKey(String keyId, KeycloakDeployment deployment) throws VerificationException {
        PublicKey resolved = deployment.getPublicKeyLocator().getPublicKey(keyId, deployment);
        if (resolved == null) {
            // The kid is token-supplied and is written to the log as-is; the exception message omits it.
            log.errorf("Didn't find publicKey for kid: %s", keyId);
            throw new VerificationException("Didn't find publicKey for specified kid");
        }
        return resolved;
    }
}
