package org.hawkular.accounts.common;

import java.io.IOException;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.keycloak.VerificationException;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.representations.AccessToken;

@ApplicationScoped
/* loaded from: input_file:WEB-INF/lib/hawkular-accounts-common-1.0.14.Final.jar:org/hawkular/accounts/common/TokenVerifier.class */
public class TokenVerifier {

    @Inject
    @AuthServerUrl
    private String baseUrl;

    @Inject
    @RealmName
    private String realm;

    @Inject
    @HostSynonyms
    private Set<String> hostSynonyms;

    @Inject
    AuthServerRequestExecutor executor;

    public String verify(String str) throws Exception {
        try {
            try {
                URL url = new URL(((AccessToken) new JWSInput(str).readJsonContent(AccessToken.class)).getIssuer());
                URL url2 = new URL(this.baseUrl);
                if (!url.getHost().equalsIgnoreCase(url2.getHost()) && this.hostSynonyms.contains(url.getHost())) {
                    url2 = new URL(url.getProtocol(), url.getHost(), url.getPort(), url2.getPath());
                }
                return this.executor.execute(url2.toString() + "/realms/" + URLEncoder.encode(this.realm, "UTF-8") + "/protocol/openid-connect/validate", "access_token=" + URLEncoder.encode(str, "UTF-8"), "GET");
            } catch (IOException e) {
                throw new VerificationException("Couldn't parse token signature", e);
            }
        } catch (Exception e2) {
            throw new VerificationException("Couldn't parse token", e2);
        }
    }
}
