package org.apache.cxf.rs.security.oidc.idp;

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.apache.cxf.rs.security.jose.jwt.JoseJwtProducer;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.utils.OidcUtils;

/* loaded from: input_file:org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.class */
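/**
 * OpenID Connect flavour of the OAuth2 implicit grant endpoint.
 *
 * <p>Extends {@link ImplicitGrantService} so that an ID token can be returned in the
 * redirect URI fragment, either alone or together with an access token.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>a request without a non-empty {@code nonce} is rejected before authorization starts;</li>
 *   <li>user consent can be skipped for {@code openid}-only requests when
 *       {@link #setSkipAuthorizationWithOidcScope(boolean)} is enabled;</li>
 *   <li>the ID token is serialized by the configured {@link JoseJwtProducer}, or by a
 *       default-constructed one when none is set.</li>
 * </ul>
 */
public class OidcImplicitService extends ImplicitGrantService {
    // When true, the consent step may be skipped for requests that ask only for the openid scope.
    private boolean skipAuthorizationWithOidcScope;
    // Producer used to serialize ID tokens; a default JoseJwtProducer is used when null.
    private JoseJwtProducer idTokenHandler;
    // Optional source of ID tokens, consulted when the subject carries no ready-made token.
    private IdTokenProvider idTokenProvider;

    /**
     * Creates a service that accepts the {@code id_token} response type and
     * {@link OidcUtils#ID_TOKEN_AT_RESPONSE_TYPE}.
     */
    public OidcImplicitService() {
        super(new HashSet<String>(Arrays.asList("id_token", OidcUtils.ID_TOKEN_AT_RESPONSE_TYPE)));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates a service with a caller-supplied configuration; both arguments are passed
     * straight to the superclass constructor.
     *
     * @param set passed to the superclass; presumably the supported response types, as in
     *            the no-arg constructor (confirm against ImplicitGrantService)
     * @param str passed to the superclass; its meaning is not visible in this file
     */
    public OidcImplicitService(Set<String> set, String str) {
        super(set, str);
    }

    /**
     * Tells whether an access token accompanies the ID token for the given response type.
     *
     * @param str the requested response type
     * @return {@code true} only for {@link OidcUtils#ID_TOKEN_AT_RESPONSE_TYPE}
     */
    protected boolean canAccessTokenBeReturned(String str) {
        return OidcUtils.ID_TOKEN_AT_RESPONSE_TYPE.equals(str);
    }

    /**
     * Starts the authorization step after checking that the request carries a nonce.
     *
     * <p>OpenID Connect makes {@code nonce} mandatory for the implicit flow: the client
     * compares the value echoed in the ID token with the one it sent, which is how it
     * detects a replayed token. An empty value is treated as missing because it cannot
     * bind the token to the request.
     *
     * @param multivaluedMap the authorization request parameters
     * @param userSubject the authenticated end user
     * @param client the requesting client
     * @return the response produced by the superclass
     * @throws OAuthServiceException with {@code invalid_request} when the nonce is absent or empty
     */
    protected Response startAuthorization(MultivaluedMap<String, String> multivaluedMap, UserSubject userSubject, Client client) {
        String nonce = multivaluedMap.getFirst(IdToken.NONCE_CLAIM);
        if (nonce == null || nonce.isEmpty()) {
            throw new OAuthServiceException(new OAuthError("invalid_request"));
        }
        return super.startAuthorization(multivaluedMap, userSubject, client);
    }

    /**
     * Decides whether the consent step can be skipped.
     *
     * <p>Skipping is allowed only when the feature flag is on, {@code list} holds exactly
     * the {@code openid} scope and {@code list2} holds exactly one permission. With the flag
     * enabled, any client may therefore obtain an ID token for a signed-in user without a
     * consent prompt; enable it only where that is intended.
     *
     * @param client the requesting client (not consulted here)
     * @param userSubject the authenticated end user (not consulted here)
     * @param list scope names; presumably the requested scopes (confirm against the caller)
     * @param list2 permissions; presumably those matching the requested scopes
     * @return {@code true} when consent may be skipped
     */
    protected boolean canAuthorizationBeSkipped(Client client, UserSubject userSubject, List<String> list, List<OAuthPermission> list2) {
        boolean singleScopeAndPermission = list.size() == 1 && list2.size() == 1;
        return singleScopeAndPermission
            && this.skipAuthorizationWithOidcScope
            && OidcUtils.OPENID_SCOPE.equals(list.get(0));
    }

    /**
     * Enables or disables skipping of the consent step for {@code openid}-only requests.
     *
     * @param z {@code true} to allow skipping
     */
    public void setSkipAuthorizationWithOidcScope(boolean z) {
        this.skipAuthorizationWithOidcScope = z;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the redirect URI that carries the grant back to the client.
     *
     * <p>When the response type also asks for an access token the superclass builds the
     * whole response. Otherwise only an {@code id_token} fragment parameter is written, and
     * it is omitted when no ID token could be produced.
     *
     * @param oAuthRedirectionState the state of the current authorization request
     * @param client the requesting client
     * @param list scope names, passed with {@code list2} to {@code getApprovedScope};
     *             presumably the requested scopes
     * @param list2 scope names; presumably the scopes the user approved
     * @param userSubject the authenticated end user
     * @param serverAccessToken a token forwarded to the superclass; unused in the ID-token-only path
     * @return the redirect URI with its fragment
     */
    public StringBuilder prepareGrant(OAuthRedirectionState oAuthRedirectionState, Client client, List<String> list, List<String> list2, UserSubject userSubject, ServerAccessToken serverAccessToken) {
        if (canAccessTokenBeReturned(oAuthRedirectionState.getResponseType())) {
            return super.prepareGrant(oAuthRedirectionState, client, list, list2, userSubject, serverAccessToken);
        }
        StringBuilder uriWithFragment = getUriWithFragment(oAuthRedirectionState.getRedirectUri());
        String processedIdToken = getProcessedIdToken(oAuthRedirectionState, userSubject, getApprovedScope(list, list2));
        if (processedIdToken != null) {
            // The token is appended as-is, with no URL encoding at this point.
            // NOTE(review): a compact JWT is URL-safe, but the value taken from the subject
            // properties is not checked here; confirm it is always a compact JWT.
            uriWithFragment.append("id_token").append("=").append(processedIdToken);
        }
        finalizeResponse(uriWithFragment, oAuthRedirectionState);
        return uriWithFragment;
    }

    /**
     * Produces the serialized ID token for the response, trying three sources in order:
     * a ready-made token in the subject properties, the configured {@link IdTokenProvider},
     * and finally the {@link IdToken} held by an {@link OidcUserSubject}.
     *
     * @param oAuthRedirectionState the state of the current authorization request
     * @param userSubject the authenticated end user
     * @param list the approved scopes, handed to the provider
     * @return the serialized ID token, or {@code null} when none of the sources applies
     */
    private String getProcessedIdToken(OAuthRedirectionState oAuthRedirectionState, UserSubject userSubject, List<String> list) {
        if (userSubject.getProperties().containsKey("id_token")) {
            // Returned verbatim: this method sets neither the nonce nor the audience on it.
            // NOTE(review): whoever stores this property must have bound the token to the
            // current request and client; verify against the code that populates it.
            return (String) userSubject.getProperties().get("id_token");
        }
        if (this.idTokenProvider != null) {
            IdToken providedToken = this.idTokenProvider.getIdToken(oAuthRedirectionState.getClientId(), userSubject, list);
            // Echo the request nonce so the client can match the token to its request.
            providedToken.setNonce(oAuthRedirectionState.getNonce());
            return processIdToken(providedToken);
        }
        if (!(userSubject instanceof OidcUserSubject)) {
            return null;
        }
        // Work on a copy so the token kept on the subject is not modified per request.
        IdToken subjectToken = new IdToken(((OidcUserSubject) userSubject).getIdToken());
        String clientId = oAuthRedirectionState.getClientId();
        // Restrict the token to the requesting client (aud and azp) and echo the nonce.
        subjectToken.setAudience(clientId);
        subjectToken.setAuthorizedParty(clientId);
        subjectToken.setNonce(oAuthRedirectionState.getNonce());
        return processIdToken(subjectToken);
    }

    /**
     * Rebuilds the redirection state from the request parameters and lets
     * {@link OidcUtils#setStateClaimsProperty} add the OIDC claims information to it.
     *
     * @param multivaluedMap the request parameters
     * @return the redirection state created by the superclass, after the OIDC update
     */
    protected OAuthRedirectionState recreateRedirectionStateFromParams(MultivaluedMap<String, String> multivaluedMap) {
        OAuthRedirectionState state = super.recreateRedirectionStateFromParams(multivaluedMap);
        OidcUtils.setStateClaimsProperty(state, multivaluedMap);
        return state;
    }

    /**
     * Creates the access token registration and copies the extra properties of the
     * redirection state into it.
     *
     * @param oAuthRedirectionState the state of the current authorization request
     * @param client the requesting client
     * @param list scope names forwarded to the superclass
     * @param list2 scope names forwarded to the superclass
     * @param userSubject the authenticated end user
     * @return the registration created by the superclass, with the extra properties added
     */
    protected AccessTokenRegistration createTokenRegistration(OAuthRedirectionState oAuthRedirectionState, Client client, List<String> list, List<String> list2, UserSubject userSubject) {
        AccessTokenRegistration registration = super.createTokenRegistration(oAuthRedirectionState, client, list, list2, userSubject);
        registration.getExtraProperties().putAll(oAuthRedirectionState.getExtraProperties());
        return registration;
    }

    /**
     * Serializes an ID token with the configured producer, or with a default-constructed
     * {@link JoseJwtProducer} when none was set.
     *
     * <p>NOTE(review): whether the result is signed or encrypted depends on the producer's
     * configuration, which is not visible in this file; confirm that a deployment cannot
     * end up issuing unsigned ID tokens through the default producer.
     *
     * @param idToken the claims to serialize
     * @return the serialized token
     */
    protected String processIdToken(IdToken idToken) {
        JoseJwtProducer producer = this.idTokenHandler == null ? new JoseJwtProducer() : this.idTokenHandler;
        return producer.processJwt(new JwtToken(idToken));
    }

    /**
     * Sets the producer used to serialize ID tokens.
     *
     * @param joseJwtProducer the producer, or {@code null} to fall back to a default one
     */
    public void setIdTokenJoseHandler(JoseJwtProducer joseJwtProducer) {
        this.idTokenHandler = joseJwtProducer;
    }

    /**
     * Sets the provider that supplies ID tokens when the subject carries no ready-made one.
     *
     * @param idTokenProvider the provider, or {@code null} to disable this source
     */
    public void setIdTokenProvider(IdTokenProvider idTokenProvider) {
        this.idTokenProvider = idTokenProvider;
    }
}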
