package org.apache.cxf.rs.security.oidc.rp;

import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oidc.common.UserInfo;
import org.apache.cxf.rs.security.oidc.common.UserToken;

/* loaded from: input_file:org/apache/cxf/rs/security/oidc/rp/UserInfoValidator.class */
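/**
 * Relying-party helper that fetches an OpenID Connect UserInfo response and checks it
 * against the ID token ({@link UserToken}) obtained for the same end user.
 *
 * <p>Two response shapes are handled: a plain JSON document bound directly to
 * {@link UserInfo}, and a JWT that is first handed to the inherited
 * {@code getJwtToken(...)}. In both cases the result goes through
 * {@link #validateUserInfo(UserInfo, UserToken)} before it is returned.
 *
 * <p>NOTE(review): signature verification and decryption are not visible in this class;
 * they are presumably done by {@code getJwtToken} / {@code validateJwtClaims} in the
 * superclass. Confirm there before relying on them.
 */
public class UserInfoValidator extends AbstractTokenValidator {
    // Forwarded to getJwtToken(...) on the JWT path. Defaults to false (Java field default).
    private boolean encryptedOnly;

    /**
     * Fetches UserInfo as a plain JSON response and validates it against the ID token.
     *
     * <p>This path never calls {@code getJwtToken}, so the response carries no signature
     * that this class checks; its integrity rests on how the supplied {@link WebClient}
     * is configured (transport security, endpoint address).
     *
     * @param webClient client already pointed at the UserInfo endpoint
     * @param userToken ID token whose audience and subject the response must match
     * @return the validated UserInfo
     * @throws SecurityException if the subject check fails
     */
    public UserInfo getUserInfo(WebClient webClient, UserToken userToken) {
        return getProfile(webClient, userToken, false);
    }

    /**
     * Fetches UserInfo and validates it against the ID token.
     *
     * @param webClient client already pointed at the UserInfo endpoint
     * @param userToken ID token whose audience and subject the response must match
     * @param z {@code true} to read the response body as a string and process it as a JWT;
     *     {@code false} to bind the response directly to {@link UserInfo}
     * @return the validated UserInfo
     * @throws SecurityException if the subject check fails
     */
    public UserInfo getProfile(WebClient webClient, UserToken userToken, boolean z) {
        if (z) {
            String serializedJwt = webClient.get(String.class);
            return getUserInfoFromJwt(serializedJwt, userToken);
        }
        UserInfo userInfo = webClient.get(UserInfo.class);
        validateUserInfo(userInfo, userToken);
        return userInfo;
    }

    /**
     * Turns a serialized UserInfo JWT into a validated {@link UserInfo}.
     *
     * @param str serialized JWT as returned by the UserInfo endpoint
     * @param userToken ID token whose audience and subject the response must match
     * @return the validated UserInfo
     * @throws SecurityException if the subject check fails
     */
    public UserInfo getUserInfoFromJwt(String str, UserToken userToken) {
        return getUserInfoFromJwt(getUserInfoJwt(str, userToken), userToken);
    }

    /**
     * Builds a {@link UserInfo} from the claims of an already processed JWT and validates it.
     *
     * @param jwtToken JWT whose claims map becomes the UserInfo content
     * @param userToken ID token whose audience and subject the claims must match
     * @return the validated UserInfo
     * @throws SecurityException if the subject check fails
     */
    public UserInfo getUserInfoFromJwt(JwtToken jwtToken, UserToken userToken) {
        UserInfo userInfo = new UserInfo(jwtToken.getClaims().asMap());
        validateUserInfo(userInfo, userToken);
        return userInfo;
    }

    /**
     * Passes the serialized JWT to the inherited {@code getJwtToken}, together with the
     * ID token's audience, its {@code "kid"} property and the {@code encryptedOnly} flag.
     *
     * @param str serialized JWT as returned by the UserInfo endpoint
     * @param userToken ID token supplying the audience and the {@code "kid"} property
     * @return whatever {@code getJwtToken} returns for these inputs
     */
    public JwtToken getUserInfoJwt(String str, UserToken userToken) {
        // The "kid" property may be absent, in which case null is passed through.
        String keyId = (String) userToken.getProperty("kid");
        return getJwtToken(str, userToken.getAudience(), keyId, this.encryptedOnly);
    }

    /**
     * Validates a UserInfo response against the ID token it is supposed to belong to.
     *
     * <p>The claims are first handed to the inherited {@code validateJwtClaims} with the
     * ID token's audience, then the {@code sub} values are compared. OpenID Connect Core
     * section 5.3.2 requires an exact match and forbids using the response otherwise.
     *
     * @param userInfo UserInfo claims to check
     * @param userToken ID token providing the expected audience and subject
     * @throws SecurityException if the ID token has no subject or the subjects differ
     */
    public void validateUserInfo(UserInfo userInfo, UserToken userToken) {
        validateJwtClaims(userInfo, userToken.getAudience(), false);
        // An ID token without a subject gives nothing to bind the response to, so fail
        // closed with the same SecurityException instead of a NullPointerException.
        String expectedSubject = userToken.getSubject();
        if (expectedSubject == null || !expectedSubject.equals(userInfo.getSubject())) {
            throw new SecurityException("Invalid subject");
        }
    }

    /**
     * Sets the flag forwarded to {@code getJwtToken} for UserInfo JWTs.
     *
     * <p>NOTE(review): presumably makes the validator reject UserInfo JWTs that are not
     * encrypted; the enforcement is in the superclass and not visible here.
     *
     * @param z new value of the flag
     */
    public void setEncryptedOnly(boolean z) {
        this.encryptedOnly = z;
    }
}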
