package io.quarkus.oidc.runtime;

import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.IdToken;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.OIDCException;
import io.quarkus.security.credential.TokenCredential;
import io.quarkus.security.identity.SecurityIdentity;
import io.smallrye.jwt.auth.cdi.NullJsonWebToken;
import javax.annotation.Priority;
import javax.enterprise.context.RequestScoped;
import javax.enterprise.inject.Alternative;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import org.eclipse.microprofile.jwt.Claims;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

/**
 * CDI producer that exposes the tokens attached to the current {@link SecurityIdentity}
 * as {@link JsonWebToken} beans: the access token under the default qualifier and the
 * ID token under the {@link IdToken} qualifier.
 *
 * <p>Declared as an {@code @Alternative} with priority 2 (presumably so it takes
 * precedence over another {@code JsonWebToken} producer; confirm against the deployment).
 *
 * <p>Security note: this class performs no token verification of its own. When it has to
 * parse a token, it does so with signature verification and every validator switched off,
 * so the resulting claims are only as trustworthy as the credential already attached to
 * the identity. NOTE(review): this assumes the credential was verified when the identity
 * was established; nothing in this class checks that.
 */
@Alternative
@Priority(2)
@RequestScoped
/* loaded from: input_file:io/quarkus/oidc/runtime/OidcJsonWebTokenProducer.class */
public class OidcJsonWebTokenProducer {

    /** Identity of the caller for the current request. */
    @Inject
    SecurityIdentity identity;

    /**
     * Produces the current access token as a {@link JsonWebToken}.
     *
     * @return the token view built by {@link #getTokenCredential(Class)} for
     *         {@link AccessTokenCredential}
     */
    @RequestScoped
    @Produces
    JsonWebToken currentAccessToken() {
        final Class<? extends TokenCredential> credentialType = AccessTokenCredential.class;
        return getTokenCredential(credentialType);
    }

    /**
     * Produces the current ID token as a {@link JsonWebToken} qualified with {@link IdToken}.
     *
     * @return the token view built by {@link #getTokenCredential(Class)} for
     *         {@link IdTokenCredential}
     */
    @RequestScoped
    @Produces
    @IdToken
    JsonWebToken currentIdToken() {
        final Class<? extends TokenCredential> credentialType = IdTokenCredential.class;
        return getTokenCredential(credentialType);
    }

    /**
     * Resolves the credential of the requested type on the current identity and returns it
     * as a {@link JsonWebToken}.
     *
     * @param cls the credential type to look up (access token or ID token credential)
     * @return a {@link NullJsonWebToken} for an anonymous identity; the identity's principal
     *         when it is an {@link OidcJwtCallerPrincipal} whose credential class is exactly
     *         {@code cls}; otherwise a new {@link OidcJwtCallerPrincipal} built from the
     *         parsed claims of the credential's token
     * @throws OIDCException if the identity has no credential of type {@code cls}, if the
     *         access token is opaque, or if the token cannot be parsed as a JWT
     */
    private JsonWebToken getTokenCredential(Class<? extends TokenCredential> cls) {
        if (identity.isAnonymous()) {
            // No authenticated caller: hand out the placeholder token instead of failing.
            return new NullJsonWebToken();
        }

        // Reuse the principal when it already wraps a credential of exactly the requested
        // class; the comparison is by class identity, so subclasses do not match.
        final Object principal = identity.getPrincipal();
        if (principal instanceof OidcJwtCallerPrincipal) {
            final OidcJwtCallerPrincipal jwtPrincipal = (OidcJwtCallerPrincipal) principal;
            if (jwtPrincipal.getCredential().getClass() == cls) {
                return (JsonWebToken) principal;
            }
        }

        final TokenCredential tokenCredential = identity.getCredential(cls);
        if (tokenCredential == null) {
            final String kind;
            if (cls == AccessTokenCredential.class) {
                kind = "access";
            } else {
                kind = "ID";
            }
            throw new OIDCException("Current identity is not associated with an " + kind + " token");
        }

        // An opaque access token has no JWT structure to parse.
        if (tokenCredential instanceof AccessTokenCredential) {
            final AccessTokenCredential accessToken = (AccessTokenCredential) tokenCredential;
            if (accessToken.isOpaque()) {
                throw new OIDCException("Opaque access token can not be converted to JsonWebToken");
            }
        }

        try {
            final String rawToken = tokenCredential.getToken();
            // SECURITY: signature verification and all validators (expiry, issuer, audience,
            // ...) are disabled here, so this call only decodes the claims. It must never be
            // the sole check on a token; see the class-level note on the upstream assumption.
            final JwtClaims claims = new JwtConsumerBuilder()
                    .setSkipSignatureVerification()
                    .setSkipAllValidators()
                    .build()
                    .processToClaims(rawToken);
            // The complete bearer token is stored as a claim; code that logs or serializes
            // the claim set would therefore expose the token itself.
            claims.setClaim(Claims.raw_token.name(), rawToken);
            return new OidcJwtCallerPrincipal(claims, tokenCredential);
        } catch (InvalidJwtException e) {
            throw new OIDCException(e);
        }
    }
}
