package org.springframework.security.oauth2.client.oidc.authentication;

import java.time.Instant;
import java.util.List;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.util.CollectionUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-5.1.3.RELEASE.jar:org/springframework/security/oauth2/client/oidc/authentication/OidcTokenValidator.class */
/**
 * Claim-level validation of an OpenID Connect ID Token for a given client registration.
 *
 * <p>Every check that fails raises an {@link OAuth2AuthenticationException} carrying the
 * {@code invalid_id_token} error code; the exception does not say which check failed.
 *
 * <p>What this class does <em>not</em> do, as far as the code here shows: it does not verify the
 * token signature, it does not compare the {@code iss} value against an expected issuer (only a
 * null check is made), and it applies no clock skew to the {@code exp} check. Presumably signature
 * and issuer verification happen in the decoder before this class is reached — confirm against the
 * caller.
 *
 * <p>Decompiled from the 5.1.3.RELEASE jar; the decompiler widened the original package-private
 * class and method to {@code public}.
 */
public final class OidcTokenValidator {
    private static final String INVALID_ID_TOKEN_ERROR_CODE = "invalid_id_token";

    /** Tolerance for the {@code iat} claim: a token issued up to this far in the future is still accepted. */
    private static final long ISSUED_AT_SKEW_SECONDS = 30L;

    private OidcTokenValidator() {
    }

    /**
     * Validates the ID Token's claims against the client registration.
     *
     * <p>Checks, in order: {@code iss}, {@code sub}, {@code aud}, {@code exp} and {@code iat} are
     * present; {@code aud} contains the registration's client id; {@code azp} is present when
     * there is more than one audience and, when present, equals the client id; {@code exp} is
     * strictly after now; {@code iat} is not more than {@value #ISSUED_AT_SKEW_SECONDS} seconds in
     * the future.
     *
     * @param oidcIdToken the ID Token whose claims are checked
     * @param clientRegistration the registration supplying the expected client id
     * @throws OAuth2AuthenticationException with error code {@code invalid_id_token} when any check fails
     */
    public static void validateIdToken(OidcIdToken oidcIdToken, ClientRegistration clientRegistration) {
        rejectUnless(oidcIdToken.getIssuer() != null);
        rejectUnless(oidcIdToken.getSubject() != null);

        List<String> audience = oidcIdToken.getAudience();
        rejectUnless(!CollectionUtils.isEmpty(audience));

        Instant expiresAt = oidcIdToken.getExpiresAt();
        rejectUnless(expiresAt != null);
        Instant issuedAt = oidcIdToken.getIssuedAt();
        rejectUnless(issuedAt != null);

        String clientId = clientRegistration.getClientId();
        rejectUnless(audience.contains(clientId));

        String authorizedParty = oidcIdToken.getAuthorizedParty();
        // With several audiences the token must name the authorized party.
        rejectUnless(audience.size() <= 1 || authorizedParty != null);
        // When azp is given it must be this client.
        rejectUnless(authorizedParty == null || authorizedParty.equals(clientId));

        // Time checks are done last and against a single reading of the clock.
        Instant now = Instant.now();
        rejectUnless(now.isBefore(expiresAt));
        rejectUnless(!issuedAt.isAfter(now.plusSeconds(ISSUED_AT_SKEW_SECONDS)));
    }

    /**
     * Raises the shared {@code invalid_id_token} failure when {@code valid} is false.
     *
     * @param valid outcome of one validation check
     */
    private static void rejectUnless(boolean valid) {
        if (!valid) {
            throw invalidIdToken();
        }
    }

    /**
     * Builds the exception raised for every validation failure; the error's string form is used
     * as the message, so no claim values leak into it.
     */
    private static OAuth2AuthenticationException invalidIdToken() {
        OAuth2Error error = new OAuth2Error(INVALID_ID_TOKEN_ERROR_CODE);
        return new OAuth2AuthenticationException(error, error.toString());
    }
}
