package com.nimbusds.openid.connect.provider.spi.grants.jwt.selfissued.handler;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import com.nimbusds.openid.connect.provider.spi.InitContext;
import com.nimbusds.openid.connect.provider.spi.grants.AccessTokenSpec;
import com.nimbusds.openid.connect.provider.spi.grants.ClaimsSpec;
import com.nimbusds.openid.connect.provider.spi.grants.IDTokenSpec;
import com.nimbusds.openid.connect.provider.spi.grants.SelfIssuedAssertionAuthorization;
import com.nimbusds.openid.connect.provider.spi.grants.SelfIssuedJWTGrantHandler;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.io.InputStream;
import java.util.HashSet;
import java.util.Properties;

/* loaded from: input_file:com/nimbusds/openid/connect/provider/spi/grants/jwt/selfissued/handler/SimpleSelfIssuedJWTGrantHandler.class */
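/**
 * Grant handler for self-issued JWT bearer assertions (grant type
 * {@code GrantType.JWT_BEARER}).
 *
 * <p>The handler is configured from the properties file at
 * {@link #CONFIG_FILE_PATH}. For each grant it authorises an access token
 * (never an ID token) whose scope is bounded by the scope values registered
 * for the requesting client.
 *
 * <p>NOTE(review): this class does not itself verify the assertion (signature,
 * issuer, audience, expiration). It presumably relies on the caller having
 * done so before {@link #processSelfIssuedGrant} is invoked; confirm against
 * the SPI contract.
 */
public class SimpleSelfIssuedJWTGrantHandler implements SelfIssuedJWTGrantHandler {
    /** Location of the handler configuration, resolved through the {@link InitContext}. */
    public static final String CONFIG_FILE_PATH = "/WEB-INF/selfIssuedJWTBearerHandler.properties";

    /** Set by {@link #init}; {@code null} until then. */
    private Configuration config;

    /** Set by {@link #init} only when the handler is enabled; {@code null} otherwise. */
    private ClientMetadataFilter clientMetadataFilter;

    /**
     * Reads the handler configuration from {@link #CONFIG_FILE_PATH}.
     *
     * <p>A missing file is not treated as an error: the configuration is then
     * built from empty properties, so whatever defaults {@code Configuration}
     * applies take effect (not visible in this class).
     *
     * @param initContext the context used to locate the properties file
     * @return the parsed configuration
     * @throws Exception if the file cannot be read or the configuration is rejected
     */
    private static Configuration loadConfiguration(InitContext initContext) throws Exception {
        Properties properties = new Properties();
        // try-with-resources closes the stream on every path; a null resource is skipped silently.
        try (InputStream in = initContext.getResourceAsStream(CONFIG_FILE_PATH)) {
            if (in != null) {
                properties.load(in);
            }
        }
        return new Configuration(properties);
    }

    /**
     * Loads and logs the configuration and, if the handler is enabled, prepares
     * the client metadata filter.
     *
     * @param initContext the initialisation context
     * @throws Exception if the configuration cannot be loaded
     */
    public void init(InitContext initContext) throws Exception {
        Loggers.MAIN.info("[SJH0000] Initializing self-issued JWT bearer grant handler...");
        this.config = loadConfiguration(initContext);
        this.config.log();
        if (this.config.enable) {
            this.clientMetadataFilter = new ClientMetadataFilter(this.config.accessToken.includeClientMetadataFields);
        }
    }

    /**
     * Returns the loaded configuration.
     *
     * @return the configuration, or {@code null} if {@link #init} has not run
     */
    public Configuration getConfiguration() {
        return this.config;
    }

    /**
     * Returns the grant type served by this handler.
     *
     * @return {@code GrantType.JWT_BEARER}
     */
    public GrantType getGrantType() {
        return GrantType.JWT_BEARER;
    }

    /**
     * Reports whether the handler is enabled in its configuration.
     * Must only be called after {@link #init}.
     *
     * @return the {@code enable} setting of the configuration
     */
    public boolean isEnabled() {
        return this.config.enable;
    }

    /**
     * Authorises a self-issued JWT bearer grant.
     *
     * <p>The granted scope is the intersection of the requested and the
     * registered scope values. A request without a scope is granted every
     * scope value registered for the client.
     *
     * <p>NOTE(review): the token subject is taken verbatim from the assertion's
     * {@code sub} claim; this method does not bind it to {@code clientID} or
     * restrict it in any other way. Confirm that letting a registered client
     * name the subject is intended for the deployment, since the OpenID claims
     * resolved from the scope are authorised for that subject.
     *
     * @param jWTClaimsSet       the claims of the JWT assertion
     * @param scope              the requested scope, {@code null} or empty if none; not modified
     * @param clientID           the requesting client, used for logging only
     * @param oIDCClientMetadata the registered metadata of the requesting client
     * @return the authorisation for the grant
     * @throws GeneralException with {@code unsupported_grant_type} if the handler
     *                          is disabled or uninitialised, {@code invalid_scope}
     *                          if no scope value can be granted, or
     *                          {@code invalid_grant} if the assertion has no subject
     */
    public SelfIssuedAssertionAuthorization processSelfIssuedGrant(JWTClaimsSet jWTClaimsSet, Scope scope, ClientID clientID, OIDCClientMetadata oIDCClientMetadata) throws GeneralException {
        Loggers.TOKEN_ENDPOINT.debug("[SJH0002] Self-issued JWT bearer grant handler: Received request from client_id={} with scope={}", clientID, scope);

        // The filter only exists for an enabled, initialised handler. Refuse the
        // grant with an OAuth error rather than failing later with a NullPointerException.
        if (this.clientMetadataFilter == null) {
            throw new GeneralException("Self-issued JWT bearer grant handler is disabled", OAuth2Error.UNSUPPORTED_GRANT_TYPE);
        }

        Scope registeredScope = oIDCClientMetadata.getScope();
        if (CollectionUtils.isEmpty(registeredScope)) {
            throw new GeneralException("No registered scopes for client", OAuth2Error.INVALID_SCOPE.setDescription("No registered scopes for client"));
        }

        // Work on copies so that neither the caller's request scope nor the
        // client's registered scope is mutated or aliased by the authorisation.
        Scope grantedScope;
        if (CollectionUtils.isEmpty(scope)) {
            grantedScope = new Scope(registeredScope);
        } else {
            grantedScope = new Scope(scope);
            grantedScope.retainAll(registeredScope);
            if (grantedScope.isEmpty()) {
                throw new GeneralException("None of the requested scope values are permitted for this client", OAuth2Error.INVALID_SCOPE.setDescription("None of the requested scope values are permitted for this client"));
            }
        }

        // Reject an assertion without a usable subject with invalid_grant
        // instead of letting the Subject constructor fail with a runtime exception.
        String subjectValue = jWTClaimsSet.getSubject();
        if (subjectValue == null || subjectValue.trim().isEmpty()) {
            throw new GeneralException("Missing subject (sub) claim in JWT assertion", OAuth2Error.INVALID_GRANT.setDescription("Missing subject (sub) claim in JWT assertion"));
        }

        AccessTokenSpec accessTokenSpec = new AccessTokenSpec(
                this.config.accessToken.lifetime,
                this.config.accessToken.audienceList,
                this.config.accessToken.encoding,
                this.config.accessToken.encrypt);

        return new SelfIssuedAssertionAuthorization(
                new Subject(subjectValue),
                grantedScope,
                accessTokenSpec,
                IDTokenSpec.NONE,
                resolveOpenIDClaims(grantedScope),
                this.clientMetadataFilter.filter(oIDCClientMetadata));
    }

    /**
     * Maps the {@code email}, {@code phone}, {@code profile} and {@code address}
     * scope values to the claim names they stand for.
     *
     * @param scope the granted scope, must not be {@code null}
     * @return the claims to authorise, or {@code ClaimsSpec.NONE} if the scope
     *         contains none of the four scope values
     */
    public static ClaimsSpec resolveOpenIDClaims(Scope scope) {
        OIDCScopeValue[] claimBearingValues = {
            OIDCScopeValue.EMAIL,
            OIDCScopeValue.PHONE,
            OIDCScopeValue.PROFILE,
            OIDCScopeValue.ADDRESS
        };
        HashSet<String> claimNames = new HashSet<>();
        for (OIDCScopeValue scopeValue : claimBearingValues) {
            if (scope.contains(scopeValue)) {
                claimNames.addAll(scopeValue.getClaimNames());
            }
        }
        return claimNames.isEmpty() ? ClaimsSpec.NONE : new ClaimsSpec(claimNames);
    }

    /** Logs the shutdown; the handler holds no resources to release. */
    public void shutdown() {
        Loggers.MAIN.info("[SJH0003] Shut down self-issued JWT bearer grant handler");
    }
}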
