package io.personium.plugin.auth.oidc;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.security.SignatureException;
import io.personium.plugin.base.PluginLog;
import io.personium.plugin.base.auth.AuthPlugin;
import io.personium.plugin.base.auth.AuthPluginException;
import io.personium.plugin.base.auth.AuthenticatedIdentity;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:io/personium/plugin/auth/oidc/OIDCAuthPluginBase.class */
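public abstract class OIDCAuthPluginBase implements AuthPlugin {
    public static final String PLUGIN_TOSTRING = "Generic OpenID Connect Authentication";
    public static final String KEY_TOKEN = "id_token";
    // Set once in the constructor; it owns issuer discovery and ID-token parsing/verification.
    private final OIDCTokenHandler tokenHandler;

    /**
     * Creates the plugin and builds the token handler from the provider's OpenID Connect
     * configuration document.
     * (Decompiler note: the original access modifier was {@code protected}; kept {@code public}
     * so the visible interface is unchanged.)
     *
     * @param str URL of the provider's OpenID Connect configuration document
     * @throws AuthPluginException if the token handler cannot be created from that URL
     */
    public OIDCAuthPluginBase(String str) throws AuthPluginException {
        this.tokenHandler = OIDCTokenHandler.createFromOIDCConfigurationURL(str);
    }

    /** @return the fixed human-readable plugin description {@link #PLUGIN_TOSTRING}. */
    @Override
    public String toString() {
        return PLUGIN_TOSTRING;
    }

    /** @return the plugin type identifier, always {@code "auth"}. */
    public String getType() {
        return "auth";
    }

    /**
     * Converts the verified claims of an ID token into the identity to return to the caller.
     *
     * @param claims claims of an ID token whose signature, issuer and audience have been accepted
     * @return the authenticated identity derived from {@code claims}
     */
    protected abstract AuthenticatedIdentity parseClaimsToAuthenticatedIdentity(Claims claims);

    /**
     * Decides whether the audience / client id carried by the claims is one this plugin trusts.
     *
     * @param claims claims of an ID token whose signature and issuer have been accepted
     * @return {@code true} when the token was issued for a trusted client
     */
    protected abstract boolean isProviderClientIdTrusted(Claims claims);

    /**
     * Authenticates a request carrying an OpenID Connect ID token in the {@value #KEY_TOKEN}
     * body parameter.
     * <p>
     * Order of checks: parameter presence, token parsing (signature/expiry handled by the token
     * handler), issuer match, then audience via {@link #isProviderClientIdTrusted(Claims)}.
     *
     * @param map request body parameters; may be {@code null}
     * @return the identity derived from the accepted token
     * @throws AuthPluginException {@code REQUIRED_PARAM_MISSING} when the body or token is absent or
     *         empty, {@code EXPIRED_ID_TOKEN} / {@code INVALID_ID_TOKEN} when the token cannot be
     *         parsed or verified, {@code AUTHN_FAILED} on issuer mismatch, {@code WRONG_AUDIENCE}
     *         when the audience is not trusted
     */
    public AuthenticatedIdentity authenticate(Map<String, List<String>> map) throws AuthPluginException {
        if (map == null) {
            // The original built this exception but never threw it, so a null body fell
            // through to map.get() and escaped as a raw NullPointerException.
            throw OidcPluginException.REQUIRED_PARAM_MISSING.create("Body");
        }
        List<String> tokenValues = map.get(KEY_TOKEN);
        // An empty list would make get(0) throw IndexOutOfBoundsException; treat it as "missing".
        if (tokenValues == null || tokenValues.isEmpty() || StringUtils.isEmpty(tokenValues.get(0))) {
            throw OidcPluginException.REQUIRED_PARAM_MISSING.create(KEY_TOKEN);
        }
        String idToken = tokenValues.get(0);

        Claims claims;
        try {
            claims = this.tokenHandler.parseIdToken(idToken);
        } catch (ExpiredJwtException e) {
            // exp is present whenever the parser reports expiry, so getExpiration() is non-null here.
            throw OidcPluginException.EXPIRED_ID_TOKEN.create(Long.valueOf(e.getClaims().getExpiration().getTime()));
        } catch (MalformedJwtException | IllegalArgumentException e) {
            throw OidcPluginException.INVALID_ID_TOKEN.create("malformed jwt token is passed");
        } catch (SignatureException e) {
            throw OidcPluginException.INVALID_ID_TOKEN.create("ID Token sig value is invalid");
        } catch (Exception e) {
            // NOTE(review): this echoes the parser's message back to the caller; confirm whether a
            // fixed message plus a server-side log entry is preferable.
            throw OidcPluginException.INVALID_ID_TOKEN.create(e.getMessage());
        }

        // Claim validation deliberately sits outside the try above: in the original the
        // AUTHN_FAILED / WRONG_AUDIENCE exceptions were raised inside it and then caught by
        // catch (Exception), which re-labelled them as INVALID_ID_TOKEN.
        String issuer = claims.getIssuer();
        if (issuer == null || !issuer.equals(this.tokenHandler.getIssuer())) {
            PluginLog.OIDC.INVALID_ISSUER.params(new Object[]{issuer}).writeLog();
            throw OidcPluginException.AUTHN_FAILED.create();
        }
        if (!isProviderClientIdTrusted(claims)) {
            throw OidcPluginException.WRONG_AUDIENCE.create(claims.getAudience());
        }
        return parseClaimsToAuthenticatedIdentity(claims);
    }
}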
