package alpine.auth;

import alpine.auth.AlpineAuthenticationException;
import alpine.cache.CacheManager;
import alpine.logging.Logger;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import java.io.IOException;
import java.text.ParseException;

/* loaded from: input_file:alpine/auth/OidcIdTokenAuthenticator.class */
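/**
 * Validates an OpenID Connect ID token against the configured issuer, the
 * client ID and the JWK set fetched from the configured JWKS URI, and hands
 * the validated claims to an {@link OidcProfileCreator}.
 *
 * <p>This listing is decompiler output: JADX reports that the constructor and
 * {@link #authenticate} were package-private in the original class.
 */
class OidcIdTokenAuthenticator {
    private static final Logger LOGGER = Logger.getLogger(OidcIdTokenAuthenticator.class);

    /** Key under which the fetched JWK set is stored in the {@link CacheManager}. */
    static final String JWK_SET_CACHE_KEY = "OIDC_JWK_SET";

    private final OidcConfiguration configuration;
    private final String clientId;

    /**
     * @param oidcConfiguration source of the issuer and JWKS URI used for validation
     * @param str               the client ID the ID token must have been issued for
     */
    public OidcIdTokenAuthenticator(OidcConfiguration oidcConfiguration, String str) {
        this.configuration = oidcConfiguration;
        this.clientId = str;
    }

    /**
     * Parses and validates a serialized ID token and builds a profile from its claims.
     *
     * @param str                 the serialized (compact) ID token as received from the caller
     * @param oidcProfileCreator  turns the validated claims into an {@link OidcProfile}
     * @return the profile created from the validated claims
     * @throws AlpineAuthenticationException with {@code INVALID_CREDENTIALS} when the token is
     *         missing, unparseable, uses a symmetric algorithm or fails validation, and with
     *         {@code OTHER} when the JWK set cannot be resolved
     */
    public OidcProfile authenticate(String str, OidcProfileCreator oidcProfileCreator) throws AlpineAuthenticationException {
        // A missing token is an authentication failure, not a programming error:
        // report it through the same exception type as every other rejected token.
        if (str == null) {
            LOGGER.error("Parsing ID token failed: no token supplied");
            throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.INVALID_CREDENTIALS);
        }

        final SignedJWT idToken;
        try {
            idToken = SignedJWT.parse(str);
        } catch (ParseException e) {
            LOGGER.error("Parsing ID token failed", e);
            throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.INVALID_CREDENTIALS);
        }

        // The expected algorithm is read from the token's own header, i.e. the party
        // presenting the token chooses how it is verified. The only key material used
        // here is a JWK set fetched from a URL, so an HMAC algorithm can never be a
        // legitimate choice; reject it explicitly instead of relying on key selection
        // inside the validator.
        // NOTE(review): prefer pinning the accepted algorithm(s) from configuration or
        // provider metadata rather than deriving them from the token.
        final JWSAlgorithm headerAlgorithm = idToken.getHeader().getAlgorithm();
        if (JWSAlgorithm.Family.HMAC_SHA.contains(headerAlgorithm)) {
            LOGGER.error("ID token validation failed: symmetric algorithm " + headerAlgorithm + " is not accepted");
            throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.INVALID_CREDENTIALS);
        }

        final IDTokenValidator validator;
        try {
            validator = new IDTokenValidator(
                    new Issuer(this.configuration.getIssuer()),
                    new ClientID(this.clientId),
                    headerAlgorithm,
                    resolveJwkSet());
        } catch (IOException | ParseException e) {
            // Failure to obtain keys is an infrastructure problem, not a bad credential.
            LOGGER.error("Resolving JWK set failed", e);
            throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.OTHER);
        }

        try {
            // No nonce is passed, so this call does not bind the token to a specific
            // authentication request.
            // NOTE(review): confirm replay protection is provided elsewhere.
            final IDTokenClaimsSet claims = validator.validate(idToken, (Nonce) null);
            // NOTE(review): this writes the full claims set (may include personal data)
            // to the debug log; make sure debug logs are access-controlled.
            LOGGER.debug("ID token claims: " + claims.toJSONString());
            return oidcProfileCreator.create(claims);
        } catch (BadJOSEException | JOSEException e) {
            LOGGER.error("ID token validation failed", e);
            throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.INVALID_CREDENTIALS);
        }
    }

    /**
     * Returns the JWK set used to verify ID token signatures, from the cache when
     * present, otherwise by loading it from the configured JWKS URI and caching it.
     *
     * @return the cached or freshly loaded JWK set
     * @throws IOException    if the JWK set cannot be retrieved
     * @throws ParseException if the retrieved document is not a valid JWK set
     */
    JWKSet resolveJwkSet() throws IOException, ParseException {
        JWKSet cached = (JWKSet) CacheManager.getInstance().get(JWKSet.class, JWK_SET_CACHE_KEY);
        if (cached != null) {
            LOGGER.debug("JWK set loaded from cache");
            return cached;
        }

        // NOTE(review): nothing in this class checks the URI scheme; confirm the
        // JWKS URI is restricted to https where the configuration is loaded, since
        // these keys decide which tokens are trusted.
        LOGGER.debug("Fetching JWK set from " + this.configuration.getJwksUri());
        // NOTE(review): this overload passes no connect/read timeout or size limit;
        // presumably a slow or oversized response can stall authentication — consider
        // the JWKSet.load overload that takes explicit limits.
        JWKSet fetched = JWKSet.load(this.configuration.getJwksUri().toURL());

        // NOTE(review): no expiry or refresh on an unknown key ID is visible here;
        // confirm how CacheManager evicts entries so rotated signing keys are picked up.
        LOGGER.debug("Storing JWK set in cache");
        CacheManager.getInstance().put(JWK_SET_CACHE_KEY, fetched);
        return fetched;
    }
}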
