package org.springframework.security.oauth2.client.oidc.authentication.logout;

import java.time.Instant;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Consumer;
import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-6.5.0.jar:org/springframework/security/oauth2/client/oidc/authentication/logout/OidcLogoutToken.class */
public class OidcLogoutToken extends AbstractOAuth2Token implements LogoutTokenClaimAccessor {
    private static final long serialVersionUID = -5705409698230609696L;
    private static final String BACKCHANNEL_LOGOUT_TOKEN_EVENT_NAME = "http://schemas.openid.net/event/backchannel-logout";
    private final Map<String, Object> claims;

    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-6.5.0.jar:org/springframework/security/oauth2/client/oidc/authentication/logout/OidcLogoutToken$Builder.class */
    public static final class Builder {
        private String tokenValue;
        private final Map<String, Object> claims = new LinkedHashMap();

        private Builder(String str) {
            this.tokenValue = str;
            this.claims.put("events", Collections.singletonMap("http://schemas.openid.net/event/backchannel-logout", Collections.emptyMap()));
        }

        public Builder tokenValue(String str) {
            this.tokenValue = str;
            return this;
        }

        public Builder claim(String str, Object obj) {
            this.claims.put(str, obj);
            return this;
        }

        public Builder claims(Consumer<Map<String, Object>> consumer) {
            consumer.accept(this.claims);
            return this;
        }

        public Builder audience(Collection<String> collection) {
            return claim("aud", collection);
        }

        public Builder issuedAt(Instant instant) {
            return claim("iat", instant);
        }

        public Builder issuer(String str) {
            return claim("iss", str);
        }

        public Builder jti(String str) {
            return claim("jti", str);
        }

        public Builder subject(String str) {
            return claim("sub", str);
        }

        public Builder events(Map<String, Object> map) {
            return claim("events", map);
        }

        public Builder sessionId(String str) {
            return claim("sid", str);
        }

        public OidcLogoutToken build() {
            Assert.notNull(this.claims.get("iss"), "issuer must not be null");
            Assert.isInstanceOf((Class<?>) Collection.class, this.claims.get("aud"), "audience must be a collection");
            Assert.notEmpty((Collection<?>) this.claims.get("aud"), "audience must not be empty");
            Assert.notNull(this.claims.get("jti"), "jti must not be null");
            Assert.isTrue(hasLogoutTokenIdentifyingMember(), "logout token must contain an events claim that contains a member called 'http://schemas.openid.net/event/backchannel-logout' whose value is an empty Map");
            Assert.isNull(this.claims.get("nonce"), "logout token must not contain a nonce claim");
            return new OidcLogoutToken(this.tokenValue, toInstant(this.claims.get("iat")), this.claims);
        }

        private boolean hasLogoutTokenIdentifyingMember() {
            Object obj = this.claims.get("events");
            if (!(obj instanceof Map)) {
                return false;
            }
            Object obj2 = ((Map) obj).get("http://schemas.openid.net/event/backchannel-logout");
            if (obj2 instanceof Map) {
                return ((Map) obj2).isEmpty();
            }
            return false;
        }

        private Instant toInstant(Object obj) {
            if (obj != null) {
                Assert.isInstanceOf((Class<?>) Instant.class, obj, "timestamps must be of type Instant");
            }
            return (Instant) obj;
        }
    }

    OidcLogoutToken(String str, Instant instant, Map<String, Object> map) {
        super(str, instant, Instant.MAX);
        this.claims = Collections.unmodifiableMap(map);
        Assert.notNull(map, "claims must not be null");
    }

    @Override // org.springframework.security.oauth2.core.ClaimAccessor
    public Map<String, Object> getClaims() {
        return this.claims;
    }

    public static Builder withTokenValue(String str) {
        return new Builder(str);
    }
}
