package com.evolveum.midpoint.authentication.impl.filter.oidc;

import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import java.util.Collections;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.9.4-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/filter/oidc/OidcUserTokenService.class */
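/**
 * Resolves the {@link OAuth2User} for an OIDC/OAuth2 login without calling the
 * UserInfo endpoint whenever the configured user-name attribute is already
 * carried by a token the client holds.
 *
 * <p>Lookup order:
 * <ol>
 *   <li>the claims of the ID token, when the request is an {@link OidcUserRequest};</li>
 *   <li>the claims of the access token, when it is a JWT that the decoder obtained
 *       from {@link #jwtDecoderFactory} accepts;</li>
 *   <li>the UserInfo endpoint, via {@link DefaultOAuth2UserService#loadUser}.</li>
 * </ol>
 *
 * <p>Only a claim with a non-null value counts as "present"; a present-but-null
 * attribute falls through to the next source instead of failing later inside
 * {@link DefaultOAuth2User}.
 *
 * <p>NOTE(review): the access-token step trusts claims only after the decoder has
 * accepted the token. {@link OidcIdTokenDecoderFactory} is expected to verify the
 * signature and the standard claims; a decoder installed through
 * {@link #setJwtDecoderFactory} that does not verify would let a caller-supplied
 * token choose the principal — confirm before substituting one.
 */
public class OidcUserTokenService extends DefaultOAuth2UserService {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) OidcUserTokenService.class);
    private JwtDecoderFactory<ClientRegistration> jwtDecoderFactory = new OidcIdTokenDecoderFactory();
    private static final String MISSING_USER_NAME_ATTRIBUTE_ERROR_CODE = "missing_user_name_attribute";

    /**
     * Loads the user for the given request, preferring claims already present in
     * the ID token or a JWT access token over a UserInfo round-trip.
     *
     * @param oAuth2UserRequest the user request; must not be {@code null}
     * @return the resolved user, never {@code null}
     * @throws OAuth2AuthenticationException when the client registration declares
     *         no user-name attribute for its UserInfo endpoint, or when the
     *         UserInfo fallback itself fails
     */
    @Override // org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService, org.springframework.security.oauth2.client.userinfo.OAuth2UserService
    public OAuth2User loadUser(OAuth2UserRequest oAuth2UserRequest) throws OAuth2AuthenticationException {
        Assert.notNull(oAuth2UserRequest, "userRequest cannot be null");
        ClientRegistration registration = oAuth2UserRequest.getClientRegistration();
        String userNameAttributeName = registration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName();
        if (StringUtils.isEmpty(userNameAttributeName)) {
            OAuth2Error oAuth2Error = new OAuth2Error(MISSING_USER_NAME_ATTRIBUTE_ERROR_CODE, "Missing required \"user name\" attribute name in UserInfoEndpoint for Client Registration: " + registration.getRegistrationId(), null);
            throw new OAuth2AuthenticationException(oAuth2Error, oAuth2Error.toString());
        }

        // 1. ID token claims (already validated upstream as part of the OIDC login, presumably).
        if (oAuth2UserRequest instanceof OidcUserRequest) {
            Map<String, Object> idTokenClaims = ((OidcUserRequest) oAuth2UserRequest).getIdToken().getClaims();
            if (hasUserName(idTokenClaims, userNameAttributeName)) {
                return new DefaultOAuth2User(null, idTokenClaims, userNameAttributeName);
            }
        }

        // 2. Access token claims, only when the configured decoder accepts the token.
        Map<String, Object> accessTokenClaims = decodeAccessTokenClaims(oAuth2UserRequest);
        if (hasUserName(accessTokenClaims, userNameAttributeName)) {
            return new DefaultOAuth2User(null, accessTokenClaims, userNameAttributeName);
        }

        // 3. UserInfo endpoint.
        return super.loadUser(oAuth2UserRequest);
    }

    /**
     * Replaces the factory used to obtain the decoder for the access-token step.
     *
     * @param jwtDecoderFactory the factory; must not be {@code null}
     */
    public void setJwtDecoderFactory(JwtDecoderFactory<ClientRegistration> jwtDecoderFactory) {
        Assert.notNull(jwtDecoderFactory, "jwtDecoderFactory cannot be null");
        this.jwtDecoderFactory = jwtDecoderFactory;
    }

    /**
     * Decodes the request's access token as a JWT and returns its claims.
     *
     * @return the claims, or an empty map when there is no access token, the token
     *         value is empty, or the decoder rejects the token
     */
    private Map<String, Object> decodeAccessTokenClaims(OAuth2UserRequest request) {
        if (request.getAccessToken() == null) {
            return Collections.emptyMap();
        }
        String tokenValue = request.getAccessToken().getTokenValue();
        if (StringUtils.isEmpty(tokenValue)) {
            return Collections.emptyMap();
        }
        try {
            return this.jwtDecoderFactory.createDecoder(request.getClientRegistration()).decode(tokenValue).getClaims();
        } catch (JwtException e) {
            // Opaque (non-JWT) or rejected access tokens are expected; fall back to UserInfo.
            LOGGER.debug("Couldn't decode JWT from access token", (Throwable) e);
            return Collections.emptyMap();
        }
    }

    /**
     * True when {@code claims} carries a non-null value for the user-name attribute.
     * {@link DefaultOAuth2User} rejects a {@code null} attribute value with an
     * {@link IllegalArgumentException}, which would otherwise escape this service
     * un-translated, so a null value is treated as "not present here".
     */
    private static boolean hasUserName(Map<String, Object> claims, String userNameAttributeName) {
        return claims != null && claims.get(userNameAttributeName) != null;
    }
}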
