package com.okta.spring.boot.oauth;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/okta/spring/boot/oauth/TokenUtil.class */
public final class TokenUtil {
    private static final Logger log = LoggerFactory.getLogger(TokenUtil.class);
    private static final OAuth2Error INVALID_AUDIENCE = new OAuth2Error("invalid_request", "This aud claim is not equal to the configured audience", "https://tools.ietf.org/html/rfc6750#section-3.1");

    private TokenUtil() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Collection<? extends GrantedAuthority> tokenScopesToAuthorities(OAuth2AccessToken oAuth2AccessToken) {
        return (oAuth2AccessToken == null || oAuth2AccessToken.getScopes() == null) ? Collections.emptySet() : (Collection) oAuth2AccessToken.getScopes().stream().map(str -> {
            return "SCOPE_" + str;
        }).map(SimpleGrantedAuthority::new).collect(Collectors.toSet());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Collection<? extends GrantedAuthority> tokenClaimsToAuthorities(Map<String, Object> map, String str) {
        if (!CollectionUtils.isEmpty(map) && StringUtils.hasText(str)) {
            Object obj = map.get(str);
            if (obj instanceof Collection) {
                return (Collection) ((Collection) obj).stream().map(SimpleGrantedAuthority::new).collect(Collectors.toSet());
            }
            if (obj != null) {
                log.debug("Could not extract authorities from claim '{}', value was not a collection", str);
            }
        }
        return Collections.emptySet();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static OAuth2TokenValidator<Jwt> jwtValidator(String str, String str2) {
        ArrayList arrayList = new ArrayList();
        arrayList.add(new JwtTimestampValidator());
        arrayList.add(new JwtIssuerValidator(str));
        arrayList.add(jwt -> {
            HashSet hashSet = new HashSet();
            hashSet.add(str2);
            return !Collections.disjoint(jwt.getAudience(), hashSet) ? OAuth2TokenValidatorResult.success() : OAuth2TokenValidatorResult.failure(new OAuth2Error[]{INVALID_AUDIENCE});
        });
        return new DelegatingOAuth2TokenValidator(arrayList);
    }
}
