package org.springframework.security.oauth2.server.authorization.authentication;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-authorization-server-1.3.2.jar:org/springframework/security/oauth2/server/authorization/authentication/JwtClientAssertionAuthenticationProvider.class */
/**
 * {@link AuthenticationProvider} for client authentication at the token endpoint using a
 * JWT client assertion (client assertion type
 * {@code urn:ietf:params:oauth:client-assertion-type:jwt-bearer}).
 *
 * <p>The provider abstains (returns {@code null}) for any other client authentication
 * method so that other providers in the chain can handle the request. Every failure on
 * the path it does handle is reported as an {@code invalid_client} error whose
 * description names the offending parameter.
 *
 * <p>The provider itself performs no validation of the assertion's signature or claims:
 * that is delegated entirely to the {@link org.springframework.security.oauth2.jwt.JwtDecoder}
 * obtained from the configured {@link JwtDecoderFactory} for the resolved
 * {@link RegisteredClient}. Replacing the factory via {@link #setJwtDecoderFactory}
 * therefore replaces that validation as well.
 */
public final class JwtClientAssertionAuthenticationProvider implements AuthenticationProvider {
    /** {@code error_uri} attached to every {@code invalid_client} error raised here. */
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1";

    /** The only client authentication method this provider handles. */
    private static final ClientAuthenticationMethod JWT_CLIENT_ASSERTION_AUTHENTICATION_METHOD =
            new ClientAuthenticationMethod("urn:ietf:params:oauth:client-assertion-type:jwt-bearer");

    private final Log logger = LogFactory.getLog(getClass());
    private final RegisteredClientRepository registeredClientRepository;
    private final CodeVerifierAuthenticator codeVerifierAuthenticator;
    // Mutable: replaceable through setJwtDecoderFactory(); defaults to JwtClientAssertionDecoderFactory.
    private JwtDecoderFactory<RegisteredClient> jwtDecoderFactory;

    /**
     * Creates a provider backed by the given repository and authorization service.
     *
     * @param registeredClientRepository used to resolve the asserting client by {@code client_id}
     * @param oAuth2AuthorizationService handed to the {@link CodeVerifierAuthenticator} that
     *        runs after the assertion has been decoded
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public JwtClientAssertionAuthenticationProvider(RegisteredClientRepository registeredClientRepository,
            OAuth2AuthorizationService oAuth2AuthorizationService) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        this.registeredClientRepository = registeredClientRepository;
        this.codeVerifierAuthenticator = new CodeVerifierAuthenticator(oAuth2AuthorizationService);
        this.jwtDecoderFactory = new JwtClientAssertionDecoderFactory();
    }

    /**
     * Authenticates a client presenting a JWT client assertion.
     *
     * <p>Order of checks: the registered client must exist, must be configured for
     * {@code private_key_jwt} or {@code client_secret_jwt}, must have supplied credentials,
     * and the assertion must decode successfully with the client-specific decoder. The
     * code-verifier step (presumably the PKCE check, per the helper's name — confirm against
     * {@code CodeVerifierAuthenticator}) runs only after the assertion has been accepted.
     *
     * @param authentication an {@link OAuth2ClientAuthenticationToken}; callers are expected
     *        to have checked {@link #supports(Class)} first
     * @return an authenticated {@link OAuth2ClientAuthenticationToken} carrying the decoded
     *         {@link Jwt} as credentials, or {@code null} if the token's authentication
     *         method is not the JWT client assertion method
     * @throws OAuth2AuthenticationException with error code {@code invalid_client} when any
     *         check fails
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2ClientAuthenticationToken clientAuthentication = (OAuth2ClientAuthenticationToken) authentication;
        if (!JWT_CLIENT_ASSERTION_AUTHENTICATION_METHOD.equals(clientAuthentication.getClientAuthenticationMethod())) {
            // Not a JWT client assertion: abstain so another provider can try.
            return null;
        }

        String clientId = clientAuthentication.getPrincipal().toString();
        RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
        if (registeredClient == null) {
            throw invalidClient("client_id", null);
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Retrieved registered client");
        }

        boolean jwtMethodRegistered = supportsJwtAuthentication(registeredClient);
        if (!jwtMethodRegistered) {
            // The client exists but is not allowed to authenticate with a JWT assertion.
            throw invalidClient("authentication_method", null);
        }

        Object credentials = clientAuthentication.getCredentials();
        if (credentials == null) {
            throw invalidClient("credentials", null);
        }

        // The decoder is client-specific (keys / secret come from the RegisteredClient); any
        // decoding or validation failure is reported uniformly as invalid_client.
        Jwt clientAssertion;
        try {
            clientAssertion = this.jwtDecoderFactory.createDecoder(registeredClient).decode(credentials.toString());
        } catch (JwtException ex) {
            throw invalidClient(OAuth2ParameterNames.CLIENT_ASSERTION, ex);
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Validated client authentication parameters");
        }

        this.codeVerifierAuthenticator.authenticateIfAvailable(clientAuthentication, registeredClient);

        // A configured SignatureAlgorithm means an asymmetric key was used (private_key_jwt);
        // otherwise the assertion was HMAC-signed with the client secret (client_secret_jwt).
        ClientAuthenticationMethod authenticatedMethod;
        if (registeredClient.getClientSettings().getTokenEndpointAuthenticationSigningAlgorithm() instanceof SignatureAlgorithm) {
            authenticatedMethod = ClientAuthenticationMethod.PRIVATE_KEY_JWT;
        } else {
            authenticatedMethod = ClientAuthenticationMethod.CLIENT_SECRET_JWT;
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Authenticated client assertion");
        }
        return new OAuth2ClientAuthenticationToken(registeredClient, authenticatedMethod, clientAssertion);
    }

    /**
     * Reports whether this provider can handle tokens of the given type.
     *
     * @param cls the {@link Authentication} class being offered
     * @return {@code true} for {@link OAuth2ClientAuthenticationToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2ClientAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Replaces the factory used to obtain a per-client {@code JwtDecoder}.
     *
     * <p>NOTE(review): the provider does no assertion validation of its own, so the decoder a
     * custom factory returns is solely responsible for signature and claim checks; a decoder
     * that only parses the assertion would silently weaken client authentication.
     *
     * @param jwtDecoderFactory the replacement factory
     * @throws IllegalArgumentException if {@code jwtDecoderFactory} is {@code null}
     */
    public void setJwtDecoderFactory(JwtDecoderFactory<RegisteredClient> jwtDecoderFactory) {
        Assert.notNull(jwtDecoderFactory, "jwtDecoderFactory cannot be null");
        this.jwtDecoderFactory = jwtDecoderFactory;
    }

    /** Whether the client is registered for at least one of the two JWT-assertion methods. */
    private static boolean supportsJwtAuthentication(RegisteredClient registeredClient) {
        var methods = registeredClient.getClientAuthenticationMethods();
        return methods.contains(ClientAuthenticationMethod.PRIVATE_KEY_JWT)
                || methods.contains(ClientAuthenticationMethod.CLIENT_SECRET_JWT);
    }

    /**
     * Builds the {@code invalid_client} exception thrown for every failure in this provider.
     *
     * @param parameterName the request parameter the failure is attributed to; it becomes part
     *        of the error description
     * @param cause the underlying exception, or {@code null}
     * @return the exception to throw (returned rather than thrown so call sites read as
     *         {@code throw invalidClient(...)} and the compiler sees the control flow)
     */
    private static OAuth2AuthenticationException invalidClient(String parameterName, Throwable cause) {
        OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT,
                "Client authentication failed: " + parameterName, ERROR_URI);
        return new OAuth2AuthenticationException(error, error.toString(), cause);
    }
}
