package com.nimbusds.oauth2.sdk.auth;

import com.nimbusds.common.contenttype.ContentType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.SerializeException;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.util.MultivaluedMapUtils;
import com.nimbusds.oauth2.sdk.util.URLUtils;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import p919.C30256;

/* loaded from: classes9.dex */
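/**
 * Base class for client authentication carried as a signed JWT in the
 * {@code client_assertion} form parameter, together with a fixed
 * {@code client_assertion_type}.
 *
 * <p>Security note: nothing in this class verifies the JWS signature. The
 * constructor only requires the JWT state to equal
 * {@link JWSObject.State#SIGNED}, and the client identifier and algorithm
 * are read from the assertion as received. Code on the receiving side must
 * verify the signature against the key material registered for the client,
 * and validate the claims, before treating the client as authenticated.
 */
public abstract class JWTAuthentication extends ClientAuthentication {
    /** The only accepted value of the {@code client_assertion_type} parameter. */
    public static final String CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    // The JWT exactly as supplied to the constructor (state SIGNED).
    private final SignedJWT clientAssertion;

    // Claims of the assertion, parsed once at construction time.
    private final JWTAuthenticationClaimsSet jwtAuthClaimsSet;

    /**
     * Creates a new JWT authentication from a signed client assertion.
     *
     * <p>The client identifier handed to the superclass is derived from the
     * assertion's claims by {@link #parseClientID(SignedJWT)}, which runs
     * before the state check below because it is an argument of
     * {@code super(...)}.
     *
     * @param clientAuthenticationMethod the authentication method passed to the superclass
     * @param signedJWT                  the client assertion; its state must equal
     *                                   {@link JWSObject.State#SIGNED}
     * @throws IllegalArgumentException if the JWT is not in the SIGNED state, if the
     *                                  subject / issuer claims are missing or differ,
     *                                  or if the claims set cannot be parsed
     */
    public JWTAuthentication(ClientAuthenticationMethod clientAuthenticationMethod, SignedJWT signedJWT) {
        super(clientAuthenticationMethod, parseClientID(signedJWT));
        // State check only: this does not prove the signature is valid.
        if (!signedJWT.getState().equals(JWSObject.State.SIGNED)) {
            throw new IllegalArgumentException("The client assertion JWT must be signed");
        }
        this.clientAssertion = signedJWT;
        try {
            this.jwtAuthClaimsSet = JWTAuthenticationClaimsSet.parse(signedJWT.getJWTClaimsSet());
        } catch (Exception e) {
            // Any parsing failure is surfaced as an argument error, with the cause kept.
            throw new IllegalArgumentException(e.getMessage(), e);
        }
    }

    /**
     * Checks that the {@code client_assertion_type} parameter is present and
     * equals {@link #CLIENT_ASSERTION_TYPE}.
     *
     * @param map the request parameters
     * @throws ParseException if the parameter is missing or has another value
     */
    public static void ensureClientAssertionType(Map<String, List<String>> map) throws ParseException {
        String assertionType = (String) MultivaluedMapUtils.getFirstValue(map, "client_assertion_type");
        if (assertionType == null) {
            throw new ParseException("Missing client_assertion_type parameter");
        }
        if (!CLIENT_ASSERTION_TYPE.equals(assertionType)) {
            // Compile-time constant concatenation: the message text is unchanged.
            throw new ParseException("Invalid client_assertion_type parameter, must be " + CLIENT_ASSERTION_TYPE);
        }
    }

    /**
     * Parses a JWT authentication from an HTTP POST request with a
     * URL-encoded entity body.
     *
     * <p>The concrete type is selected from the {@code alg} header of the
     * assertion, which at this point is unverified, sender-controlled input.
     * A server consuming the result should compare the resulting method with
     * the authentication method registered for the client and restrict the
     * accepted algorithms accordingly, rather than letting the header decide
     * which kind of key is used for verification.
     *
     * @param hTTPRequest the HTTP request
     * @return the parsed authentication, produced by {@code ClientSecretJWT.parse}
     *         or {@code PrivateKeyJWT.parse}
     * @throws ParseException if the method or content type is wrong, the body or
     *                        assertion is missing or malformed, or the algorithm is
     *                        supported by neither subtype
     */
    public static JWTAuthentication parse(HTTPRequest hTTPRequest) throws ParseException {
        hTTPRequest.ensureMethod(HTTPRequest.Method.POST);
        hTTPRequest.ensureEntityContentType(ContentType.APPLICATION_URLENCODED);
        String body = hTTPRequest.getQuery();
        if (body == null) {
            throw new ParseException("Missing HTTP POST request entity body");
        }
        Map<String, List<String>> params = URLUtils.parseParameters(body);
        // Read from the JWS header before any signature verification has taken place.
        JWSAlgorithm algorithm = parseClientAssertion(params).getHeader().getAlgorithm();
        if (ClientSecretJWT.supportedJWAs().contains(algorithm)) {
            return ClientSecretJWT.parse(params);
        }
        if (PrivateKeyJWT.supportedJWAs().contains(algorithm)) {
            return PrivateKeyJWT.parse(params);
        }
        throw new ParseException("Unsupported signed JWT algorithm: " + algorithm);
    }

    /**
     * Extracts and parses the {@code client_assertion} parameter. Parsing
     * only decodes the JWT; the signature is not checked here.
     *
     * @param map the request parameters
     * @return the parsed signed JWT
     * @throws ParseException if the parameter is missing or is not a parsable signed JWT
     */
    public static SignedJWT parseClientAssertion(Map<String, List<String>> map) throws ParseException {
        String assertion = (String) MultivaluedMapUtils.getFirstValue(map, "client_assertion");
        if (assertion == null) {
            throw new ParseException("Missing client_assertion parameter");
        }
        try {
            return SignedJWT.parse(assertion);
        } catch (java.text.ParseException e) {
            // NOTE(review): C30256.m129282 is an obfuscated helper that is not visible here;
            // presumably it appends the exception message to the builder - confirm.
            throw new ParseException(C30256.m129282(e, new StringBuilder("Invalid client_assertion JWT: ")), e);
        }
    }

    /**
     * Derives the client identifier from the assertion's {@code sub} and
     * {@code iss} claims, which must both be present and equal. The claims
     * are read as supplied; no signature verification happens in this method.
     *
     * @param signedJWT the client assertion
     * @return the client identifier built from the subject
     * @throws IllegalArgumentException if a claim is missing, the two differ, or the
     *                                  claims set cannot be parsed
     */
    private static ClientID parseClientID(SignedJWT signedJWT) {
        try {
            String subject = signedJWT.getJWTClaimsSet().getSubject();
            String issuer = signedJWT.getJWTClaimsSet().getIssuer();
            if (subject == null) {
                throw new IllegalArgumentException("Missing subject in client JWT assertion");
            }
            if (issuer == null) {
                throw new IllegalArgumentException("Missing issuer in client JWT assertion");
            }
            if (!subject.equals(issuer)) {
                throw new IllegalArgumentException("Issuer and subject in client JWT assertion must designate the same client identifier");
            }
            return new ClientID(subject);
        } catch (java.text.ParseException e) {
            throw new IllegalArgumentException(e.getMessage(), e);
        }
    }

    /**
     * Reads the optional {@code client_id} request parameter. This value comes
     * from the request parameters, not from the assertion, and nothing in this
     * method checks it against the assertion's claims.
     *
     * @param map the request parameters
     * @return the client identifier, or {@code null} if the parameter is absent
     */
    public static ClientID parseClientID(Map<String, List<String>> map) {
        String clientId = (String) MultivaluedMapUtils.getFirstValue(map, "client_id");
        return clientId == null ? null : new ClientID(clientId);
    }

    /**
     * Adds the {@code client_assertion} and {@code client_assertion_type}
     * parameters to the URL-encoded body of a POST request. Existing
     * parameters with the same names are overwritten by {@code putAll}.
     *
     * @param hTTPRequest the request to modify
     * @throws SerializeException if the request is not a POST, has no Content-Type,
     *                            or the Content-Type is not URL-encoded form data
     */
    @Override
    public void applyTo(HTTPRequest hTTPRequest) {
        if (hTTPRequest.getMethod() != HTTPRequest.Method.POST) {
            throw new SerializeException("The HTTP request method must be POST");
        }
        ContentType actual = hTTPRequest.getEntityContentType();
        if (actual == null) {
            throw new SerializeException("Missing HTTP Content-Type header");
        }
        ContentType expected = ContentType.APPLICATION_URLENCODED;
        if (!actual.matches(expected)) {
            throw new SerializeException("The HTTP Content-Type header must be " + expected);
        }
        Map<String, List<String>> params = hTTPRequest.getQueryParameters();
        params.putAll(toParameters());
        hTTPRequest.setQuery(URLUtils.serializeParameters(params));
    }

    /**
     * Returns the client assertion JWT supplied at construction.
     *
     * @return the signed JWT
     */
    public SignedJWT getClientAssertion() {
        return this.clientAssertion;
    }

    /**
     * Returns the claims set parsed from the client assertion at construction.
     *
     * @return the JWT authentication claims set
     */
    public JWTAuthenticationClaimsSet getJWTAuthenticationClaimsSet() {
        return this.jwtAuthClaimsSet;
    }

    /**
     * Builds the two form parameters that carry this authentication:
     * {@code client_assertion} (the serialized JWT) and
     * {@code client_assertion_type}.
     *
     * @return a new mutable map with the two parameters
     * @throws SerializeException if the JWT cannot be serialized
     */
    public Map<String, List<String>> toParameters() {
        // Typed map instead of a raw HashMap, so the element types are checked.
        Map<String, List<String>> params = new HashMap<>();
        try {
            params.put("client_assertion", Collections.singletonList(this.clientAssertion.serialize()));
        } catch (IllegalStateException e) {
            throw new SerializeException("Couldn't serialize JWT to a client assertion string: " + e.getMessage(), e);
        }
        params.put("client_assertion_type", Collections.singletonList(CLIENT_ASSERTION_TYPE));
        return params;
    }
}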
