package com.nimbusds.openid.connect.sdk.validators;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
import com.nimbusds.openid.connect.sdk.claims.CommonClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.LogoutTokenClaimsSet;
import java.text.ParseException;
import java.util.List;
import net.jcip.annotations.ThreadSafe;
import net.minidev.json.JSONObject;

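/**
 * Claims verifier for OpenID Connect back-channel logout tokens.
 *
 * <p>The checks applied by {@link #verify} are, in order:
 * <ul>
 *   <li>an {@code events} claim is present and holds a JSON object member
 *       under {@code LogoutTokenClaimsSet.EVENT_TYPE};
 *   <li>{@code iss} is present and equals the expected issuer;
 *   <li>{@code aud} is present, non-empty and contains the expected client ID;
 *   <li>{@code iat} and {@code jti} are present;
 *   <li>at least one of {@code sub} and {@code sid} is present;
 *   <li>no {@code nonce} claim is present.
 * </ul>
 *
 * <p>Scope of this class: it receives an already parsed {@link JWTClaimsSet}
 * and performs no signature or MAC validation. It only checks that
 * {@code iat} and {@code jti} exist; it does not compare {@code iat} with the
 * current time, does not look at {@code exp}, and does not remember
 * {@code jti} values. Freshness and replay protection, where required, have to
 * be enforced by the caller.
 *
 * <p>Instances hold two final references and no other state.
 */
@ThreadSafe
/* loaded from: input_file:com/nimbusds/openid/connect/sdk/validators/LogoutTokenClaimsVerifier.class */
public class LogoutTokenClaimsVerifier implements JWTClaimsSetVerifier {
    /** Issuer that the {@code iss} claim must match exactly. */
    private final Issuer expectedIssuer;

    /** Client ID that must appear among the {@code aud} values. */
    private final ClientID expectedClientID;

    /**
     * Creates a new logout token claims verifier.
     *
     * @param issuer   the expected token issuer, must not be {@code null}
     * @param clientID the client ID expected in the audience, must not be {@code null}
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public LogoutTokenClaimsVerifier(Issuer issuer, ClientID clientID) {
        if (issuer == null) {
            throw new IllegalArgumentException("The expected ID token issuer must not be null");
        }
        this.expectedIssuer = issuer;
        if (clientID == null) {
            throw new IllegalArgumentException("The client ID must not be null");
        }
        this.expectedClientID = clientID;
    }

    /**
     * Returns the issuer that the {@code iss} claim is compared against.
     *
     * @return the expected issuer, never {@code null}
     */
    public Issuer getExpectedIssuer() {
        return this.expectedIssuer;
    }

    /**
     * Returns the client ID that must be listed in the {@code aud} claim.
     *
     * @return the expected client ID, never {@code null}
     */
    public ClientID getClientID() {
        return this.expectedClientID;
    }

    /**
     * Verifies the claims of a back-channel logout token.
     *
     * @param jWTClaimsSet    the claims to check
     * @param securityContext not read by this implementation
     * @throws BadJWTException if a required claim is missing or malformed, the
     *                         issuer or audience does not match, or a
     *                         {@code nonce} claim is present
     */
    @Override // com.nimbusds.jwt.proc.JWTClaimsSetVerifier
    public void verify(JWTClaimsSet jWTClaimsSet, SecurityContext securityContext) throws BadJWTException {
        // --- events claim -------------------------------------------------
        // The try block covers only the two calls that can raise a parse
        // exception, so "Invalid JWT events" is reported for this claim alone.
        try {
            JSONObject events = jWTClaimsSet.getJSONObjectClaim(LogoutTokenClaimsSet.EVENTS_CLAIM_NAME);
            if (events == null) {
                throw new BadJWTException("Missing JWT events (events) claim");
            }
            if (JSONObjectUtils.getJSONObject(events, LogoutTokenClaimsSet.EVENT_TYPE) == null) {
                throw new BadJWTException("Invalid event type, required http://schemas.openid.net/event/backchannel-logout");
            }
        } catch (com.nimbusds.oauth2.sdk.ParseException | ParseException e) {
            // Keep the parse failure as the cause so the rejected token can be diagnosed.
            throw new BadJWTException("Invalid JWT events (events) claim", e);
        }

        // --- issuer -------------------------------------------------------
        String issuer = jWTClaimsSet.getIssuer();
        if (issuer == null) {
            throw BadJWTExceptions.MISSING_ISS_CLAIM_EXCEPTION;
        }
        if (!getExpectedIssuer().getValue().equals(issuer)) {
            // NOTE(review): the claim value is copied verbatim into the message;
            // treat the message as untrusted text if it is logged or displayed.
            throw new BadJWTException("Unexpected JWT issuer: " + issuer);
        }

        // --- audience -----------------------------------------------------
        List<String> audience = jWTClaimsSet.getAudience();
        if (audience == null || audience.isEmpty()) {
            throw BadJWTExceptions.MISSING_AUD_CLAIM_EXCEPTION;
        }
        if (!audience.contains(this.expectedClientID.getValue())) {
            // NOTE(review): same as above, the audience values come from the token.
            throw new BadJWTException("Unexpected JWT audience: " + audience);
        }

        // --- iat / jti: presence only, no freshness or uniqueness check -----
        if (jWTClaimsSet.getIssueTime() == null) {
            throw BadJWTExceptions.MISSING_IAT_CLAIM_EXCEPTION;
        }
        if (jWTClaimsSet.getJWTID() == null) {
            throw new BadJWTException("Missing JWT ID (jti) claim");
        }

        // --- sub / sid ----------------------------------------------------
        boolean sessionIdMissing;
        try {
            // sid is read only when sub is absent, as in the short-circuit original.
            sessionIdMissing = jWTClaimsSet.getSubject() == null
                    && jWTClaimsSet.getStringClaim(CommonClaimsSet.SID_CLAIM_NAME) == null;
        } catch (ParseException e) {
            throw new BadJWTException("Invalid session ID (sid) claim", e);
        }
        if (sessionIdMissing) {
            throw new BadJWTException("Missing subject (sub) and / or session ID (sid) claim(s)");
        }

        // --- nonce must be absent -----------------------------------------
        if (jWTClaimsSet.getClaim(IDTokenClaimsSet.NONCE_CLAIM_NAME) != null) {
            throw new BadJWTException("Found illegal nonce (nonce) claim");
        }
    }
}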
