package io.camunda.authentication.config;

import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;

/* loaded from: input_file:io/camunda/authentication/config/AudienceValidator.class */
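/**
 * Validates the {@code aud} claim of a {@link Jwt} against a fixed set of accepted audiences.
 *
 * <p>A token is accepted as soon as one of its audiences is contained in the configured set.
 * Every other token is rejected with an {@code invalid_token} error, including a token that
 * carries no audience at all.
 */
final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
    private static final Logger LOG = LoggerFactory.getLogger(AudienceValidator.class);

    // Immutable snapshot taken in the constructor; later changes to the caller's set have no effect.
    private final Set<String> validAudiences;

    /**
     * Creates a validator for the given accepted audiences.
     *
     * @param set the audiences to accept; must contain at least one entry
     * @throws IllegalArgumentException if {@code set} is empty, because a validator without any
     *     accepted audience could never accept a token
     */
    public AudienceValidator(Set<String> set) {
        if (set.isEmpty()) {
            throw new IllegalArgumentException("At least one valid audience must be provided");
        }
        this.validAudiences = Set.copyOf(set);
    }

    /**
     * Checks whether the token names at least one accepted audience.
     *
     * @param jwt the decoded token to check
     * @return a successful result when any audience of the token is in the configured set,
     *     otherwise a failure carrying an {@code invalid_token} error
     */
    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        final List<String> audience = jwt.getAudience();
        // A token without an "aud" claim yields no list here; treat it as a plain mismatch so
        // the caller gets a validation failure instead of a NullPointerException.
        if (audience != null) {
            for (final String candidate : audience) {
                // Sets created by Set.copyOf throw on contains(null), so skip null entries.
                if (candidate != null && this.validAudiences.contains(candidate)) {
                    return OAuth2TokenValidatorResult.success();
                }
            }
        }
        LOG.debug("Rejected token with audiences '{}', expected at least one of '{}'", audience, this.validAudiences);
        // NOTE(review): the description below lists the configured audiences. If the validation
        // error is rendered back to the caller (e.g. in a WWW-Authenticate header), this tells an
        // unauthenticated client which audiences are accepted; confirm that is intended.
        return OAuth2TokenValidatorResult.failure(
                new OAuth2Error(
                        "invalid_token",
                        "Token audiences are %s, expected at least one of %s".formatted(audience, this.validAudiences),
                        null));
    }
}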
