package org.apache.cxf.rs.security.oidc.rp;

import java.util.Map;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.common.UserInfo;

/* loaded from: input_file:org/apache/cxf/rs/security/oidc/rp/UserInfoClient.class */
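/**
 * OpenID Connect relying-party client that fetches a {@link UserInfo} profile with an
 * access token and binds it to a previously obtained {@link IdToken}.
 *
 * <p>Every profile returned from this class has passed {@link #validateUserInfo}, which
 * requires the profile's subject to equal the ID token's subject. OpenID Connect Core
 * (section 5.3.2) requires that check so that a UserInfo response issued for a different
 * end user cannot be substituted for the one who authenticated.
 *
 * <p>NOTE(review): the access token is written onto the single shared {@code profileClient}
 * on every call. Whether concurrent calls with different tokens are safe depends on how the
 * injected {@link WebClient} is configured; confirm before sharing one instance across
 * requests.
 */
public class UserInfoClient extends IdTokenReader {
    // Passed to getJwtToken() when a JWT-formatted UserInfo response is parsed.
    // Presumably restricts accepted responses to encrypted (JWE) ones; confirm in IdTokenReader.
    private boolean encryptedOnly;
    // Client pointed at the provider's UserInfo endpoint; injected via setUserInfoServiceClient().
    private WebClient profileClient;

    /**
     * Fetches the profile as a plain (non-JWT) UserInfo response and validates it.
     *
     * @param clientAccessToken access token sent to the UserInfo endpoint
     * @param idToken ID token the returned profile must match
     * @return the validated profile
     * @throws SecurityException if the profile's subject does not match the ID token
     */
    public UserInfo getUserInfo(ClientAccessToken clientAccessToken, IdToken idToken) {
        return getUserInfo(clientAccessToken, idToken, false);
    }

    /**
     * Fetches the profile from the UserInfo endpoint and validates it against the ID token.
     *
     * @param clientAccessToken access token sent to the UserInfo endpoint
     * @param idToken ID token the returned profile must match
     * @param z when {@code true} the response body is read as a string and parsed as a JWT;
     *     when {@code false} it is read directly as a {@link UserInfo}
     * @return the validated profile
     * @throws SecurityException if the profile is missing or its subject does not match
     */
    public UserInfo getUserInfo(ClientAccessToken clientAccessToken, IdToken idToken, boolean z) {
        OAuthClientUtils.setAuthorizationHeader(this.profileClient, clientAccessToken);
        if (z) {
            return getUserInfoFromJwt((String) this.profileClient.get(String.class), idToken);
        }
        // Plain response: no JWT processing happens on this path, so the integrity of the
        // claims rests on the transport used by profileClient.
        UserInfo userInfo = (UserInfo) this.profileClient.get(UserInfo.class);
        validateUserInfo(userInfo, idToken);
        return userInfo;
    }

    /**
     * Parses a serialized JWT UserInfo response and validates the resulting profile.
     *
     * @param str serialized JWT returned by the UserInfo endpoint
     * @param idToken ID token the profile must match
     * @return the validated profile
     * @throws SecurityException if the profile's subject does not match the ID token
     */
    public UserInfo getUserInfoFromJwt(String str, IdToken idToken) {
        return getUserInfoFromJwt(getUserInfoJwt(str), idToken);
    }

    /**
     * Builds a profile from the claims of an already parsed JWT and validates it.
     *
     * @param jwtToken parsed UserInfo JWT
     * @param idToken ID token the profile must match
     * @return the validated profile
     * @throws SecurityException if the profile's subject does not match the ID token
     */
    public UserInfo getUserInfoFromJwt(JwtToken jwtToken, IdToken idToken) {
        UserInfo userInfo = new UserInfo((Map<String, Object>) jwtToken.getClaims().asMap());
        validateUserInfo(userInfo, idToken);
        return userInfo;
    }

    /**
     * Parses a serialized UserInfo JWT, honouring the {@code encryptedOnly} setting.
     *
     * @param str serialized JWT returned by the UserInfo endpoint
     * @return the token produced by the inherited {@code getJwtToken}
     */
    public JwtToken getUserInfoJwt(String str) {
        // Signature and decryption handling live in getJwtToken(), which is not defined in
        // this class; presumably inherited from IdTokenReader.
        return getJwtToken(str, this.encryptedOnly);
    }

    /**
     * Validates the profile's claims and binds the profile to the ID token by subject.
     *
     * <p>Fails closed: a missing profile or a missing ID token subject is rejected with the
     * same {@link SecurityException} as a mismatch, instead of surfacing as a
     * {@link NullPointerException} that a caller handling {@code SecurityException} would miss.
     *
     * @param userInfo profile returned by the UserInfo endpoint
     * @param idToken ID token whose audience and subject the profile is checked against
     * @throws SecurityException if the profile is missing or the subjects do not match
     */
    public void validateUserInfo(UserInfo userInfo, IdToken idToken) {
        // A profile that was never received cannot be bound to the ID token.
        if (userInfo == null) {
            throw new SecurityException("Missing user info");
        }
        // Third argument is passed as false, as in the original call; its meaning is defined
        // by validateJwtClaims(), which is outside this class.
        validateJwtClaims(userInfo, idToken.getAudience(), false);
        String expectedSubject = idToken.getSubject();
        // Exact match is required; an absent subject on either side counts as a mismatch.
        if (expectedSubject == null || !expectedSubject.equals(userInfo.getSubject())) {
            throw new SecurityException("Invalid subject");
        }
    }

    /**
     * Sets the flag that is passed to {@code getJwtToken} for JWT UserInfo responses.
     *
     * @param z new value of the {@code encryptedOnly} flag
     */
    public void setEncryptedOnly(boolean z) {
        this.encryptedOnly = z;
    }

    /**
     * Injects the client used to call the UserInfo endpoint.
     *
     * @param webClient client addressed at the provider's UserInfo endpoint
     */
    public void setUserInfoServiceClient(WebClient webClient) {
        this.profileClient = webClient;
    }
}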
