package org.apache.cxf.rs.security.oauth2.grants.jwt;

import jakarta.ws.rs.core.MultivaluedMap;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;

/* loaded from: input_file:lib/cxf-shade-9.0.0.jar:org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerGrantHandler.class */
public class JwtBearerGrantHandler extends AbstractJwtHandler {
    private static final String ENCODED_JWT_BEARER_GRANT = HttpUtils.urlEncode(Constants.JWT_BEARER_GRANT, StandardCharsets.UTF_8.name());

    public JwtBearerGrantHandler() {
        super(Arrays.asList(Constants.JWT_BEARER_GRANT, ENCODED_JWT_BEARER_GRANT));
    }

    @Override // org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler
    public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> multivaluedMap) throws OAuthServiceException {
        String first = multivaluedMap.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM);
        if (first == null) {
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }
        try {
            JwsJwtCompactConsumer jwsReader = getJwsReader(first);
            JwtToken jwtToken = jwsReader.getJwtToken();
            validateSignature(new JwsHeaders(jwtToken.getJwsHeaders()), jwsReader.getUnsignedEncodedSequence(), jwsReader.getDecodedSignature());
            validateClaims(client, jwtToken.getClaims());
            return doCreateAccessToken(client, new UserSubject(jwtToken.getClaims().getSubject()), Constants.JWT_BEARER_GRANT, OAuthUtils.parseScope(multivaluedMap.getFirst("scope")));
        } catch (OAuthServiceException e) {
            throw e;
        } catch (Exception e2) {
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, e2);
        }
    }

    protected JwsJwtCompactConsumer getJwsReader(String str) {
        return new JwsJwtCompactConsumer(str);
    }
}
