package org.apereo.cas.oidc.authn;

import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.authenticator.OAuth20AccessTokenAuthenticator;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.ticket.OAuth20TokenSigningAndEncryptionService;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.token.JwtBuilder;
import org.apereo.cas.util.LoggingUtils;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.TokenCredentials;
import org.pac4j.core.profile.CommonProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/authn/OidcAccessTokenAuthenticator.class */
/**
 * Access-token authenticator for OIDC. After the parent class builds the user profile,
 * this class decodes the ID token attached to the access token, if any, and copies the
 * token's subject and claims onto that profile.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The profile id and attributes end up sourced from the decoded ID token, so their
 *       trustworthiness rests entirely on what
 *       {@link OAuth20TokenSigningAndEncryptionService#decode} checks. Its implementation is
 *       not visible here; presumably it verifies the signature. Confirm before relying on it.</li>
 *   <li>Any failure while building or enriching the profile is logged and turned into a
 *       {@code null} profile; no partially populated profile is returned.</li>
 * </ul>
 */
public class OidcAccessTokenAuthenticator extends OAuth20AccessTokenAuthenticator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) OidcAccessTokenAuthenticator.class);

    /** Decodes the ID token carried by an access token. */
    private final OAuth20TokenSigningAndEncryptionService idTokenSigningAndEncryptionService;

    /** Used to look up the registered OAuth service for the access token's client id. */
    private final ServicesManager servicesManager;

    /**
     * Creates the authenticator.
     *
     * @param ticketRegistry passed through to the parent authenticator
     * @param oAuth20TokenSigningAndEncryptionService service used to decode ID tokens
     * @param servicesManager registry used to resolve the service by client id
     * @param jwtBuilder passed through to the parent authenticator
     */
    public OidcAccessTokenAuthenticator(TicketRegistry ticketRegistry, OAuth20TokenSigningAndEncryptionService oAuth20TokenSigningAndEncryptionService, ServicesManager servicesManager, JwtBuilder jwtBuilder) {
        super(ticketRegistry, jwtBuilder);
        this.servicesManager = servicesManager;
        this.idTokenSigningAndEncryptionService = oAuth20TokenSigningAndEncryptionService;
    }

    /**
     * Builds the profile through the parent class, then enriches it from the ID token.
     *
     * <p>The decompiler reports that the access modifier was changed from {@code protected}.
     *
     * @param tokenCredentials credentials presented by the caller
     * @param webContext current web context
     * @param oAuth20AccessToken access token the profile is built for
     * @return the enriched profile, or {@code null} when building or ID token processing
     *         throws. NOTE(review): presumably a {@code null} profile is treated as a failed
     *         authentication by the caller; confirm in the parent class.
     */
    @Override // org.apereo.cas.support.oauth.authenticator.OAuth20AccessTokenAuthenticator
    public CommonProfile buildUserProfile(TokenCredentials tokenCredentials, WebContext webContext, OAuth20AccessToken oAuth20AccessToken) {
        CommonProfile profile;
        try {
            profile = super.buildUserProfile(tokenCredentials, webContext, oAuth20AccessToken);
            validateIdTokenIfAny(oAuth20AccessToken, profile);
        } catch (Exception e) {
            // Fail closed: the error is logged and the caller receives no profile at all.
            LoggingUtils.error(LOGGER, e);
            profile = null;
        }
        return profile;
    }

    /**
     * Decodes the access token's ID token, when one is present, and applies its subject and
     * claims to the given profile. Does nothing when the ID token is blank.
     *
     * @param oAuth20AccessToken access token that may carry an ID token
     * @param commonProfile profile whose id and attributes are updated in place
     * @throws MalformedClaimException if the subject claim cannot be read
     */
    protected void validateIdTokenIfAny(OAuth20AccessToken oAuth20AccessToken, CommonProfile commonProfile) throws MalformedClaimException {
        String idToken = oAuth20AccessToken.getIdToken();
        if (StringUtils.isBlank(idToken)) {
            return;
        }
        // The service lookup may yield null, which is passed on as an empty Optional.
        // How decode() behaves without a resolved service is not visible in this class.
        JwtClaims claims = this.idTokenSigningAndEncryptionService.decode(
                idToken,
                Optional.ofNullable(OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, oAuth20AccessToken.getClientId())));
        // The token's subject replaces the profile id; every claim is added as an attribute.
        commonProfile.setId(claims.getSubject());
        commonProfile.addAttributes(claims.getClaimsMap());
    }
}
