package org.springframework.security.oauth2.server.authorization.authentication;

import java.security.Principal;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Function;
import org.springframework.lang.Nullable;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AuthorizationCode;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationContext;
import org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationValidator;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.oidc.OidcClientMetadataClaimNames;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.context.ProviderContextHolder;
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.class */
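/**
 * {@link AuthenticationProvider} for the OAuth 2.0 authorization code grant: it validates an
 * authorization request (or a submitted consent) and, on success, issues an authorization code.
 *
 * <p>This listing is decompiler output. Two lambdas that the decompiler emitted with unresolved
 * receivers ({@code r0}, {@code r1}) have been restored to method references on the local
 * collections they capture, and raw collection types have been given type arguments.
 *
 * <p>Security-relevant checks performed here, in order, for an authorization request:
 * client lookup, {@code redirect_uri} validation, grant-type authorization, scope validation,
 * PKCE parameter validation, and the end-user authentication check.
 *
 * <p>NOTE(review): the {@code "client_id"} and {@code "scope"} parameter names are taken from
 * {@link OidcClientMetadataClaimNames}; that looks like a decompiler constant substitution
 * rather than the author's choice of holder class.
 */
public final class OAuth2AuthorizationCodeRequestAuthenticationProvider implements AuthenticationProvider {
    /** Error URI attached to authorization-endpoint errors (RFC 6749, section 4.1.2.1). */
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1";
    /** Error URI attached to PKCE parameter errors (RFC 7636, section 4.4.1). */
    private static final String PKCE_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1";
    /** Token type used to look up a pending authorization by its consent {@code state} value. */
    private static final OAuth2TokenType STATE_TOKEN_TYPE = new OAuth2TokenType("state");
    /** Generates the server-side {@code state} that ties a consent submission to its stored authorization. */
    private static final StringKeyGenerator DEFAULT_STATE_GENERATOR = new Base64StringKeyGenerator(Base64.getUrlEncoder());
    /** Built-in validators, keyed by the parameter name they validate. */
    private static final Function<String, OAuth2AuthenticationValidator> DEFAULT_AUTHENTICATION_VALIDATOR_RESOLVER = createDefaultAuthenticationValidatorResolver();
    private final RegisteredClientRepository registeredClientRepository;
    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2AuthorizationConsentService authorizationConsentService;
    private OAuth2TokenGenerator<OAuth2AuthorizationCode> authorizationCodeGenerator = new OAuth2AuthorizationCodeGenerator();
    private Function<String, OAuth2AuthenticationValidator> authenticationValidatorResolver = DEFAULT_AUTHENTICATION_VALIDATOR_RESOLVER;
    // Optional hook; stays null unless setAuthorizationConsentCustomizer is called.
    private Consumer<OAuth2AuthorizationConsentAuthenticationContext> authorizationConsentCustomizer;

    /**
     * Default validator for the {@code redirect_uri} parameter.
     *
     * <p>The decompiler reports that the access modifier of this class was changed from
     * {@code private}; the constructor is still private, so only the enclosing class creates it.
     */
    public static class DefaultRedirectUriOAuth2AuthenticationValidator implements OAuth2AuthenticationValidator {
        private DefaultRedirectUriOAuth2AuthenticationValidator() {
        }

        /**
         * Rejects the request with {@code invalid_request} unless the redirect URI is acceptable.
         *
         * <p>A supplied {@code redirect_uri} must pass {@code isValidRedirectUri}. An omitted one
         * is tolerated only when the request does not ask for the {@code openid} scope and the
         * client has exactly one registered redirect URI, so the target is unambiguous.
         *
         * @param oAuth2AuthenticationContext holds the request token and the {@link RegisteredClient}
         */
        @Override // org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationValidator
        public void validate(OAuth2AuthenticationContext oAuth2AuthenticationContext) {
            OAuth2AuthorizationCodeRequestAuthenticationToken requestAuthentication = oAuth2AuthenticationContext.getAuthentication();
            RegisteredClient registeredClient = (RegisteredClient) oAuth2AuthenticationContext.get(RegisteredClient.class);
            String requestedRedirectUri = requestAuthentication.getRedirectUri();
            if (StringUtils.hasText(requestedRedirectUri)) {
                if (!OAuth2AuthorizationCodeRequestAuthenticationProvider.isValidRedirectUri(requestedRedirectUri, registeredClient)) {
                    OAuth2AuthorizationCodeRequestAuthenticationProvider.throwError("invalid_request", "redirect_uri", requestAuthentication, registeredClient);
                }
                return;
            }
            boolean redirectUriMandatory = requestAuthentication.getScopes().contains("openid")
                    || registeredClient.getRedirectUris().size() != 1;
            if (redirectUriMandatory) {
                OAuth2AuthorizationCodeRequestAuthenticationProvider.throwError("invalid_request", "redirect_uri", requestAuthentication, registeredClient);
            }
        }
    }

    /**
     * Default validator for the {@code scope} parameter.
     *
     * <p>The decompiler reports that the access modifier of this class was changed from
     * {@code private}; the constructor is still private.
     */
    public static class DefaultScopeOAuth2AuthenticationValidator implements OAuth2AuthenticationValidator {
        private DefaultScopeOAuth2AuthenticationValidator() {
        }

        /**
         * Rejects the request with {@code invalid_scope} when it asks for a scope the client is
         * not registered for. A request without scopes passes.
         *
         * @param oAuth2AuthenticationContext holds the request token and the {@link RegisteredClient}
         */
        @Override // org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationValidator
        public void validate(OAuth2AuthenticationContext oAuth2AuthenticationContext) {
            OAuth2AuthorizationCodeRequestAuthenticationToken requestAuthentication = oAuth2AuthenticationContext.getAuthentication();
            RegisteredClient registeredClient = (RegisteredClient) oAuth2AuthenticationContext.get(RegisteredClient.class);
            Set<String> requestedScopes = requestAuthentication.getScopes();
            Set<String> registeredScopes = registeredClient.getScopes();
            if (!requestedScopes.isEmpty() && !registeredScopes.containsAll(requestedScopes)) {
                OAuth2AuthorizationCodeRequestAuthenticationProvider.throwError("invalid_scope", OidcClientMetadataClaimNames.SCOPE, requestAuthentication, registeredClient);
            }
        }
    }

    /** Default authorization code generator: a random URL-safe value that expires after five minutes. */
    private static class OAuth2AuthorizationCodeGenerator implements OAuth2TokenGenerator<OAuth2AuthorizationCode> {
        // Key length argument is 96; URL-safe Base64 without padding keeps the code usable in a query string.
        private final StringKeyGenerator authorizationCodeGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);

        private OAuth2AuthorizationCodeGenerator() {
        }

        /**
         * Generates an authorization code when the context asks for token type {@code "code"}.
         *
         * @param oAuth2TokenContext the token context
         * @return a new code valid for five minutes, or {@code null} for any other token type
         */
        @Override // org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator
        @Nullable
        public OAuth2AuthorizationCode generate(OAuth2TokenContext oAuth2TokenContext) {
            OAuth2TokenType tokenType = oAuth2TokenContext.getTokenType();
            if (tokenType == null || !"code".equals(tokenType.getValue())) {
                return null;
            }
            Instant issuedAt = Instant.now();
            Instant expiresAt = issuedAt.plus(5, ChronoUnit.MINUTES);
            return new OAuth2AuthorizationCode(this.authorizationCodeGenerator.generateKey(), issuedAt, expiresAt);
        }
    }

    /**
     * Creates the provider.
     *
     * @param registeredClientRepository source of registered clients
     * @param oAuth2AuthorizationService store for pending and issued authorizations
     * @param oAuth2AuthorizationConsentService store for end-user consent
     * @throws IllegalArgumentException if any argument is {@code null}
     */
    public OAuth2AuthorizationCodeRequestAuthenticationProvider(RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationService oAuth2AuthorizationService, OAuth2AuthorizationConsentService oAuth2AuthorizationConsentService) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(oAuth2AuthorizationConsentService, "authorizationConsentService cannot be null");
        this.registeredClientRepository = registeredClientRepository;
        this.authorizationService = oAuth2AuthorizationService;
        this.authorizationConsentService = oAuth2AuthorizationConsentService;
    }

    /**
     * Dispatches to the consent flow or the authorization-request flow, depending on the token.
     *
     * @param authentication an {@link OAuth2AuthorizationCodeRequestAuthenticationToken}
     * @return the resulting token (see the two private flows for its possible shapes)
     * @throws AuthenticationException if the request is rejected
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2AuthorizationCodeRequestAuthenticationToken requestAuthentication = (OAuth2AuthorizationCodeRequestAuthenticationToken) authentication;
        if (requestAuthentication.isConsent()) {
            return authenticateAuthorizationConsent(authentication);
        }
        return authenticateAuthorizationRequest(authentication);
    }

    /** Supports {@link OAuth2AuthorizationCodeRequestAuthenticationToken} and its subclasses. */
    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2AuthorizationCodeRequestAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Replaces the authorization code generator.
     *
     * @param oAuth2TokenGenerator the generator to use; must not be {@code null}
     */
    public void setAuthorizationCodeGenerator(OAuth2TokenGenerator<OAuth2AuthorizationCode> oAuth2TokenGenerator) {
        Assert.notNull(oAuth2TokenGenerator, "authorizationCodeGenerator cannot be null");
        this.authorizationCodeGenerator = oAuth2TokenGenerator;
    }

    /**
     * Replaces the resolver that maps a parameter name to its validator. When the resolver
     * returns {@code null} for a name, the built-in validator for that name is used instead.
     *
     * @param function the resolver; must not be {@code null}
     */
    public void setAuthenticationValidatorResolver(Function<String, OAuth2AuthenticationValidator> function) {
        Assert.notNull(function, "authenticationValidatorResolver cannot be null");
        this.authenticationValidatorResolver = function;
    }

    /**
     * Sets a hook that can adjust the consent being built before it is evaluated and saved.
     *
     * @param consumer the customizer; must not be {@code null}
     */
    public void setAuthorizationConsentCustomizer(Consumer<OAuth2AuthorizationConsentAuthenticationContext> consumer) {
        Assert.notNull(consumer, "authorizationConsentCustomizer cannot be null");
        this.authorizationConsentCustomizer = consumer;
    }

    /**
     * Validates an authorization request and, if the end user is authenticated and consent is
     * not needed, issues an authorization code.
     *
     * @return the unchanged request token when the principal is not authenticated; a
     *     consent-required token when consent must be collected; otherwise a token carrying
     *     the authorization code
     */
    private Authentication authenticateAuthorizationRequest(Authentication authentication) throws AuthenticationException {
        OAuth2AuthorizationCodeRequestAuthenticationToken requestAuthentication = (OAuth2AuthorizationCodeRequestAuthenticationToken) authentication;
        RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(requestAuthentication.getClientId());
        if (registeredClient == null) {
            throwError("invalid_request", OidcClientMetadataClaimNames.CLIENT_ID, requestAuthentication, null);
        }

        HashMap<Object, Object> context = new HashMap<>();
        context.put(RegisteredClient.class, registeredClient);
        OAuth2AuthenticationContext authenticationContext = new OAuth2AuthenticationContext(requestAuthentication, context);

        // redirect_uri is validated before any check whose failure is reported via a redirect.
        resolveAuthenticationValidator("redirect_uri").validate(authenticationContext);
        if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.AUTHORIZATION_CODE)) {
            throwError("unauthorized_client", OidcClientMetadataClaimNames.CLIENT_ID, requestAuthentication, registeredClient);
        }
        resolveAuthenticationValidator(OidcClientMetadataClaimNames.SCOPE).validate(authenticationContext);

        // PKCE (RFC 7636): S256 is the only method accepted when a method is supplied.
        // NOTE(review): a code_challenge sent without code_challenge_method is not rejected here;
        // confirm how the verifier is checked at the token endpoint in that case.
        String codeChallenge = (String) requestAuthentication.getAdditionalParameters().get("code_challenge");
        if (StringUtils.hasText(codeChallenge)) {
            String codeChallengeMethod = (String) requestAuthentication.getAdditionalParameters().get("code_challenge_method");
            if (StringUtils.hasText(codeChallengeMethod) && !"S256".equals(codeChallengeMethod)) {
                throwError("invalid_request", "code_challenge_method", PKCE_ERROR_URI, requestAuthentication, registeredClient, null);
            }
        } else if (registeredClient.getClientSettings().isRequireProofKey()) {
            throwError("invalid_request", "code_challenge", PKCE_ERROR_URI, requestAuthentication, registeredClient, null);
        }

        Authentication principal = (Authentication) requestAuthentication.getPrincipal();
        if (!isPrincipalAuthenticated(principal)) {
            // Hand the validated request back as-is; presumably the caller then triggers login.
            return requestAuthentication;
        }

        OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode()
                .authorizationUri(requestAuthentication.getAuthorizationUri())
                .clientId(registeredClient.getClientId())
                .redirectUri(requestAuthentication.getRedirectUri())
                .scopes(requestAuthentication.getScopes())
                .state(requestAuthentication.getState())
                .additionalParameters(requestAuthentication.getAdditionalParameters())
                .build();
        OAuth2AuthorizationConsent currentConsent = this.authorizationConsentService.findById(registeredClient.getId(), principal.getName());

        if (requireAuthorizationConsent(registeredClient, authorizationRequest, currentConsent)) {
            // A fresh server-generated state identifies the pending authorization on consent submission.
            String consentState = DEFAULT_STATE_GENERATOR.generateKey();
            this.authorizationService.save(authorizationBuilder(registeredClient, principal, authorizationRequest)
                    .attribute("state", consentState)
                    .build());
            Set<String> previouslyApprovedScopes = currentConsent != null ? currentConsent.getScopes() : null;
            return OAuth2AuthorizationCodeRequestAuthenticationToken.with(registeredClient.getClientId(), principal)
                    .authorizationUri(authorizationRequest.getAuthorizationUri())
                    .scopes(previouslyApprovedScopes)
                    .state(consentState)
                    .consentRequired(true)
                    .build();
        }

        OAuth2AuthorizationCode authorizationCode = this.authorizationCodeGenerator.generate(
                createAuthorizationCodeTokenContext(requestAuthentication, registeredClient, null, authorizationRequest.getScopes()));
        if (authorizationCode == null) {
            throw new OAuth2AuthorizationCodeRequestAuthenticationException(new OAuth2Error("server_error", "The token generator failed to generate the authorization code.", ERROR_URI), null);
        }
        this.authorizationService.save(authorizationBuilder(registeredClient, principal, authorizationRequest)
                .token(authorizationCode)
                .attribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, authorizationRequest.getScopes())
                .build());

        String redirectUri = authorizationRequest.getRedirectUri();
        if (!StringUtils.hasText(redirectUri)) {
            // The redirect_uri validator only lets an omitted URI through when exactly one is registered.
            redirectUri = registeredClient.getRedirectUris().iterator().next();
        }
        return OAuth2AuthorizationCodeRequestAuthenticationToken.with(registeredClient.getClientId(), principal)
                .authorizationUri(authorizationRequest.getAuthorizationUri())
                .redirectUri(redirectUri)
                .scopes(authorizationRequest.getScopes())
                .state(authorizationRequest.getState())
                .authorizationCode(authorizationCode)
                .build();
    }

    /** Returns the configured validator for {@code parameterName}, or the built-in one if none is configured. */
    private OAuth2AuthenticationValidator resolveAuthenticationValidator(String parameterName) {
        OAuth2AuthenticationValidator configured = this.authenticationValidatorResolver.apply(parameterName);
        if (configured != null) {
            return configured;
        }
        return DEFAULT_AUTHENTICATION_VALIDATOR_RESOLVER.apply(parameterName);
    }

    /**
     * Processes a submitted consent and issues an authorization code when consent was granted.
     *
     * <p>The submission is bound to the pending authorization three ways: the {@code state} must
     * resolve to a stored authorization, the authenticated principal's name must equal the stored
     * principal name, and the client must be the one the authorization was created for. Submitted
     * scopes must be a subset of the scopes in the stored authorization request.
     */
    private Authentication authenticateAuthorizationConsent(Authentication authentication) throws AuthenticationException {
        OAuth2AuthorizationCodeRequestAuthenticationToken consentAuthentication = (OAuth2AuthorizationCodeRequestAuthenticationToken) authentication;
        OAuth2Authorization authorization = this.authorizationService.findByToken(consentAuthentication.getState(), STATE_TOKEN_TYPE);
        if (authorization == null) {
            throwError("invalid_request", "state", consentAuthentication, null, null);
        }

        // The consent must come from the same end user who started the authorization.
        Authentication principal = (Authentication) consentAuthentication.getPrincipal();
        if (!isPrincipalAuthenticated(principal) || !principal.getName().equals(authorization.getPrincipalName())) {
            throwError("invalid_request", "state", consentAuthentication, null, null);
        }

        RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(consentAuthentication.getClientId());
        if (registeredClient == null || !registeredClient.getId().equals(authorization.getRegisteredClientId())) {
            throwError("invalid_request", OidcClientMetadataClaimNames.CLIENT_ID, consentAuthentication, registeredClient);
        }

        OAuth2AuthorizationRequest authorizationRequest = (OAuth2AuthorizationRequest) authorization.getAttribute(OAuth2AuthorizationRequest.class.getName());
        Set<String> requestedScopes = authorizationRequest.getScopes();
        Set<String> authorizedScopes = new HashSet<>(consentAuthentication.getScopes());
        if (!requestedScopes.containsAll(authorizedScopes)) {
            // The consent form may only approve scopes that were part of the original request.
            throwError("invalid_scope", OidcClientMetadataClaimNames.SCOPE, consentAuthentication, registeredClient, authorizationRequest);
        }

        OAuth2AuthorizationConsent currentConsent = this.authorizationConsentService.findById(authorization.getRegisteredClientId(), authorization.getPrincipalName());
        Set<String> previouslyApprovedScopes = currentConsent != null ? currentConsent.getScopes() : Collections.emptySet();
        // Requested scopes the user approved earlier stay authorized without being re-submitted.
        for (String requestedScope : requestedScopes) {
            if (previouslyApprovedScopes.contains(requestedScope)) {
                authorizedScopes.add(requestedScope);
            }
        }
        // openid is added automatically, but only when at least one other scope is authorized.
        if (!authorizedScopes.isEmpty() && requestedScopes.contains("openid")) {
            authorizedScopes.add("openid");
        }

        OAuth2AuthorizationConsent.Builder consentBuilder = currentConsent != null
                ? OAuth2AuthorizationConsent.from(currentConsent)
                : OAuth2AuthorizationConsent.withId(authorization.getRegisteredClientId(), authorization.getPrincipalName());
        authorizedScopes.forEach(consentBuilder::scope);
        if (this.authorizationConsentCustomizer != null) {
            this.authorizationConsentCustomizer.accept(OAuth2AuthorizationConsentAuthenticationContext.with(consentAuthentication)
                    .authorizationConsent(consentBuilder)
                    .registeredClient(registeredClient)
                    .authorization(authorization)
                    .authorizationRequest(authorizationRequest)
                    .build());
        }

        // Snapshot the authorities currently held by the builder (after the customizer ran).
        Set<Object> grantedAuthorities = new HashSet<>();
        consentBuilder.authorities(grantedAuthorities::addAll);
        if (grantedAuthorities.isEmpty()) {
            // Nothing granted: treat as denial, and drop both the stored consent and the pending authorization.
            if (currentConsent != null) {
                this.authorizationConsentService.remove(currentConsent);
            }
            this.authorizationService.remove(authorization);
            throwError("access_denied", OidcClientMetadataClaimNames.CLIENT_ID, consentAuthentication, registeredClient, authorizationRequest);
        }

        OAuth2AuthorizationConsent updatedConsent = consentBuilder.build();
        if (!updatedConsent.equals(currentConsent)) {
            this.authorizationConsentService.save(updatedConsent);
        }

        OAuth2AuthorizationCode authorizationCode = this.authorizationCodeGenerator.generate(
                createAuthorizationCodeTokenContext(consentAuthentication, registeredClient, authorization, authorizedScopes));
        if (authorizationCode == null) {
            throw new OAuth2AuthorizationCodeRequestAuthenticationException(new OAuth2Error("server_error", "The token generator failed to generate the authorization code.", ERROR_URI), null);
        }
        // Removing the state attribute makes the consent state single-use.
        this.authorizationService.save(OAuth2Authorization.from(authorization)
                .token(authorizationCode)
                .attributes(attributes -> {
                    attributes.remove("state");
                    attributes.put(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, authorizedScopes);
                })
                .build());

        String redirectUri = authorizationRequest.getRedirectUri();
        if (!StringUtils.hasText(redirectUri)) {
            redirectUri = registeredClient.getRedirectUris().iterator().next();
        }
        return OAuth2AuthorizationCodeRequestAuthenticationToken.with(registeredClient.getClientId(), principal)
                .authorizationUri(authorizationRequest.getAuthorizationUri())
                .redirectUri(redirectUri)
                .scopes(authorizedScopes)
                .state(authorizationRequest.getState())
                .authorizationCode(authorizationCode)
                .build();
    }

    /** Builds the resolver for the built-in {@code redirect_uri} and {@code scope} validators. */
    private static Function<String, OAuth2AuthenticationValidator> createDefaultAuthenticationValidatorResolver() {
        HashMap<String, OAuth2AuthenticationValidator> validators = new HashMap<>();
        validators.put("redirect_uri", new DefaultRedirectUriOAuth2AuthenticationValidator());
        validators.put(OidcClientMetadataClaimNames.SCOPE, new DefaultScopeOAuth2AuthenticationValidator());
        // Unknown parameter names resolve to null.
        return validators::get;
    }

    /** Starts an authorization record that carries the principal and the original authorization request. */
    private static OAuth2Authorization.Builder authorizationBuilder(RegisteredClient registeredClient, Authentication principal, OAuth2AuthorizationRequest authorizationRequest) {
        return OAuth2Authorization.withRegisteredClient(registeredClient)
                .principalName(principal.getName())
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .attribute(Principal.class.getName(), principal)
                .attribute(OAuth2AuthorizationRequest.class.getName(), authorizationRequest);
    }

    /**
     * Builds the token context handed to the authorization code generator.
     *
     * @param authorization the pending authorization, or {@code null} when none exists yet
     */
    private static OAuth2TokenContext createAuthorizationCodeTokenContext(OAuth2AuthorizationCodeRequestAuthenticationToken requestAuthentication, RegisteredClient registeredClient, OAuth2Authorization authorization, Set<String> authorizedScopes) {
        DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder()
                .registeredClient(registeredClient)
                .principal((Authentication) requestAuthentication.getPrincipal())
                .providerContext(ProviderContextHolder.getProviderContext())
                .tokenType(new OAuth2TokenType("code"))
                .authorizedScopes(authorizedScopes)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrant(requestAuthentication);
        if (authorization != null) {
            tokenContextBuilder.authorization(authorization);
        }
        return tokenContextBuilder.build();
    }

    /**
     * Decides whether the end user must be asked for consent.
     *
     * <p>Consent is skipped when the client does not require it, or when {@code openid} is the
     * only requested scope. Otherwise it is required unless an existing consent already covers
     * every requested scope.
     */
    private static boolean requireAuthorizationConsent(RegisteredClient registeredClient, OAuth2AuthorizationRequest authorizationRequest, OAuth2AuthorizationConsent authorizationConsent) {
        if (!registeredClient.getClientSettings().isRequireAuthorizationConsent()) {
            return false;
        }
        Set<String> requestedScopes = authorizationRequest.getScopes();
        if (requestedScopes.contains("openid") && requestedScopes.size() == 1) {
            return false;
        }
        if (authorizationConsent == null) {
            return true;
        }
        return !authorizationConsent.getScopes().containsAll(authorizationRequest.getScopes());
    }

    /**
     * Checks a requested redirect URI against the client's registered redirect URIs.
     *
     * <p>URIs with a fragment, without a host, or with host {@code localhost} are rejected
     * (RFC 8252, section 8.3, recommends loopback IP literals over {@code localhost}). For a
     * loopback IP host the port is ignored: each registered URI is compared after its port is
     * replaced with the requested one (RFC 8252, section 7.3). Every other host requires an
     * exact string match with a registered URI. Any parsing failure counts as invalid.
     */
    private static boolean isValidRedirectUri(String requestedRedirectUri, RegisteredClient registeredClient) {
        try {
            UriComponents requested = UriComponentsBuilder.fromUriString(requestedRedirectUri).build();
            if (requested.getFragment() != null) {
                return false;
            }
            String requestedHost = requested.getHost();
            if (requestedHost == null || requestedHost.equals("localhost")) {
                return false;
            }
            if (!isLoopbackAddress(requestedHost)) {
                return registeredClient.getRedirectUris().contains(requestedRedirectUri);
            }
            for (String registeredRedirectUri : registeredClient.getRedirectUris()) {
                UriComponentsBuilder registered = UriComponentsBuilder.fromUriString(registeredRedirectUri);
                registered.port(requested.getPort());
                if (registered.build().toString().equals(requested.toString())) {
                    return true;
                }
            }
            return false;
        } catch (Exception ex) {
            // Fail closed: a URI that cannot be parsed or compared is never accepted.
            return false;
        }
    }

    /**
     * Returns whether {@code host} is an IPv6 loopback literal ({@code [::1]} in either spelling
     * accepted below) or an IPv4 address in {@code 127.0-255.0-255.1-255}.
     */
    private static boolean isLoopbackAddress(String host) {
        if ("[0:0:0:0:0:0:0:1]".equals(host) || "[::1]".equals(host)) {
            return true;
        }
        String[] octetTexts = host.split("\\.");
        if (octetTexts.length != 4) {
            return false;
        }
        try {
            int[] octets = new int[octetTexts.length];
            for (int i = 0; i < octetTexts.length; i++) {
                octets[i] = Integer.parseInt(octetTexts[i]);
            }
            return octets[0] == 127
                    && octets[1] >= 0 && octets[1] <= 255
                    && octets[2] >= 0 && octets[2] <= 255
                    && octets[3] >= 1 && octets[3] <= 255;
        } catch (NumberFormatException ex) {
            // A non-numeric label means this is a host name, not an IPv4 literal.
            return false;
        }
    }

    /** An end user counts as authenticated only if present, not anonymous, and flagged authenticated. */
    private static boolean isPrincipalAuthenticated(Authentication principal) {
        return principal != null
                && !AnonymousAuthenticationToken.class.isAssignableFrom(principal.getClass())
                && principal.isAuthenticated();
    }

    /** Throws with the default error URI and no stored authorization request. Never returns normally. */
    private static void throwError(String errorCode, String parameterName, OAuth2AuthorizationCodeRequestAuthenticationToken requestAuthentication, RegisteredClient registeredClient) {
        throwError(errorCode, parameterName, requestAuthentication, registeredClient, null);
    }

    /** Throws with the default error URI. Never returns normally. */
    private static void throwError(String errorCode, String parameterName, OAuth2AuthorizationCodeRequestAuthenticationToken requestAuthentication, RegisteredClient registeredClient, OAuth2AuthorizationRequest authorizationRequest) {
        throwError(errorCode, parameterName, ERROR_URI, requestAuthentication, registeredClient, authorizationRequest);
    }

    /**
     * Builds and throws the authentication exception for a rejected request. Never returns normally.
     *
     * <p>For {@code invalid_request} on {@code client_id}, {@code redirect_uri} or {@code state}
     * the redirect URI is cleared from the token carried by the exception, because in those cases
     * the redirect target has not been established as trustworthy; presumably the endpoint then
     * reports the error directly instead of redirecting. For every other error a missing
     * redirect URI is filled in from the stored authorization request or the registered client.
     */
    private static void throwError(String errorCode, String parameterName, String errorUri, OAuth2AuthorizationCodeRequestAuthenticationToken requestAuthentication, RegisteredClient registeredClient, OAuth2AuthorizationRequest authorizationRequest) {
        boolean targetsUntrustedRedirect = errorCode.equals("invalid_request")
                && (parameterName.equals(OidcClientMetadataClaimNames.CLIENT_ID)
                        || parameterName.equals("redirect_uri")
                        || parameterName.equals("state"));
        boolean redirectOnError = !targetsUntrustedRedirect;
        boolean hasRedirectUri = StringUtils.hasText(requestAuthentication.getRedirectUri());

        OAuth2AuthorizationCodeRequestAuthenticationToken errorAuthentication = requestAuthentication;
        if (redirectOnError && !hasRedirectUri) {
            String redirectUri = resolveRedirectUri(authorizationRequest, registeredClient);
            // On a consent submission the client's original state lives in the stored request.
            String state = (requestAuthentication.isConsent() && authorizationRequest != null)
                    ? authorizationRequest.getState()
                    : requestAuthentication.getState();
            errorAuthentication = from(requestAuthentication).redirectUri(redirectUri).state(state).build();
            errorAuthentication.setAuthenticated(requestAuthentication.isAuthenticated());
        } else if (!redirectOnError && hasRedirectUri) {
            errorAuthentication = from(requestAuthentication).redirectUri(null).build();
            errorAuthentication.setAuthenticated(requestAuthentication.isAuthenticated());
        }
        throw new OAuth2AuthorizationCodeRequestAuthenticationException(new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName, errorUri), errorAuthentication);
    }

    /**
     * Picks the redirect URI for an error response: the stored request's URI if it has one,
     * else the client's first registered URI, else {@code null}.
     */
    private static String resolveRedirectUri(OAuth2AuthorizationRequest authorizationRequest, RegisteredClient registeredClient) {
        if (authorizationRequest != null && StringUtils.hasText(authorizationRequest.getRedirectUri())) {
            return authorizationRequest.getRedirectUri();
        }
        if (registeredClient == null) {
            return null;
        }
        return registeredClient.getRedirectUris().iterator().next();
    }

    /** Returns a builder pre-populated with every field of {@code requestAuthentication} copied here. */
    private static OAuth2AuthorizationCodeRequestAuthenticationToken.Builder from(OAuth2AuthorizationCodeRequestAuthenticationToken requestAuthentication) {
        return OAuth2AuthorizationCodeRequestAuthenticationToken.with(requestAuthentication.getClientId(), (Authentication) requestAuthentication.getPrincipal())
                .authorizationUri(requestAuthentication.getAuthorizationUri())
                .redirectUri(requestAuthentication.getRedirectUri())
                .scopes(requestAuthentication.getScopes())
                .state(requestAuthentication.getState())
                .additionalParameters(requestAuthentication.getAdditionalParameters())
                .authorizationCode(requestAuthentication.getAuthorizationCode());
    }
}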
