package org.springframework.security.oauth2.server.authorization.authentication;

import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClaimAccessor;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.context.ProviderContextHolder;
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProvider.class */
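/**
 * {@link AuthenticationProvider} for the OAuth 2.0 Refresh Token Grant (RFC 6749 section 6).
 *
 * <p>Given an already-authenticated client and a refresh token, this provider looks up the
 * stored {@link OAuth2Authorization} the token belongs to, verifies that the token is bound to
 * the calling client, that the client is allowed to use the {@code refresh_token} grant and that
 * the token is still active, then issues a new access token (plus, depending on the client's
 * token settings and the authorized scopes, a new refresh token and an ID token) and persists
 * the updated authorization before returning.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The refresh token is bound to the client it was issued to; a client mismatch is rejected
 *       before any token is minted (RFC 6749 section 6).</li>
 *   <li>Requested scopes may only narrow the originally authorized scopes, never widen them; an
 *       empty request re-issues the full authorized set.</li>
 *   <li>When {@code reuseRefreshTokens} is disabled the refresh token is rotated: the newly
 *       generated token replaces the presented one in the saved authorization. This is
 *       replacement only — presenting a rotated-out token later is not detected as replay and
 *       does not revoke the grant (RFC 6749 section 10.4 describes that stronger behaviour); an
 *       authorization service that wants it has to implement it itself.</li>
 *   <li>An ID token is issued whenever the <em>authorized</em> scopes contain {@code openid},
 *       regardless of which (possibly narrower) scopes were requested on this refresh.</li>
 * </ul>
 *
 * <p>All fields are final, so instances can be shared between threads as long as the supplied
 * authorization service and token generator are themselves thread-safe.
 */
public final class OAuth2RefreshTokenAuthenticationProvider implements AuthenticationProvider {

    /** Error URI attached to {@code server_error} responses (RFC 6749 section 5.2). */
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";

    /** Token type handed to the generator when an OpenID Connect ID token is required. */
    private static final OAuth2TokenType ID_TOKEN_TOKEN_TYPE = new OAuth2TokenType("id_token");

    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;

    /**
     * Constructs an {@code OAuth2RefreshTokenAuthenticationProvider}.
     *
     * @param oAuth2AuthorizationService the service used to look up and persist authorizations
     * @param oAuth2TokenGenerator the generator used to mint access, refresh and ID tokens
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public OAuth2RefreshTokenAuthenticationProvider(OAuth2AuthorizationService oAuth2AuthorizationService,
            OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator) {
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(oAuth2TokenGenerator, "tokenGenerator cannot be null");
        this.authorizationService = oAuth2AuthorizationService;
        this.tokenGenerator = oAuth2TokenGenerator;
    }

    /**
     * Processes a refresh token grant.
     *
     * @param authentication an {@link OAuth2RefreshTokenAuthenticationToken} carrying the refresh
     *        token, the requested scopes and the authenticated client principal
     * @return an {@link OAuth2AccessTokenAuthenticationToken} holding the new access token, the
     *         refresh token to hand back (the presented one, or a rotated replacement) and, when
     *         an ID token was issued, an {@code id_token} additional parameter
     * @throws OAuth2AuthenticationException with {@code invalid_client} if the client is not
     *         authenticated or the refresh token belongs to a different client;
     *         {@code invalid_grant} if the token is unknown or no longer active;
     *         {@code unauthorized_client} if the client may not use this grant;
     *         {@code invalid_scope} if the requested scopes exceed the authorized ones;
     *         {@code server_error} if the token generator fails to produce a token
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2RefreshTokenAuthenticationToken refreshTokenAuthentication =
                (OAuth2RefreshTokenAuthenticationToken) authentication;

        // Client authentication must already have succeeded; otherwise reject as invalid_client.
        OAuth2ClientAuthenticationToken clientPrincipal =
                OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient(refreshTokenAuthentication);
        RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();

        OAuth2Authorization authorization = this.authorizationService.findByToken(
                refreshTokenAuthentication.getRefreshToken(), OAuth2TokenType.REFRESH_TOKEN);
        if (authorization == null) {
            throw new OAuth2AuthenticationException("invalid_grant");
        }

        // The refresh token is bound to the client it was issued to (RFC 6749 section 6).
        if (!registeredClient.getId().equals(authorization.getRegisteredClientId())) {
            throw new OAuth2AuthenticationException("invalid_client");
        }
        if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
            throw new OAuth2AuthenticationException("unauthorized_client");
        }

        OAuth2Authorization.Token<OAuth2RefreshToken> refreshToken = authorization.getRefreshToken();
        // isActive() is the single liveness check (expiry / not-before / invalidation metadata).
        if (!refreshToken.isActive()) {
            throw new OAuth2AuthenticationException("invalid_grant");
        }

        Set<String> authorizedScopes = authorizedScopesOf(authorization);
        Set<String> scopes = resolveScopes(refreshTokenAuthentication.getScopes(), authorizedScopes);

        DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder()
                .registeredClient(registeredClient)
                .principal((Authentication) authorization.getAttribute(Principal.class.getName()))
                .providerContext(ProviderContextHolder.getProviderContext())
                .authorization(authorization)
                .authorizedScopes(scopes)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .authorizationGrant(refreshTokenAuthentication);

        OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization);

        // ----- access token -----
        DefaultOAuth2TokenContext accessTokenContext =
                tokenContextBuilder.tokenType(OAuth2TokenType.ACCESS_TOKEN).build();
        OAuth2Token generatedAccessToken = this.tokenGenerator.generate(accessTokenContext);
        if (generatedAccessToken == null) {
            throw new OAuth2AuthenticationException(new OAuth2Error("server_error",
                    "The token generator failed to generate the access token.", ERROR_URI));
        }
        OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
                generatedAccessToken.getTokenValue(), generatedAccessToken.getIssuedAt(),
                generatedAccessToken.getExpiresAt(), accessTokenContext.getAuthorizedScopes());
        if (generatedAccessToken instanceof ClaimAccessor) {
            // Claim-bearing tokens (e.g. JWTs): store the claims next to the token and mark it live.
            Map<String, Object> accessTokenClaims = ((ClaimAccessor) generatedAccessToken).getClaims();
            authorizationBuilder.token(accessToken, metadata -> {
                metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, accessTokenClaims);
                metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, false);
            });
        } else {
            authorizationBuilder.accessToken(accessToken);
        }

        // ----- refresh token (rotated unless the client is configured to reuse it) -----
        OAuth2RefreshToken currentRefreshToken = refreshToken.getToken();
        if (!registeredClient.getTokenSettings().isReuseRefreshTokens()) {
            // The generated token replaces the presented one in the authorization that is saved
            // below; this is plain replacement, no reuse detection or grant revocation happens here.
            OAuth2Token generatedRefreshToken = this.tokenGenerator.generate(
                    tokenContextBuilder.tokenType(OAuth2TokenType.REFRESH_TOKEN).build());
            if (!(generatedRefreshToken instanceof OAuth2RefreshToken)) {
                throw new OAuth2AuthenticationException(new OAuth2Error("server_error",
                        "The token generator failed to generate the refresh token.", ERROR_URI));
            }
            currentRefreshToken = (OAuth2RefreshToken) generatedRefreshToken;
            authorizationBuilder.refreshToken(currentRefreshToken);
        }

        // ----- ID token -----
        // Decided on the *authorized* scopes, not on the (possibly narrower) requested scopes.
        final OidcIdToken idToken;
        if (authorizedScopes.contains("openid")) {
            OAuth2Token generatedIdToken = this.tokenGenerator.generate(
                    tokenContextBuilder.tokenType(ID_TOKEN_TOKEN_TYPE).build());
            if (!(generatedIdToken instanceof Jwt)) {
                throw new OAuth2AuthenticationException(new OAuth2Error("server_error",
                        "The token generator failed to generate the ID token.", ERROR_URI));
            }
            Jwt jwt = (Jwt) generatedIdToken;
            idToken = new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims());
            authorizationBuilder.token(idToken, metadata ->
                    metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, idToken.getClaims()));
        } else {
            idToken = null;
        }

        // Persist before answering so the new tokens are on record by the time the client uses them.
        this.authorizationService.save(authorizationBuilder.build());

        Map<String, Object> additionalParameters = Collections.emptyMap();
        if (idToken != null) {
            additionalParameters = new HashMap<>();
            additionalParameters.put("id_token", idToken.getTokenValue());
        }
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken,
                currentRefreshToken, additionalParameters);
    }

    /**
     * Reads the scopes recorded on the authorization when it was first granted.
     *
     * <p>Fails closed: an authorization without a recorded scope set authorizes nothing, so a
     * refresh requesting any scope is rejected as {@code invalid_scope} instead of failing with
     * a {@link NullPointerException}.
     */
    private static Set<String> authorizedScopesOf(OAuth2Authorization authorization) {
        Set<String> authorizedScopes = authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME);
        return (authorizedScopes != null) ? authorizedScopes : Collections.emptySet();
    }

    /**
     * Resolves the scopes for the new access token (RFC 6749 section 6): the request may only
     * narrow the originally authorized scopes, and an empty request means "same as before".
     *
     * @throws OAuth2AuthenticationException {@code invalid_scope} if any requested scope was not
     *         originally authorized
     */
    private static Set<String> resolveScopes(Set<String> requestedScopes, Set<String> authorizedScopes) {
        if (!authorizedScopes.containsAll(requestedScopes)) {
            throw new OAuth2AuthenticationException("invalid_scope");
        }
        return requestedScopes.isEmpty() ? authorizedScopes : requestedScopes;
    }

    /**
     * @param cls the {@link Authentication} type being offered
     * @return {@code true} only for {@link OAuth2RefreshTokenAuthenticationToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2RefreshTokenAuthenticationToken.class.isAssignableFrom(cls);
    }
}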
