package com.okta.spring.boot.oauth;

import com.okta.spring.boot.oauth.config.OktaOAuth2Properties;
import java.util.Collection;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Flux;

/**
 * Auto-configuration that wires Okta-specific OAuth2 user services and a default
 * {@link SecurityWebFilterChain} into reactive (WebFlux) web applications.
 *
 * <p>It is ordered before the two Spring Boot reactive OAuth2 auto-configurations named in
 * {@code @AutoConfigureBefore}, and is only considered when {@link Flux},
 * {@link EnableWebFluxSecurity} and {@link ClientRegistration} are on the classpath.
 * NOTE(review): {@code @ConditionalOnOktaClientProperties} is declared elsewhere; presumably it
 * requires the Okta client properties to be present - confirm against its definition.
 *
 * <p>Every bean below is conditional on the application not having declared its own bean of the
 * same type, so any of them can be overridden by application code.
 */
@AutoConfigureBefore(name = {"org.springframework.boot.autoconfigure.security.oauth2.client.reactive.ReactiveOAuth2ClientAutoConfiguration", "org.springframework.boot.autoconfigure.security.oauth2.resource.reactive.ReactiveOAuth2ResourceServerAutoConfiguration"})
@EnableConfigurationProperties({OktaOAuth2Properties.class})
@ConditionalOnOktaClientProperties
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
@Import({AuthorityProvidersConfig.class})
@Configuration
@ConditionalOnClass({Flux.class, EnableWebFluxSecurity.class, ClientRegistration.class})
class ReactiveOktaOAuth2AutoConfig {

    /** Package-private constructor; the class is instantiated by the Spring container only. */
    ReactiveOktaOAuth2AutoConfig() {
        // nothing to initialise
    }

    /**
     * Supplies the OAuth2 user service used when the application has not defined one.
     *
     * @param collection all {@code AuthoritiesProvider} beans; handed unchanged to the service
     * @return a {@code ReactiveOktaOAuth2UserService} built from those providers
     */
    @ConditionalOnMissingBean
    @Bean
    ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService(Collection<AuthoritiesProvider> collection) {
        ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> userService =
                new ReactiveOktaOAuth2UserService(collection);
        return userService;
    }

    /**
     * Supplies the OIDC user service used when the application has not defined one.
     *
     * @param collection all {@code AuthoritiesProvider} beans; handed unchanged to the service
     * @param reactiveOAuth2UserService the bean named {@code oauth2UserService}, which the OIDC
     *     service receives as its delegate argument
     * @return a {@code ReactiveOktaOidcUserService} built from both arguments
     */
    @ConditionalOnMissingBean
    @Bean
    OidcReactiveOAuth2UserService oidcUserService(Collection<AuthoritiesProvider> collection, @Qualifier("oauth2UserService") ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> reactiveOAuth2UserService) {
        OidcReactiveOAuth2UserService oidcService =
                new ReactiveOktaOidcUserService(collection, reactiveOAuth2UserService);
        return oidcService;
    }

    /**
     * Builds the default security filter chain: every exchange must be authenticated, and OAuth2
     * login, OAuth2 client support and JWT resource-server support are all enabled on one chain.
     *
     * <p>Security-relevant points for anyone relying on or overriding this default:
     * <ul>
     *   <li>The chain is registered only when a {@link ReactiveJwtDecoder} bean exists and the
     *       application has not declared its own {@link SecurityWebFilterChain}. An
     *       application-defined chain replaces this one wholesale, so the
     *       "authenticate everything" rule has to be restated there if it is still wanted.</li>
     *   <li>No path is permitted anonymously by this chain.</li>
     *   <li>Bearer-token validation is whatever the injected decoder performs; this method only
     *       passes the decoder through and configures no validators itself.</li>
     *   <li>No other {@link ServerHttpSecurity} settings are touched here, so they remain at the
     *       framework defaults.</li>
     * </ul>
     *
     * @param serverHttpSecurity the builder to configure
     * @param reactiveJwtDecoder the decoder installed for resource-server JWT handling
     * @return the built filter chain
     */
    @ConditionalOnMissingBean({SecurityWebFilterChain.class})
    @ConditionalOnBean({ReactiveJwtDecoder.class})
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity serverHttpSecurity, ReactiveJwtDecoder reactiveJwtDecoder) {
        // Deny-by-default: any exchange without an authenticated principal is rejected.
        serverHttpSecurity.authorizeExchange().anyExchange().authenticated();

        // Interactive login and outbound OAuth2 client support.
        serverHttpSecurity.oauth2Login();
        serverHttpSecurity.oauth2Client();

        // Resource-server (bearer JWT) support, bound to the supplied decoder.
        serverHttpSecurity.oauth2ResourceServer(
                resourceServer -> resourceServer.jwt(jwt -> jwt.jwtDecoder(reactiveJwtDecoder)));

        return serverHttpSecurity.build();
    }
}
