package com.nimbusds.oauth2.sdk.assertions.jwt;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import java.util.Set;
import net.jcip.annotations.Immutable;

@Immutable
/* loaded from: input_file:BOOT-INF/lib/oauth2-oidc-sdk-7.1.1.jar:com/nimbusds/oauth2/sdk/assertions/jwt/JWTAssertionDetailsVerifier.class */
public class JWTAssertionDetailsVerifier extends DefaultJWTClaimsVerifier {
    private static final BadJWTException MISSING_EXP_CLAIM_EXCEPTION = new BadJWTException("Missing JWT expiration claim");
    private static final BadJWTException MISSING_AUD_CLAIM_EXCEPTION = new BadJWTException("Missing JWT audience claim");
    private static final BadJWTException MISSING_SUB_CLAIM_EXCEPTION = new BadJWTException("Missing JWT subject claim");
    private static final BadJWTException MISSING_ISS_CLAIM_EXCEPTION = new BadJWTException("Missing JWT issuer claim");
    private final Set<Audience> expectedAudience;

    public JWTAssertionDetailsVerifier(Set<Audience> set) {
        if (CollectionUtils.isEmpty(set)) {
            throw new IllegalArgumentException("The expected audience set must not be null or empty");
        }
        this.expectedAudience = set;
    }

    public Set<Audience> getExpectedAudience() {
        return this.expectedAudience;
    }

    @Override // com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier, com.nimbusds.jwt.proc.JWTClaimsSetVerifier
    public void verify(JWTClaimsSet jWTClaimsSet, SecurityContext securityContext) throws BadJWTException {
        super.verify(jWTClaimsSet, null);
        if (jWTClaimsSet.getExpirationTime() == null) {
            throw MISSING_EXP_CLAIM_EXCEPTION;
        }
        if (jWTClaimsSet.getAudience() == null || jWTClaimsSet.getAudience().isEmpty()) {
            throw MISSING_AUD_CLAIM_EXCEPTION;
        }
        boolean z = false;
        for (String str : jWTClaimsSet.getAudience()) {
            if (str != null && !str.isEmpty() && this.expectedAudience.contains(new Audience(str))) {
                z = true;
            }
        }
        if (!z) {
            throw new BadJWTException("Invalid JWT audience claim, expected " + this.expectedAudience);
        }
        if (jWTClaimsSet.getIssuer() == null) {
            throw MISSING_ISS_CLAIM_EXCEPTION;
        }
        if (jWTClaimsSet.getSubject() == null) {
            throw MISSING_SUB_CLAIM_EXCEPTION;
        }
    }
}
