package com.okta.oidc;

import android.net.Uri;
import android.text.TextUtils;
import android.util.Base64;
import com.google.gson.e;
import com.google.gson.f;
import com.google.gson.r;
import com.google.gson.s;
import com.google.gson.stream.JsonToken;
import com.google.gson.stream.b;
import com.okta.oidc.net.params.GrantTypes;
import com.okta.oidc.net.request.ProviderConfiguration;
import com.okta.oidc.net.request.TokenRequest;
import com.okta.oidc.util.AuthorizationException;
import java.io.IOException;
import java.lang.reflect.ParameterizedType;
import java.util.Collections;
import java.util.List;

/* loaded from: classes2.dex */
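/**
 * Parsed representation of an OpenID Connect ID token (compact form:
 * {@code header.claims.signature}) together with the claim checks applied to it.
 *
 * <p>Security note: nothing in this class verifies the token signature against the
 * issuer's keys. {@link #validate(TokenRequest, Validator)} only compares the
 * {@code alg} header with {@code "RS256"} and checks claims. The claims are therefore
 * only as trustworthy as the channel the token arrived on.
 * NOTE(review): confirm that callers obtain the token directly from the token
 * endpoint over TLS, or verify the signature elsewhere.
 *
 * <p>The listing is decompiler output; the single-letter Gson type names
 * ({@code e}, {@code f}, {@code r}, {@code s}) are obfuscated and are kept as found.
 */
public class OktaIdToken {
    private static final int NUMBER_OF_SECTIONS = 3;
    private static final int SECONDS_IN_ONE_MINUTE = 60;
    Claims mClaims;
    Header mHeader;
    String mSignature;
    private static final Long MILLIS_PER_SECOND = 1000L;
    private static final Long TEN_MINUTES_IN_SECONDS = 600L;

    /* loaded from: classes2.dex */
    /** Structured {@code address} claim. Field names are bound by name during JSON parsing; do not rename. */
    public static class Address {
        public String country;
        public String locality;
        public String postal_code;
        public String region;
        public String street_address;
    }

    /* loaded from: classes2.dex */
    /**
     * Adapter for {@code List} fields that accepts either a JSON array or a single
     * JSON value, so a claim such as {@code aud} can be read whether the issuer sends
     * one string or an array of strings.
     */
    private static final class ArrayTypeAdapter extends r<List<Object>> {
        static final s CREATE = new s() { // from class: com.okta.oidc.OktaIdToken.ArrayTypeAdapter.1
            @Override // com.google.gson.s
            public <T> r<T> create(e eVar, com.google.gson.u.a<T> aVar) {
                // Only List-typed fields are handled; returning null declines every other type.
                if (aVar.getRawType() != List.class) {
                    return null;
                }
                // presumably m(...) is the delegate-adapter lookup and k(...) the adapter lookup
                // for the list's element type (obfuscated names; verify against the Gson build).
                return new ArrayTypeAdapter(eVar.m(this, aVar), eVar.k(com.google.gson.u.a.get(((ParameterizedType) aVar.getType()).getActualTypeArguments()[0])));
            }
        };
        final r<List<Object>> mDelegate;
        final r<Object> mElement;

        ArrayTypeAdapter(r<List<Object>> rVar, r<Object> rVar2) {
            this.mDelegate = rVar;
            this.mElement = rVar2;
        }

        /**
         * Reads a list; when the next token is not the start of an array, the single
         * value is read with the element adapter and wrapped in a one-element list.
         */
        @Override // com.google.gson.r
        public List<Object> read(com.google.gson.stream.a aVar) throws IOException {
            return aVar.z() != JsonToken.BEGIN_ARRAY ? Collections.singletonList(this.mElement.read(aVar)) : this.mDelegate.read(aVar);
        }

        /** Writes a one-element list as a bare value and any other list as an array. */
        @Override // com.google.gson.r
        public void write(b bVar, List<Object> list) throws IOException {
            r rVar;
            Object obj;
            if (list.size() == 1) {
                rVar = this.mElement;
                obj = list.get(0);
            } else {
                rVar = this.mDelegate;
                obj = list;
            }
            rVar.write(bVar, obj);
        }
    }

    /* loaded from: classes2.dex */
    /**
     * Claims section of the ID token. Field names are bound by name during JSON
     * parsing; do not rename. A claim missing from the token leaves its field at the
     * Java default ({@code null} or {@code 0}), so every consumer must handle absence.
     */
    public static class Claims {
        public Address address;
        public List<String> amr;
        public String at_hash;
        public List<String> aud;
        public int auth_time;
        public String email;
        public String email_verified;
        // exp, iat, auth_time and updated_at are held as 32-bit ints (seconds).
        public int exp;
        public String family_name;
        public String given_name;
        public List<String> groups;
        public int iat;
        public String idp;
        public String iss;
        public String jti;
        public String locale;
        public String middle_name;
        public String name;
        public String nickname;
        public String nonce;
        public String phone_number;
        public String preferred_username;
        public String profile;
        public String sub;
        public int updated_at;
        public String ver;
        public String zoneinfo;
    }

    /* loaded from: classes2.dex */
    /** Time source used by {@link DefaultValidator}; injectable so tests can fix "now". */
    public interface Clock {
        long getCurrentTimeMillis();
    }

    /* loaded from: classes2.dex */
    /** Time-based checks: the token must not be expired and must have been issued recently. */
    public static final class DefaultValidator implements Validator {
        private final Clock clock;

        public DefaultValidator(Clock clock) {
            this.clock = clock;
        }

        /**
         * Rejects a token whose {@code exp} is in the past, or whose {@code iat} differs
         * from the current time by more than ten minutes in either direction.
         *
         * <p>The expiry comparison has no clock-skew allowance; the issued-at window is
         * what tolerates skew between device and issuer. A missing {@code exp} claim is 0
         * and is therefore treated as expired.
         *
         * @param oktaIdToken token whose claims are checked
         * @throws AuthorizationException if the token is expired or {@code iat} is outside the window
         */
        @Override // com.okta.oidc.OktaIdToken.Validator
        public void validate(OktaIdToken oktaIdToken) throws AuthorizationException {
            long nowSeconds = this.clock.getCurrentTimeMillis() / OktaIdToken.MILLIS_PER_SECOND.longValue();
            Claims claims = oktaIdToken.mClaims;
            if (nowSeconds > claims.exp) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.ID_TOKEN_EXPIRED);
            }
            if (Math.abs(nowSeconds - claims.iat) > OktaIdToken.TEN_MINUTES_IN_SECONDS.longValue()) {
                // The error carries the permitted window expressed in minutes.
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.createWrongTokenIssuedTime(OktaIdToken.TEN_MINUTES_IN_SECONDS.intValue() / OktaIdToken.SECONDS_IN_ONE_MINUTE));
            }
        }
    }

    /* loaded from: classes2.dex */
    /** Header section of the ID token. Field names are bound by name during JSON parsing; do not rename. */
    public static class Header {
        public String alg;
        public String kid;
    }

    /* loaded from: classes2.dex */
    /** Pluggable check invoked from {@link #validate(TokenRequest, Validator)}. */
    public interface Validator {
        void validate(OktaIdToken oktaIdToken) throws AuthorizationException;
    }

    private OktaIdToken(Header header, Claims claims, String str) {
        this.mHeader = header;
        this.mClaims = claims;
        this.mSignature = str;
    }

    /**
     * Splits a compact ID token on {@code '.'}, base64url-decodes each section and
     * parses the header and claims from JSON.
     *
     * <p>Parsing does not authenticate anything: the returned object holds whatever the
     * token text said. Call {@link #validate(TokenRequest, Validator)} before relying
     * on any claim.
     *
     * <p>Tokens with more than three sections are accepted and the extra sections are
     * ignored (original behaviour, kept for compatibility).
     *
     * @param str the compact token string
     * @return the parsed token; header and claims are never {@code null}
     * @throws IllegalArgumentException if {@code str} is {@code null}, has fewer than three
     *     sections, or a header/claims section decodes to no JSON object
     */
    public static OktaIdToken parseIdToken(String str) throws IllegalArgumentException {
        if (str == null) {
            throw new IllegalArgumentException("IdToken is null");
        }
        String[] split = str.split("\\.");
        if (split.length < NUMBER_OF_SECTIONS) {
            throw new IllegalArgumentException("IdToken missing header, claims or signature section");
        }
        e b2 = new f().c(ArrayTypeAdapter.CREATE).b();
        // Base64.URL_SAFE is the flag the decompiler had inlined as the literal 8.
        Header header = (Header) b2.i(new String(Base64.decode(split[0], Base64.URL_SAFE)), Header.class);
        Claims claims = (Claims) b2.i(new String(Base64.decode(split[1], Base64.URL_SAFE)), Claims.class);
        // A section that decodes to JSON null yields a null object; reject it here so the
        // validation code never dereferences a null header or claims set.
        if (header == null || claims == null) {
            throw new IllegalArgumentException("IdToken header or claims section is empty");
        }
        // NOTE(review): the signature section is binary; converting it to a String is lossy,
        // so the stored value is not suitable as input to signature verification.
        return new OktaIdToken(header, claims, new String(Base64.decode(split[2], Base64.URL_SAFE)));
    }

    public Claims getClaims() {
        return this.mClaims;
    }

    public Header getHeader() {
        return this.mHeader;
    }

    public String getSignature() {
        return this.mSignature;
    }

    /**
     * Checks this token's header and claims against the request that produced it.
     *
     * <p>Checks, in order: {@code alg} is {@code "RS256"}; when the provider
     * configuration has an issuer, {@code iss} equals it and is an https URL with a host
     * and no query or fragment; {@code aud} contains the configured client id; the
     * supplied {@code validator} passes; for the authorization-code grant, {@code nonce}
     * equals the request nonce; when the request set a max age, {@code auth_time} is present.
     *
     * <p>Not checked here: the signature (see the class note), and whether the time
     * elapsed since {@code auth_time} exceeds the requested max age.
     * When the provider configuration has no issuer, all issuer checks are skipped.
     *
     * <p>Absent {@code iss} or {@code aud} claims, and an issuer without a scheme, are
     * reported as the corresponding validation error instead of a
     * {@code NullPointerException}, so a malformed token cannot crash the caller.
     *
     * @param tokenRequest request supplying config, provider configuration, grant type, nonce and max age
     * @param validator additional check run after the audience check
     * @throws AuthorizationException if any check fails
     */
    public void validate(TokenRequest tokenRequest, Validator validator) throws AuthorizationException {
        OIDCConfig config = tokenRequest.getConfig();
        ProviderConfiguration providerConfiguration = tokenRequest.getProviderConfiguration();
        // Allow-list of exactly one algorithm: "none" and HMAC variants are rejected here.
        if (!"RS256".equals(this.mHeader.alg)) {
            throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.createNotSupportedAlgorithmException(this.mHeader.alg));
        }
        String expectedIssuer = providerConfiguration.issuer;
        if (expectedIssuer != null) {
            // Compare from the trusted side so a token without "iss" is a mismatch, not an NPE.
            if (!expectedIssuer.equals(this.mClaims.iss)) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.ISSUER_MISMATCH);
            }
            Uri parse = Uri.parse(this.mClaims.iss);
            // getScheme() is null for a scheme-less value; treat that as "not https".
            if (!"https".equals(parse.getScheme())) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.ISSUER_NOT_HTTPS_URL);
            }
            if (TextUtils.isEmpty(parse.getHost())) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.ISSUER_HOST_EMPTY);
            }
            if (parse.getFragment() != null || parse.getQueryParameterNames().size() > 0) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.ISSUER_URL_CONTAIN_OTHER_COMPONENTS);
            }
        }
        // A token without "aud" was not issued for this client; fail closed.
        List<String> audience = this.mClaims.aud;
        if (audience == null || !audience.contains(config.getClientId())) {
            throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.AUDIENCE_MISMATCH);
        }
        validator.validate(this);
        if (GrantTypes.AUTHORIZATION_CODE.equals(tokenRequest.getGrantType())) {
            // TextUtils.equals treats two nulls as equal, so a request without a nonce
            // accepts a token without one.
            if (!TextUtils.equals(this.mClaims.nonce, tokenRequest.getNonce())) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.NONCE_MISMATCH);
            }
        }
        // Only the presence of auth_time is enforced when a max age was requested.
        if (tokenRequest.getMaxAge() != null && this.mClaims.auth_time <= 0) {
            throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.AUTH_TIME_MISSING);
        }
    }
}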
