package net.openid.appauth;

import android.net.Uri;
import android.text.TextUtils;
import android.util.Base64;
import com.adjust.sdk.Constants;
import java.util.ArrayList;
import java.util.List;
import net.openid.appauth.AuthorizationException;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: classes2.dex */
class IdToken {
    private static final String KEY_AUDIENCE = "aud";
    private static final String KEY_EXPIRATION = "exp";
    private static final String KEY_ISSUED_AT = "iat";
    private static final String KEY_ISSUER = "iss";
    private static final String KEY_NONCE = "nonce";
    private static final String KEY_SUBJECT = "sub";
    private static final Long MILLIS_PER_SECOND = 1000L;
    private static final Long TEN_MINUTES_IN_SECONDS = 600L;
    public final List<String> audience;
    public final Long expiration;
    public final Long issuedAt;
    public final String issuer;
    public final String nonce;
    public final String subject;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes2.dex */
    public static class IdTokenException extends Exception {
        IdTokenException(String str) {
            super(str);
        }
    }

    IdToken(String str, String str2, List<String> list, Long l, Long l2, String str3) {
        this.issuer = str;
        this.subject = str2;
        this.audience = list;
        this.expiration = l;
        this.issuedAt = l2;
        this.nonce = str3;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Multi-variable type inference failed */
    public static IdToken from(String str) throws JSONException, IdTokenException {
        List list;
        String[] split = str.split("\\.");
        if (split.length <= 1) {
            throw new IdTokenException("ID token must have both header and claims section");
        }
        parseJwtSection(split[0]);
        JSONObject parseJwtSection = parseJwtSection(split[1]);
        String string = JsonUtil.getString(parseJwtSection, KEY_ISSUER);
        String string2 = JsonUtil.getString(parseJwtSection, KEY_SUBJECT);
        try {
            list = JsonUtil.getStringList(parseJwtSection, KEY_AUDIENCE);
        } catch (JSONException unused) {
            List arrayList = new ArrayList();
            arrayList.add(JsonUtil.getString(parseJwtSection, KEY_AUDIENCE));
            list = arrayList;
        }
        return new IdToken(string, string2, list, Long.valueOf(parseJwtSection.getLong(KEY_EXPIRATION)), Long.valueOf(parseJwtSection.getLong(KEY_ISSUED_AT)), JsonUtil.getStringIfDefined(parseJwtSection, KEY_NONCE));
    }

    private static JSONObject parseJwtSection(String str) throws JSONException {
        return new JSONObject(new String(Base64.decode(str, 8)));
    }

    void validate(TokenRequest tokenRequest, Clock clock) throws AuthorizationException {
        validate(tokenRequest, clock, false, false);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void validate(TokenRequest tokenRequest, Clock clock, boolean z, boolean z2) throws AuthorizationException {
        AuthorizationServiceDiscovery authorizationServiceDiscovery = tokenRequest.configuration.discoveryDoc;
        if (authorizationServiceDiscovery != null) {
            if (!this.issuer.equals(authorizationServiceDiscovery.getIssuer())) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new IdTokenException("Issuer mismatch"));
            }
            Uri parse = Uri.parse(this.issuer);
            if (!z && !parse.getScheme().equals(Constants.SCHEME)) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new IdTokenException("Issuer must be an https URL"));
            }
            if (TextUtils.isEmpty(parse.getHost())) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new IdTokenException("Issuer host can not be empty"));
            }
            if (parse.getFragment() != null || parse.getQueryParameterNames().size() > 0) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new IdTokenException("Issuer URL should not containt query parameters or fragment components"));
            }
        }
        if (!this.audience.contains(tokenRequest.clientId)) {
            throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new IdTokenException("Audience mismatch"));
        }
        Long valueOf = Long.valueOf(clock.getCurrentTimeMillis() / MILLIS_PER_SECOND.longValue());
        if (valueOf.longValue() > this.expiration.longValue()) {
            throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new IdTokenException("ID Token expired"));
        }
        if (Math.abs(valueOf.longValue() - this.issuedAt.longValue()) > TEN_MINUTES_IN_SECONDS.longValue()) {
            throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new IdTokenException("Issued at time is more than 10 minutes before or after the current time"));
        }
        if (GrantTypeValues.AUTHORIZATION_CODE.equals(tokenRequest.grantType)) {
            String str = tokenRequest.nonce;
            if (!z2 && !TextUtils.equals(this.nonce, str)) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new IdTokenException("Nonce mismatch"));
            }
        }
    }
}
