package com.okta.spring.oauth.code;

import com.okta.spring.config.OktaOAuth2Properties;
import com.okta.spring.oauth.OAuth2AccessTokenValidationException;
import com.okta.spring.oauth.OktaTokenServicesConfig;
import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2SsoDefaultConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.Primary;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;

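/**
 * Wires Okta's authorization-code ("SSO") flow into Spring Security OAuth2.
 *
 * <p>Ordered ahead of {@link OAuth2SsoDefaultConfiguration} so that the {@link Primary}
 * {@link ResourceServerTokenServices} declared below is the one the SSO defaults pick up,
 * and imports {@link OktaTokenServicesConfig}, which is expected to supply the
 * {@link TokenStore} the bean method depends on.
 */
@AutoConfigureBefore({OAuth2SsoDefaultConfiguration.class})
@Configuration
@ConditionalOnBean({OAuth2SsoDefaultConfiguration.class})
@Import({OktaTokenServicesConfig.class})
public class OktaOAuthCodeFlowConfiguration {

    /**
     * Active when {@code okta.oauth2.localTokenValidation} is {@code true} <em>or absent</em>
     * ({@code matchIfMissing = true}). Setting the property to {@code false} removes the
     * audience-enforcing token services defined here, so tokens are no longer checked for
     * the configured audience by this class.
     */
    @Configuration
    @ConditionalOnProperty(name = {"okta.oauth2.localTokenValidation"}, matchIfMissing = true)
    public static class LocalTokenValidationConfig {

        /**
         * Builds token services that resolve the token through {@code tokenStore} and then
         * enforce the configured audience.
         *
         * @param tokenStore           store used to look up the access token
         * @param oktaOAuth2Properties source of the expected {@code audience}
         * @return audience-enforcing {@link ResourceServerTokenServices}, marked
         *         {@link Primary} so it overrides the framework default
         */
        @Bean
        @Primary
        protected ResourceServerTokenServices resourceServerTokenServices(TokenStore tokenStore, OktaOAuth2Properties oktaOAuth2Properties) {
            Non500ErrorDefaultTokenServices tokenServices =
                    new Non500ErrorDefaultTokenServices(oktaOAuth2Properties.getAudience());
            tokenServices.setTokenStore(tokenStore);
            return tokenServices;
        }
    }

    /**
     * {@link DefaultTokenServices} that rejects any token whose resource ids do not include
     * the expected audience.
     *
     * <p>Security note: the check is fail-closed. Only an explicit match is accepted; a
     * token with no resource ids is rejected, and an unset {@code okta.oauth2.audience}
     * can never match, so it rejects every token rather than accepting all of them.
     * The resource ids are presumably populated from the token's {@code aud} claim by the
     * token store — confirm against {@link OktaTokenServicesConfig}.
     */
    static class Non500ErrorDefaultTokenServices extends DefaultTokenServices {
        private final String audience;

        /**
         * @param audience the audience every accepted token must carry in its resource ids
         */
        Non500ErrorDefaultTokenServices(String audience) {
            this.audience = audience;
        }

        /**
         * Resolves the authentication for {@code accessToken} via the parent implementation,
         * then enforces the audience.
         *
         * @throws OAuth2AccessTokenValidationException when the expected audience is absent
         *         from the token's resource ids (the class name suggests this exception is
         *         mapped to a non-500 response; confirm in
         *         {@link OAuth2AccessTokenValidationException})
         */
        @Override
        public OAuth2Authentication loadAuthentication(String accessToken) {
            OAuth2Authentication authentication = super.loadAuthentication(accessToken);
            // Fail closed: anything other than an explicit audience match is rejected.
            if (!authentication.getOAuth2Request().getResourceIds().contains(this.audience)) {
                throw new OAuth2AccessTokenValidationException(
                        "Invalid token, 'aud' claim does not contain the expected audience of: " + this.audience);
            }
            return authentication;
        }
    }
}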
