package com.okta.oidc;

import android.net.Uri;
import android.text.TextUtils;
import android.util.Base64;
import androidx.annotation.NonNull;
import androidx.annotation.RestrictTo;
import androidx.annotation.VisibleForTesting;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.TypeAdapter;
import com.google.gson.TypeAdapterFactory;
import com.google.gson.reflect.TypeToken;
import com.google.gson.stream.JsonReader;
import com.google.gson.stream.JsonToken;
import com.google.gson.stream.JsonWriter;
import com.okta.oidc.net.request.ProviderConfiguration;
import com.okta.oidc.net.request.TokenRequest;
import com.okta.oidc.util.AuthorizationException;
import java.io.IOException;
import java.lang.reflect.ParameterizedType;
import java.util.Collections;
import java.util.List;
import yg.AbstractC0625;
import yg.C0520;
import yg.C0530;
import yg.C0535;
import yg.C0553;
import yg.C0601;
import yg.C0635;
import yg.C0648;
import yg.C0697;

/* loaded from: classes3.dex */
public class OktaIdToken {
    public static final int NUMBER_OF_SECTIONS = 3;
    public static final int SECONDS_IN_ONE_MINUTE = 60;

    @VisibleForTesting
    public Claims mClaims;

    @VisibleForTesting
    public Header mHeader;

    @VisibleForTesting
    public String mSignature;
    public static final Long MILLIS_PER_SECOND = 1000L;
    public static final Long TEN_MINUTES_IN_SECONDS = 600L;

    /* loaded from: classes3.dex */
    public static class Address {
        public String country;
        public String locality;
        public String postal_code;
        public String region;
        public String street_address;
    }

    /* loaded from: classes3.dex */
    public static final class ArrayTypeAdapter extends TypeAdapter<List<Object>> {
        public static final TypeAdapterFactory CREATE = new TypeAdapterFactory() { // from class: com.okta.oidc.OktaIdToken.ArrayTypeAdapter.1
            @Override // com.google.gson.TypeAdapterFactory
            public <T> TypeAdapter<T> create(Gson gson, TypeToken<T> typeToken) {
                if (typeToken.getRawType() != List.class) {
                    return null;
                }
                return new ArrayTypeAdapter(gson.getDelegateAdapter(this, typeToken), gson.getAdapter(TypeToken.get(((ParameterizedType) typeToken.getType()).getActualTypeArguments()[0])));
            }
        };
        public final TypeAdapter<List<Object>> mDelegate;
        public final TypeAdapter<Object> mElement;

        public ArrayTypeAdapter(TypeAdapter<List<Object>> typeAdapter, TypeAdapter<Object> typeAdapter2) {
            this.mDelegate = typeAdapter;
            this.mElement = typeAdapter2;
        }

        @Override // com.google.gson.TypeAdapter
        public List<Object> read(JsonReader jsonReader) throws IOException {
            return jsonReader.peek() != JsonToken.BEGIN_ARRAY ? Collections.singletonList(this.mElement.read(jsonReader)) : this.mDelegate.read(jsonReader);
        }

        @Override // com.google.gson.TypeAdapter
        public void write(JsonWriter jsonWriter, List<Object> list) throws IOException {
            if (list.size() == 1) {
                this.mElement.write(jsonWriter, list.get(0));
            } else {
                this.mDelegate.write(jsonWriter, list);
            }
        }
    }

    /* loaded from: classes3.dex */
    public static class Claims {
        public Address address;
        public List<String> amr;
        public String at_hash;
        public List<String> aud;
        public int auth_time;
        public String email;
        public String email_verified;
        public int exp;
        public String family_name;
        public String given_name;
        public List<String> groups;
        public int iat;
        public String idp;
        public String iss;
        public String jti;
        public String locale;
        public String middle_name;
        public String name;
        public String nickname;
        public String nonce;
        public String phone_number;
        public String preferred_username;
        public String profile;
        public String sub;
        public int updated_at;
        public String ver;
        public String zoneinfo;
    }

    @RestrictTo({RestrictTo.Scope.LIBRARY})
    /* loaded from: classes3.dex */
    public interface Clock {
        long getCurrentTimeMillis();
    }

    @RestrictTo({RestrictTo.Scope.LIBRARY})
    /* loaded from: classes3.dex */
    public static final class DefaultValidator implements Validator {
        public final Clock clock;

        public DefaultValidator(Clock clock) {
            this.clock = clock;
        }

        @Override // com.okta.oidc.OktaIdToken.Validator
        public void validate(OktaIdToken oktaIdToken) throws AuthorizationException {
            long currentTimeMillis = this.clock.getCurrentTimeMillis() / OktaIdToken.MILLIS_PER_SECOND.longValue();
            Claims claims = oktaIdToken.mClaims;
            if (currentTimeMillis > claims.exp) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.ID_TOKEN_EXPIRED);
            }
            if (Math.abs(currentTimeMillis - claims.iat) > OktaIdToken.TEN_MINUTES_IN_SECONDS.longValue()) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.createWrongTokenIssuedTime(OktaIdToken.TEN_MINUTES_IN_SECONDS.intValue() / 60));
            }
        }
    }

    /* loaded from: classes3.dex */
    public static class Header {
        public String alg;
        public String kid;
    }

    /* loaded from: classes3.dex */
    public interface Validator {
        void validate(OktaIdToken oktaIdToken) throws AuthorizationException;
    }

    public OktaIdToken(Header header, Claims claims, String str) {
        this.mHeader = header;
        this.mClaims = claims;
        this.mSignature = str;
    }

    public static OktaIdToken parseIdToken(@NonNull String str) throws IllegalArgumentException {
        String[] split = str.split(C0635.m1169("\u001c6", (short) (C0535.m903() ^ 13342)));
        if (split.length >= 3) {
            Gson create = new GsonBuilder().registerTypeAdapterFactory(ArrayTypeAdapter.CREATE).create();
            return new OktaIdToken((Header) create.fromJson(new String(Base64.decode(split[0], 8)), Header.class), (Claims) create.fromJson(new String(Base64.decode(split[1], 8)), Claims.class), new String(Base64.decode(split[2], 8)));
        }
        short m1364 = (short) (C0697.m1364() ^ 26787);
        int[] iArr = new int["3O@\\YT^\u0011_\\gh_e_\u0019b`]acq,!eoensz(x|+\u007fvu}q\u0006\b\u0006y5\n|{\u000e\u0004\u000b\u000b".length()];
        C0648 c0648 = new C0648("3O@\\YT^\u0011_\\gh_e_\u0019b`]acq,!eoensz(x|+\u007fvu}q\u0006\b\u0006y5\n|{\u000e\u0004\u000b\u000b");
        int i = 0;
        while (c0648.m1212()) {
            int m1211 = c0648.m1211();
            AbstractC0625 m1151 = AbstractC0625.m1151(m1211);
            iArr[i] = m1151.mo828(m1151.mo831(m1211) - (((m1364 + m1364) + m1364) + i));
            i++;
        }
        throw new IllegalArgumentException(new String(iArr, 0, i));
    }

    public Claims getClaims() {
        return this.mClaims;
    }

    public Header getHeader() {
        return this.mHeader;
    }

    public String getSignature() {
        return this.mSignature;
    }

    @RestrictTo({RestrictTo.Scope.LIBRARY})
    public void validate(TokenRequest tokenRequest, Validator validator) throws AuthorizationException {
        OIDCConfig config = tokenRequest.getConfig();
        ProviderConfiguration providerConfiguration = tokenRequest.getProviderConfiguration();
        String str = this.mHeader.alg;
        short m825 = (short) (C0520.m825() ^ (-24258));
        int[] iArr = new int["\u0001\u0001^``".length()];
        C0648 c0648 = new C0648("\u0001\u0001^``");
        int i = 0;
        while (c0648.m1212()) {
            int m1211 = c0648.m1211();
            AbstractC0625 m1151 = AbstractC0625.m1151(m1211);
            iArr[i] = m1151.mo828(m825 + m825 + i + m1151.mo831(m1211));
            i++;
        }
        if (!new String(iArr, 0, i).equals(str)) {
            throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.createNotSupportedAlgorithmException(this.mHeader.alg));
        }
        String str2 = providerConfiguration.issuer;
        if (str2 != null) {
            if (!this.mClaims.iss.equals(str2)) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.ISSUER_MISMATCH);
            }
            Uri parse = Uri.parse(this.mClaims.iss);
            if (!parse.getScheme().equals(C0553.m937("w\u0003\u0002|~", (short) (C0601.m1083() ^ 32362)))) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.ISSUER_NOT_HTTPS_URL);
            }
            if (TextUtils.isEmpty(parse.getHost())) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.ISSUER_HOST_EMPTY);
            }
            if (parse.getFragment() != null || parse.getQueryParameterNames().size() > 0) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.ISSUER_URL_CONTAIN_OTHER_COMPONENTS);
            }
        }
        if (!this.mClaims.aud.contains(config.getClientId())) {
            throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.AUDIENCE_MISMATCH);
        }
        validator.validate(this);
        if (C0530.m875("\u000f\" \u0013\u0019\u001b\u0011!\u0007\u0019\r\u0012\u0010\u007f\u0003\u000e\u0002\u0002", (short) (C0520.m825() ^ (-13731)), (short) (C0520.m825() ^ (-13982))).equals(tokenRequest.getGrantType())) {
            if (!TextUtils.equals(this.mClaims.nonce, tokenRequest.getNonce())) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.NONCE_MISMATCH);
            }
        }
        if (tokenRequest.getMaxAge() != null && this.mClaims.auth_time <= 0) {
            throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, AuthorizationException.TokenValidationError.AUTH_TIME_MISSING);
        }
    }
}
