package net.openid.appauth;

import android.net.Uri;
import android.text.TextUtils;
import android.util.Base64;
import androidx.media3.common.text.SpanUtil;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Set;
import net.openid.appauth.AuthorizationException;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: classes2.dex */
public final class IdToken {
    public static final Set BUILT_IN_CLAIMS = SpanUtil.builtInParams("iss", "sub", "aud", "exp", "iat", "nonce", "azp");
    public final ArrayList audience;
    public final String authorizedParty;
    public final Long expiration;
    public final Long issuedAt;
    public final String issuer;
    public final String nonce;

    /* loaded from: classes2.dex */
    public final class IdTokenException extends Exception {
    }

    public IdToken(String str, ArrayList arrayList, Long l, Long l2, String str2, String str3) {
        this.issuer = str;
        this.audience = arrayList;
        this.expiration = l;
        this.issuedAt = l2;
        this.nonce = str2;
        this.authorizedParty = str3;
    }

    public static IdToken from(String str) {
        ArrayList arrayList;
        String[] split = str.split("\\.");
        if (split.length <= 1) {
            throw new Exception("ID token must have both header and claims section");
        }
        new JSONObject(new String(Base64.decode(split[0], 8)));
        JSONObject jSONObject = new JSONObject(new String(Base64.decode(split[1], 8)));
        String string = JsonUtil.getString(jSONObject, "iss");
        JsonUtil.getString(jSONObject, "sub");
        try {
        } catch (JSONException unused) {
            ArrayList arrayList2 = new ArrayList();
            arrayList2.add(JsonUtil.getString(jSONObject, "aud"));
            arrayList = arrayList2;
        }
        if (!jSONObject.has("aud")) {
            throw new JSONException("field \"aud\" not found in json object");
        }
        arrayList = JsonUtil.toStringList(jSONObject.getJSONArray("aud"));
        Long valueOf = Long.valueOf(jSONObject.getLong("exp"));
        Long valueOf2 = Long.valueOf(jSONObject.getLong("iat"));
        String stringIfDefined = JsonUtil.getStringIfDefined(jSONObject, "nonce");
        String stringIfDefined2 = JsonUtil.getStringIfDefined(jSONObject, "azp");
        Iterator it = BUILT_IN_CLAIMS.iterator();
        while (it.hasNext()) {
            jSONObject.remove((String) it.next());
        }
        JsonUtil.toMap(jSONObject);
        return new IdToken(string, arrayList, valueOf, valueOf2, stringIfDefined, stringIfDefined2);
    }

    public final void validate(TokenRequest tokenRequest, SystemClock systemClock, boolean z) {
        AuthorizationServiceDiscovery authorizationServiceDiscovery = tokenRequest.configuration.discoveryDoc;
        if (authorizationServiceDiscovery != null) {
            String str = (String) authorizationServiceDiscovery.get(AuthorizationServiceDiscovery.ISSUER);
            String str2 = this.issuer;
            if (!str2.equals(str)) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new Exception("Issuer mismatch"));
            }
            Uri parse = Uri.parse(str2);
            if (!z && !parse.getScheme().equals("https")) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new Exception("Issuer must be an https URL"));
            }
            if (TextUtils.isEmpty(parse.getHost())) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new Exception("Issuer host can not be empty"));
            }
            if (parse.getFragment() != null || parse.getQueryParameterNames().size() > 0) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new Exception("Issuer URL should not containt query parameters or fragment components"));
            }
        }
        ArrayList arrayList = this.audience;
        String str3 = tokenRequest.clientId;
        if (!arrayList.contains(str3) && !str3.equals(this.authorizedParty)) {
            throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new Exception("Audience mismatch"));
        }
        systemClock.getClass();
        long currentTimeMillis = System.currentTimeMillis() / 1000;
        if (currentTimeMillis > this.expiration.longValue()) {
            throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new Exception("ID Token expired"));
        }
        if (Math.abs(currentTimeMillis - this.issuedAt.longValue()) > 600) {
            throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new Exception("Issued at time is more than 10 minutes before or after the current time"));
        }
        if ("authorization_code".equals(tokenRequest.grantType)) {
            if (!TextUtils.equals(this.nonce, tokenRequest.nonce)) {
                throw AuthorizationException.fromTemplate(AuthorizationException.GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new Exception("Nonce mismatch"));
            }
        }
    }
}
