package it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.bearer;

import it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.OpenIdConnectConfiguration;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;

/* loaded from: input_file:WEB-INF/lib/geostore-rest-impl-2.2.0.jar:it/geosolutions/geostore/services/rest/security/oauth2/openid_connect/bearer/AudienceAccessTokenValidator.class */
public class AudienceAccessTokenValidator implements OpenIdTokenValidator {
    private final String AUDIENCE_CLAIM_NAME = "aud";
    private final String APPID_CLAIM_NAME = "appid";
    private final String KEYCLOAK_AUDIENCE_CLAIM_NAME = IdTokenClaimNames.AZP;

    @Override // it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.bearer.OpenIdTokenValidator
    public void verifyToken(OpenIdConnectConfiguration openIdConnectConfiguration, Map map, Map map2) throws Exception {
        String clientId = openIdConnectConfiguration.getClientId();
        if (map.get("aud") != null) {
            if (map.get("aud").equals(clientId)) {
                return;
            }
            if ((map.get("aud") instanceof Collection) && ((Collection) map.get("aud")).contains(clientId)) {
                return;
            }
        }
        if (map.get("appid") == null || !map.get("appid").equals(clientId)) {
            Object obj = map.get(IdTokenClaimNames.AZP);
            if (obj != null) {
                if (obj instanceof String) {
                    if (obj.equals(openIdConnectConfiguration.getClientId())) {
                        return;
                    }
                } else if (obj instanceof List) {
                    for (Object obj2 : (List) obj) {
                        if ((obj2 instanceof String) && obj2.equals(clientId)) {
                            return;
                        }
                    }
                }
            }
            throw new Exception("JWT Bearer token - probably not meant for this application");
        }
    }
}
