package com.duosecurity;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.Verification;
import com.duosecurity.exception.DuoException;

/* loaded from: input_file:com/duosecurity/DuoIdTokenValidator.class */
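/**
 * Validates the ID token (a JWT) returned by Duo's token endpoint and decodes it.
 *
 * <p>A token is accepted only if its HMAC-SHA512 signature verifies against the client
 * secret and its issuer, audience and {@code preferred_username} claims equal the values
 * given at construction. The {@code nonce} claim is checked only when a nonce was supplied.
 *
 * <p>Instances hold only final fields and build a fresh verifier for every call.
 */
public final class DuoIdTokenValidator implements TokenValidator {
    /** Clock-skew tolerance, in seconds, applied to the token's time-based claims. */
    private static final long DUO_LEEWAY = 60;
    private static final String HTTPS = "https://";
    private static final String ISSUER_PATH = "/oauth/v1/token";
    private static final String NONCE_CLAIM = "nonce";
    private static final String USERNAME_CLAIM = "preferred_username";

    // Shared secret used as the HMAC key; never log or expose it.
    private final String clientSecret;
    private final String username;
    private final String audience;
    // Expected "iss" value: https://<apiHost>/oauth/v1/token
    private final String issuer;
    // Expected "nonce" value, or null when the caller does not bind the token to a nonce.
    private final String nonce;
    private final long leeway;

    /**
     * Creates a validator that does not check the {@code nonce} claim.
     *
     * <p>Without a nonce the token is not bound to one specific authentication request;
     * prefer the five-argument constructor when the caller generated a nonce.
     *
     * @param clientSecret secret shared with Duo, used as the HMAC key
     * @param username     value the {@code preferred_username} claim must equal
     * @param audience     value the {@code aud} claim must contain
     * @param apiHost      Duo API host name, used to derive the expected issuer
     */
    public DuoIdTokenValidator(String clientSecret, String username, String audience,
                               String apiHost) {
        this(clientSecret, username, audience, apiHost, null);
    }

    /**
     * Creates a validator for one expected user, audience, issuer and (optionally) nonce.
     *
     * @param clientSecret secret shared with Duo, used as the HMAC key
     * @param username     value the {@code preferred_username} claim must equal
     * @param audience     value the {@code aud} claim must contain
     * @param apiHost      Duo API host name, used to derive the expected issuer
     * @param nonce        value the {@code nonce} claim must equal, or {@code null} to skip
     *                     the nonce check
     */
    public DuoIdTokenValidator(String clientSecret, String username, String audience,
                               String apiHost, String nonce) {
        this.leeway = DUO_LEEWAY;
        this.clientSecret = clientSecret;
        this.username = username;
        this.audience = audience;
        // The host is concatenated as given; the token's issuer must match this string exactly.
        this.issuer = HTTPS + apiHost + ISSUER_PATH;
        this.nonce = nonce;
    }

    /**
     * Verifies the signature and the expected claims of an ID token, then returns it decoded.
     *
     * @param str the compact serialized ID token
     * @return the decoded token, only after every check has passed
     * @throws DuoException if the token is {@code null}, fails verification, or the verifier
     *                      cannot be built from the configured secret
     */
    @Override // com.duosecurity.TokenValidator
    public DecodedJWT validateAndDecode(String str) throws DuoException {
        if (str == null) {
            throw new DuoException("ID Token verification failed: Null token");
        }
        try {
            return buildVerifier().verify(str);
        } catch (JWTVerificationException | IllegalArgumentException e) {
            // Algorithm.HMAC512 rejects a null secret with IllegalArgumentException. Report
            // that through the declared exception too, so a caller that denies access on
            // DuoException handles a misconfigured validator the same way as a bad token.
            throw new DuoException("ID Token verification failed", e);
        }
    }

    /**
     * Builds the verifier that encodes every check this validator enforces.
     *
     * @return a verifier pinned to HMAC-SHA512 and the expected claim values
     */
    private JWTVerifier buildVerifier() {
        // The algorithm comes from this code, not from the token header, so a token that
        // declares a different "alg" is rejected rather than verified under that algorithm.
        Verification verification = JWT.require(Algorithm.HMAC512(this.clientSecret))
                .withIssuer(this.issuer)
                .withAudience(this.audience)
                // NOTE(review): some java-jwt versions appear to drop a claim requirement
                // whose expected value is null, which would leave the token unbound to a
                // user. Confirm callers never pass a null username.
                .withClaim(USERNAME_CLAIM, this.username)
                // NOTE(review): leeway only widens the window for time claims that are
                // present; confirm the library version in use rejects a token without "exp".
                .acceptLeeway(this.leeway);
        if (this.nonce != null) {
            // Binds the token to the authentication request that generated the nonce.
            verification = verification.withClaim(NONCE_CLAIM, this.nonce);
        }
        return verification.build();
    }
}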
