package org.springframework.security.oauth2.server.authorization.authentication;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientMetadataClaimNames;
import org.springframework.util.Assert;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/authentication/PublicClientAuthenticationProvider.class */
/**
 * {@link AuthenticationProvider} that handles client authentication requests whose method is
 * {@link ClientAuthenticationMethod#NONE}, i.e. clients that present no client credentials.
 *
 * <p>For such a request the provider looks up the {@link RegisteredClient}, checks that the client
 * is registered for the requested authentication method, and then delegates to
 * {@link CodeVerifierAuthenticator#authenticateRequired}. Every rejection raised here is an
 * {@code invalid_client} {@link OAuth2AuthenticationException}.
 */
public final class PublicClientAuthenticationProvider implements AuthenticationProvider {
    /** URI attached to every {@code invalid_client} error produced by this provider. */
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1";
    private final Log logger = LogFactory.getLog(getClass());
    private final RegisteredClientRepository registeredClientRepository;
    private final CodeVerifierAuthenticator codeVerifierAuthenticator;

    /**
     * Creates the provider.
     *
     * @param registeredClientRepository source of registered clients; must not be {@code null}
     * @param oAuth2AuthorizationService authorization service handed to the internal
     *        {@link CodeVerifierAuthenticator}; must not be {@code null}
     */
    public PublicClientAuthenticationProvider(RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationService oAuth2AuthorizationService) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        this.codeVerifierAuthenticator = new CodeVerifierAuthenticator(oAuth2AuthorizationService);
        this.registeredClientRepository = registeredClientRepository;
    }

    /**
     * Authenticates a public client.
     *
     * @param authentication the request; cast to {@link OAuth2ClientAuthenticationToken} without a
     *        type check, so callers are expected to consult {@link #supports(Class)} first
     * @return {@code null} when the requested method is not {@link ClientAuthenticationMethod#NONE}
     *         (this provider does not handle the request); otherwise a new token built from the
     *         registered client and the requested method
     * @throws AuthenticationException an {@code invalid_client} error when the client is unknown or
     *         is not registered for the requested method; anything thrown by the code-verifier
     *         check propagates unchanged
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2ClientAuthenticationToken clientAuthentication = (OAuth2ClientAuthenticationToken) authentication;
        ClientAuthenticationMethod requestedMethod = clientAuthentication.getClientAuthenticationMethod();
        if (!ClientAuthenticationMethod.NONE.equals(requestedMethod)) {
            // Not a public-client request: decline by returning null rather than failing.
            return null;
        }

        // The principal's string form is used as the client identifier for the lookup.
        String clientId = clientAuthentication.getPrincipal().toString();
        RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
        if (registeredClient == null) {
            // throwInvalidClient always throws, so registeredClient is non-null below.
            // NOTE(review): the error description names the failing parameter, so an unknown
            // client and a client not registered for this method produce different responses;
            // confirm that distinction is acceptable for the deployment.
            throwInvalidClient(OidcClientMetadataClaimNames.CLIENT_ID);
        }
        trace("Retrieved registered client");

        // The client must be explicitly registered for the method it is attempting to use.
        boolean methodRegistered = registeredClient.getClientAuthenticationMethods().contains(requestedMethod);
        if (!methodRegistered) {
            throwInvalidClient("authentication_method");
        }
        trace("Validated client authentication parameters");

        // Mandatory code-verifier check; presumably PKCE verification against the stored
        // authorization -- confirm in CodeVerifierAuthenticator. A failure is expected to
        // surface as an exception, since the return value is not inspected here.
        this.codeVerifierAuthenticator.authenticateRequired(clientAuthentication, registeredClient);
        trace("Authenticated public client");

        // Third constructor argument is null (presumably the credentials slot -- confirm).
        return new OAuth2ClientAuthenticationToken(registeredClient, requestedMethod, null);
    }

    /**
     * Reports whether this provider can process the given authentication type.
     *
     * @param cls the candidate authentication class
     * @return {@code true} when {@code cls} is {@link OAuth2ClientAuthenticationToken} or a subtype
     */
    public boolean supports(Class<?> cls) {
        Class<OAuth2ClientAuthenticationToken> supportedType = OAuth2ClientAuthenticationToken.class;
        return supportedType.isAssignableFrom(cls);
    }

    /** Emits {@code message} at trace level, only when trace logging is enabled. */
    private void trace(String message) {
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(message);
        }
    }

    /**
     * Always throws an {@code invalid_client} {@link OAuth2AuthenticationException}.
     *
     * @param str name of the parameter that failed validation; appended to the error description
     */
    private static void throwInvalidClient(String str) {
        String description = "Client authentication failed: " + str;
        OAuth2Error error = new OAuth2Error("invalid_client", description, ERROR_URI);
        throw new OAuth2AuthenticationException(error);
    }
}
