package no.nav.common.token_client.client;

import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.JWTBearerGrant;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import no.nav.common.token_client.cache.TokenCache;
import no.nav.common.token_client.utils.TokenClientUtils;
import no.nav.common.token_client.utils.TokenUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/nav/common/token_client/client/AzureAdOnBehalfOfTokenClient.class */
/**
 * Exchanges an end user's access token for an Azure AD on-behalf-of (OBO) token for a given scope.
 *
 * <p>The fields read here ({@code tokenEndpoint}, {@code clientId}, {@code privateJwkKeyId},
 * {@code assertionSigner}, {@code tokenCache}) are not declared in this class; presumably they are
 * inherited from {@link AbstractTokenClient} — confirm against the superclass.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The user's token is only parsed in this class, never signature-checked. Validating the
 *       incoming token before calling this client is the caller's job — NOTE(review): confirm
 *       every call site does so.</li>
 *   <li>The user's token enters the cache key only through {@code TokenUtils.hashToken}. Cached
 *       OBO tokens are therefore separated per user only as well as that hash separates tokens;
 *       its implementation is not visible here — verify it is a collision-resistant digest.</li>
 *   <li>On failure the scope and the token endpoint's JSON error body are logged; the user's token
 *       is not passed to the logger or put in the exception message.</li>
 * </ul>
 */
public class AzureAdOnBehalfOfTokenClient extends AbstractTokenClient implements OnBehalfOfTokenClient {
    private static final Logger log = LoggerFactory.getLogger(AzureAdOnBehalfOfTokenClient.class);

    /**
     * Passes every argument unchanged to the {@link AbstractTokenClient} constructor.
     *
     * <p>The meaning of the three strings is defined by the superclass and cannot be read off this
     * (decompiled) file — NOTE(review): look them up there before wiring in secrets or endpoints.
     *
     * @param str first superclass constructor argument
     * @param str2 second superclass constructor argument
     * @param str3 third superclass constructor argument
     * @param tokenCache cache for exchanged tokens; {@link #exchangeOnBehalfOfToken} tolerates a
     *     {@code null} cache field and then exchanges on every call
     */
    public AzureAdOnBehalfOfTokenClient(String str, String str2, String str3, TokenCache tokenCache) {
        super(str, str2, str3, tokenCache);
    }

    /**
     * Returns an OBO access token for the given scope, going through the cache when one is set.
     *
     * @param str the scope to request; also used as the {@code audience} request parameter
     * @param str2 the end user's access token (a serialized signed JWT) to exchange
     * @return the access token value from the token endpoint or from the cache
     * @throws RuntimeException if the token endpoint answers with an error response
     */
    @Override
    public String exchangeOnBehalfOfToken(String str, String str2) {
        // The key is built before the cache is consulted, so the hash is computed even when no
        // cache is configured. The raw token never becomes part of the key.
        final String cacheKey = str + "-" + TokenUtils.hashToken(str2);

        final TokenCache cache = this.tokenCache;
        if (cache == null) {
            return exchangeToken(str, str2);
        }

        String token = cache.getFromCacheOrTryProvider(cacheKey, () -> exchangeToken(str, str2));
        // A null from the cache is treated like a missing cache: exchange directly.
        return token != null ? token : exchangeToken(str, str2);
    }

    /**
     * Performs the token request against {@code tokenEndpoint} and extracts the access token.
     *
     * <p>The client authenticates with a signed client assertion; the user's token is sent both as
     * the JWT bearer grant assertion and as the {@code subject_token} custom parameter.
     *
     * <p>NOTE(review): the parse and send calls below declare checked exceptions that this method
     * neither catches nor declares. The original source presumably rethrew them without declaring
     * (e.g. a sneaky-throw annotation lost in decompilation) — confirm before recompiling.
     *
     * @param scope the scope to request
     * @param accessToken the end user's serialized signed JWT
     * @return the access token value from a successful response
     * @throws RuntimeException if the response does not indicate success
     */
    private String exchangeToken(String scope, String accessToken) {
        // Arguments are kept inline so they are evaluated in the same left-to-right order.
        TokenRequest request = new TokenRequest(
                this.tokenEndpoint,
                TokenClientUtils.signedClientAssertion(
                        TokenClientUtils.clientAssertionHeader(this.privateJwkKeyId),
                        TokenClientUtils.clientAssertionClaims(this.clientId, this.tokenEndpoint.toString()),
                        this.assertionSigner),
                // Parsing only: no signature or claims validation happens on the user's token here.
                new JWTBearerGrant(SignedJWT.parse(accessToken)),
                new Scope(scope),
                (List) null,
                additionalOboClaims(scope, accessToken));

        TokenResponse response = TokenResponse.parse(request.toHTTPRequest().send());

        if (!response.indicatesSuccess()) {
            // Only the scope and the endpoint's error body are logged, not the user's token.
            log.error("Failed to fetch AzureAD OBO token for scope={}. Error: {}", scope, response.toErrorResponse().toJSONObject().toString());
            throw new RuntimeException("Failed to fetch AzureAD OBO token for scope=" + scope);
        }
        return response.toSuccessResponse().getTokens().getAccessToken().getValue();
    }

    /**
     * Builds the custom request parameters that accompany the JWT bearer grant.
     *
     * @param scope value placed under {@code audience}
     * @param accessToken the user's token, placed under {@code subject_token}
     * @return a new mutable map with the four parameters, each as a single-element list
     */
    private static Map<String, List<String>> additionalOboClaims(String scope, String accessToken) {
        Map<String, List<String>> params = new HashMap<>();
        params.put("audience", List.of(scope));
        // This map holds the raw user token; keep it out of logs and error messages.
        params.put("subject_token", List.of(accessToken));
        params.put("requested_token_use", List.of("on_behalf_of"));
        params.put("subject_token_type", List.of("urn:ietf:params:oauth:token-type:jwt"));
        return params;
    }
}
