package net.shibboleth.idp.plugin.oidc.op.token.support;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCClaimsRequest;
import com.nimbusds.openid.connect.sdk.claims.ACR;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import java.net.URI;
import java.text.ParseException;
import java.time.Instant;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.NotThreadSafe;
import net.minidev.json.JSONObject;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.annotation.constraint.NotLive;
import net.shibboleth.utilities.java.support.annotation.constraint.Unmodifiable;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.security.DataSealer;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

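/**
 * Wrapper around a Nimbus {@link JWTClaimsSet} that carries the claims of a token issued by the OP,
 * together with typed accessors, a structural validator and a builder base class.
 *
 * <p>The class only holds and (de)serializes claims. {@link #serialize()} returns plain JSON; the
 * only protection applied in this class is the {@link DataSealer} wrapping done by
 * {@link #serialize(DataSealer)}.</p>
 *
 * <p>{@link #verifyParsedClaims(String, JWTClaimsSet)} checks presence and JSON types only. It does
 * not evaluate {@code exp}/{@code nbf}, the issuer value, the audience or the client; callers have
 * to do that themselves (see {@link #isTimeValid()}).</p>
 */
@NotThreadSafe
/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/token/support/TokenClaimsSet.class */
public class TokenClaimsSet {

    /** Claim name of the token identifier (JWT ID). */
    @NotEmpty
    @Nonnull
    public static final String KEY_AC_ID = "jti";

    /** Claim name of the token type marker checked by {@link #verifyParsedClaims}. */
    @NotEmpty
    @Nonnull
    public static final String KEY_TYPE = "type";

    /** Claim name of the issuer. */
    @NotEmpty
    @Nonnull
    public static final String KEY_ISSUER = "iss";

    /** Claim name of the user principal. */
    @NotEmpty
    @Nonnull
    public static final String KEY_USER_PRINCIPAL = "prncpl";

    /** Claim name of the subject. */
    @NotEmpty
    @Nonnull
    public static final String KEY_SUBJECT = "sub";

    /** Claim name of the client identifier. */
    @NotEmpty
    @Nonnull
    public static final String KEY_CLIENTID = "client_id";

    /** Older claim name of the client identifier; still accepted when reading. */
    @NotEmpty
    @Nonnull
    public static final String KEY_LEGACY_CLIENTID = "clid";

    /** Claim name of the expiration time. */
    @NotEmpty
    @Nonnull
    public static final String KEY_EXPIRATION_TIME = "exp";

    /** Claim name of the not-before time. */
    @NotEmpty
    @Nonnull
    public static final String KEY_NOTBEFORE_TIME = "nbf";

    /** Claim name of the issue time. */
    @NotEmpty
    @Nonnull
    public static final String KEY_ISSUED_AT = "iat";

    /** Claim name of the authentication context class reference. */
    @NotEmpty
    @Nonnull
    public static final String KEY_ACR = "acr";

    /** Claim name of the nonce. */
    @NotEmpty
    @Nonnull
    public static final String KEY_NONCE = "nonce";

    /** Claim name of the authentication time. */
    @NotEmpty
    @Nonnull
    public static final String KEY_AUTH_TIME = "auth_time";

    /** Claim name of the redirect URI. */
    @NotEmpty
    @Nonnull
    public static final String KEY_REDIRECT_URI = "redirect_uri";

    /** Claim name of the scope. */
    @NotEmpty
    @Nonnull
    public static final String KEY_SCOPE = "scope";

    /** Claim name of the audience. */
    @NotEmpty
    @Nonnull
    public static final String KEY_AUDIENCE = "aud";

    /** Claim name of the claims request. */
    @NotEmpty
    @Nonnull
    public static final String KEY_CLAIMS = "claims";

    /** Claim name of the delivery claims. */
    @NotEmpty
    @Nonnull
    public static final String KEY_DELIVERY_CLAIMS = "dl_claims";

    /** Claim name of the delivery claims for the id token. */
    @NotEmpty
    @Nonnull
    public static final String KEY_DELIVERY_CLAIMS_IDTOKEN = "dl_claims_id";

    /** Claim name of the delivery claims for the userinfo response. */
    @NotEmpty
    @Nonnull
    public static final String KEY_DELIVERY_CLAIMS_USERINFO = "dl_claims_ui";

    /** Claim name of the list of consented claims. */
    @NotEmpty
    @Nonnull
    public static final String KEY_CONSENTED_CLAIMS = "cnsntd_claims";

    /** Claim name of the consent-enabled flag. */
    @NotEmpty
    @Nonnull
    public static final String KEY_CONSENT_ENABLED = "cnsnt";

    /** Claim name of the code challenge. */
    @NotEmpty
    @Nonnull
    public static final String KEY_CODE_CHALLENGE = "cc";

    /** Claim name {@code for_op}; not referenced anywhere else in this class. */
    @NotEmpty
    @Nonnull
    public static final String KEY_SEALED_FOR_OP = "for_op";

    /** Claim name of the root token identifier. */
    @NotEmpty
    @Nonnull
    public static final String KEY_ROOT_JTI = "root_jti";

    /** The wrapped claims; {@code null} until {@link #setClaimsSet(JWTClaimsSet)} has been called. */
    @Nullable
    private JWTClaimsSet tokenClaimsSet;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(TokenClaimsSet.class);

    /**
     * Base builder that collects the individual claim values and assembles them into a
     * {@link JWTClaimsSet} via {@link #buildJWTClaimsSet(String)}.
     *
     * @param <T> concrete token claims set type produced by {@link #build()}
     */
    /* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/token/support/TokenClaimsSet$Builder.class */
    public static abstract class Builder<T extends TokenClaimsSet> {

        /** Token identifier; required. */
        @NotEmpty
        @Nonnull
        protected String jwtid;

        /** Client (relying party) identifier; required by {@link #buildJWTClaimsSet(String)}. */
        @Nullable
        protected ClientID rpId;

        /** Issuer; required by {@link #buildJWTClaimsSet(String)}. */
        @NotEmpty
        @Nullable
        protected String iss;

        /** User principal; optional. */
        @NotEmpty
        @Nullable
        protected String principal;

        /** Subject; required by {@link #buildJWTClaimsSet(String)}. */
        @NotEmpty
        @Nullable
        protected String sub;

        /** Authentication context class reference; optional. */
        @Nullable
        protected ACR acr;

        /** Issue time; required by {@link #buildJWTClaimsSet(String)}. */
        @Nullable
        protected Instant iat;

        /** Expiration time; required by {@link #buildJWTClaimsSet(String)}. */
        @Nullable
        protected Instant exp;

        /** Not-before time; optional. */
        @Nullable
        protected Instant nbt;

        /** Authentication time; required by {@link #buildJWTClaimsSet(String)}. */
        @Nullable
        protected Instant authTime;

        /** Redirect URI; optional. */
        @Nullable
        protected URI redirect;

        /** Scope; required by {@link #buildJWTClaimsSet(String)}. */
        @Nullable
        protected Scope reqScope;

        /** Nonce; optional. */
        @Nullable
        protected Nonce nonce;

        /** Claims request; optional. */
        @Nullable
        protected OIDCClaimsRequest reqClaims;

        /** Delivery claims; optional. */
        @Nullable
        protected ClaimsSet dlClaims;

        /** Delivery claims for the id token; optional. */
        @Nullable
        protected ClaimsSet dlClaimsID;

        /** Delivery claims for the userinfo response; optional. */
        @Nullable
        protected ClaimsSet dlClaimsUI;

        /** Consented claims; optional. */
        @Nullable
        protected List<Object> consentedClaims;

        /** Consent-enabled flag; optional. */
        protected Boolean consentEnabled;

        /** Code challenge; optional. */
        @Nullable
        protected String codeChallenge;

        /** Root token identifier; optional. */
        @Nullable
        protected String rootTokenId;

        /** Audience; defaults to an empty list. */
        @NonnullElements
        @Nonnull
        protected List<String> audience = Collections.emptyList();

        /** Additional claims, added after the standard ones when the claims set is built. */
        @Nonnull
        protected Map<String, Object> customClaims = new HashMap<>();

        /**
         * Assembles the collected values into a {@link JWTClaimsSet}.
         *
         * <p>Custom claims are applied last. An entry whose name equals one of the {@code KEY_*}
         * constants therefore replaces the value set from the dedicated field, including
         * {@code iss}, {@code sub}, {@code exp}, {@code client_id} and {@code scope}.</p>
         *
         * @param str value stored under {@link TokenClaimsSet#KEY_TYPE}
         * @return the assembled claims set
         * @throws RuntimeException if {@code str} or any of the token id, client id, issuer, issue
         *         time, expiration time, authentication time, scope or subject is unset
         */
        /* JADX INFO: Access modifiers changed from: protected */
        @Nonnull
        public JWTClaimsSet buildJWTClaimsSet(@NotEmpty @Nonnull String str) {
            if (str == null || this.jwtid == null || this.rpId == null || this.iss == null
                    || this.iat == null || this.exp == null || this.authTime == null
                    || this.reqScope == null || this.sub == null) {
                throw new RuntimeException("Invalid parameters, programming error");
            }
            final JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder()
                    .claim(TokenClaimsSet.KEY_TYPE, str)
                    .jwtID(this.jwtid)
                    .claim(TokenClaimsSet.KEY_CLIENTID, this.rpId.getValue())
                    .issuer(this.iss)
                    .subject(this.sub)
                    .claim(TokenClaimsSet.KEY_USER_PRINCIPAL, this.principal)
                    .claim(TokenClaimsSet.KEY_ACR, this.acr == null ? null : this.acr.getValue())
                    .issueTime(Date.from(this.iat))
                    .expirationTime(Date.from(this.exp))
                    .notBeforeTime(this.nbt != null ? Date.from(this.nbt) : null)
                    .audience(this.audience)
                    .claim(TokenClaimsSet.KEY_NONCE, this.nonce == null ? null : this.nonce.getValue())
                    .claim(TokenClaimsSet.KEY_AUTH_TIME, Date.from(this.authTime))
                    .claim(TokenClaimsSet.KEY_REDIRECT_URI,
                            this.redirect == null ? null : this.redirect.toString())
                    .claim(TokenClaimsSet.KEY_SCOPE, this.reqScope.toString())
                    .claim(TokenClaimsSet.KEY_CLAIMS,
                            this.reqClaims == null ? null : this.reqClaims.toJSONObject())
                    .claim(TokenClaimsSet.KEY_DELIVERY_CLAIMS,
                            this.dlClaims == null ? null : this.dlClaims.toJSONObject())
                    .claim(TokenClaimsSet.KEY_DELIVERY_CLAIMS_IDTOKEN,
                            this.dlClaimsID == null ? null : this.dlClaimsID.toJSONObject())
                    .claim(TokenClaimsSet.KEY_DELIVERY_CLAIMS_USERINFO,
                            this.dlClaimsUI == null ? null : this.dlClaimsUI.toJSONObject())
                    .claim(TokenClaimsSet.KEY_CONSENTED_CLAIMS, this.consentedClaims)
                    .claim(TokenClaimsSet.KEY_CODE_CHALLENGE, this.codeChallenge)
                    .claim(TokenClaimsSet.KEY_CONSENT_ENABLED, this.consentEnabled)
                    .claim(TokenClaimsSet.KEY_ROOT_JTI, this.rootTokenId);
            // NOTE(review): applied after the standard claims, so a custom entry named like a
            // standard claim wins. Callers should only pass claim names they control.
            for (final Map.Entry<String, Object> entry : this.customClaims.entrySet()) {
                if (entry.getKey() != null) {
                    claims.claim(entry.getKey(), entry.getValue());
                }
            }
            return claims.build();
        }

        /**
         * Sets the token id to a freshly generated identifier.
         *
         * @param identifierGenerationStrategy generator to draw the identifier from, not null
         * @return this builder
         */
        public Builder<T> setJWTID(@Nonnull IdentifierGenerationStrategy identifierGenerationStrategy) {
            this.jwtid = Constraint
                    .isNotNull(identifierGenerationStrategy, "IdentifierGenerationStrategy cannot be null")
                    .generateIdentifier();
            return this;
        }

        /**
         * Sets the token id.
         *
         * @param str token id, not null or empty
         * @return this builder
         */
        public Builder<T> setJWTID(@NotEmpty @Nonnull String str) {
            this.jwtid = Constraint.isNotEmpty(str, "JWT ID cannot be null or empty");
            return this;
        }

        /**
         * Sets the client id. Not checked here; a null value is rejected by
         * {@link #buildJWTClaimsSet(String)}.
         *
         * @param clientID client id
         * @return this builder
         */
        public Builder<T> setClientID(@Nonnull ClientID clientID) {
            this.rpId = clientID;
            return this;
        }

        /**
         * Sets the issuer.
         *
         * @param str issuer, not null or empty
         * @return this builder
         */
        public Builder<T> setIssuer(@Nonnull String str) {
            this.iss = Constraint.isNotEmpty(str, "Issuer cannot be null or empty");
            return this;
        }

        /**
         * Sets the user principal.
         *
         * @param str principal name, not null or empty
         * @return this builder
         */
        public Builder<T> setPrincipal(@Nonnull String str) {
            this.principal = Constraint.isNotEmpty(str, "Principal name cannot be null or empty");
            return this;
        }

        /**
         * Sets the subject.
         *
         * @param str subject, not null or empty
         * @return this builder
         */
        public Builder<T> setSubject(@Nonnull String str) {
            this.sub = Constraint.isNotEmpty(str, "Subject name cannot be null or empty");
            return this;
        }

        /**
         * Sets the issue time.
         *
         * @param instant issue time, not null
         * @return this builder
         */
        public Builder<T> setIssuedAt(@Nonnull Instant instant) {
            this.iat = Constraint.isNotNull(instant, "Issue time cannot be null");
            return this;
        }

        /**
         * Sets the expiration time.
         *
         * @param instant expiration time, not null
         * @return this builder
         */
        public Builder<T> setExpiresAt(@Nonnull Instant instant) {
            this.exp = Constraint.isNotNull(instant, "Expiration time cannot be null");
            return this;
        }

        /**
         * Sets the not-before time. The value is stored without a null check; a null value results
         * in no {@code nbf} being passed to the claims set builder.
         *
         * @param instant not-before time
         * @return this builder
         */
        public Builder<T> setNotBefore(@Nonnull Instant instant) {
            this.nbt = instant;
            return this;
        }

        /**
         * Sets the redirect URI.
         *
         * @param uri redirect URI, not null
         * @return this builder
         */
        public Builder<T> setRedirectURI(@Nonnull URI uri) {
            this.redirect = Constraint.isNotNull(uri, "Redirect URI cannot be null");
            return this;
        }

        /**
         * Sets the scope.
         *
         * @param scope scope, not null
         * @return this builder
         */
        public Builder<T> setScope(@Nonnull Scope scope) {
            this.reqScope = Constraint.isNotNull(scope, "Scope cannot be null");
            return this;
        }

        /**
         * Sets the audience as an immutable copy of the given collection.
         *
         * @param collection audience values; {@code null} resets the audience to an empty list
         * @return this builder
         */
        public Builder<T> setAudience(@NonnullElements @Nullable Collection<String> collection) {
            this.audience = collection != null ? List.copyOf(collection) : Collections.emptyList();
            return this;
        }

        /**
         * Sets the authentication time.
         *
         * @param instant authentication time, not null
         * @return this builder
         */
        public Builder<T> setAuthenticationTime(@Nonnull Instant instant) {
            this.authTime = Constraint.isNotNull(instant, "Authentication time cannot be null");
            return this;
        }

        /**
         * Sets the authentication context class reference.
         *
         * @param acr ACR value, may be null
         * @return this builder
         */
        public Builder<T> setACR(@Nullable ACR acr) {
            this.acr = acr;
            return this;
        }

        /**
         * Sets the nonce.
         *
         * @param nonce nonce, may be null
         * @return this builder
         */
        public Builder<T> setNonce(@Nullable Nonce nonce) {
            this.nonce = nonce;
            return this;
        }

        /**
         * Sets the claims request.
         *
         * @param oIDCClaimsRequest claims request, may be null
         * @return this builder
         * @deprecated use {@link #setClaimsRequest(OIDCClaimsRequest)}, which stores the same field
         */
        @Deprecated(since = "3.1.0", forRemoval = true)
        public Builder<T> setClaims(@Nullable OIDCClaimsRequest oIDCClaimsRequest) {
            this.reqClaims = oIDCClaimsRequest;
            return this;
        }

        /**
         * Sets the claims request.
         *
         * @param oIDCClaimsRequest claims request, may be null
         * @return this builder
         */
        public Builder<T> setClaimsRequest(@Nullable OIDCClaimsRequest oIDCClaimsRequest) {
            this.reqClaims = oIDCClaimsRequest;
            return this;
        }

        /**
         * Sets the delivery claims.
         *
         * @param claimsSet delivery claims, may be null
         * @return this builder
         */
        public Builder<T> setDlClaims(@Nullable ClaimsSet claimsSet) {
            this.dlClaims = claimsSet;
            return this;
        }

        /**
         * Sets the delivery claims for the id token.
         *
         * @param claimsSet delivery claims, may be null
         * @return this builder
         */
        public Builder<T> setDlClaimsID(@Nullable ClaimsSet claimsSet) {
            this.dlClaimsID = claimsSet;
            return this;
        }

        /**
         * Sets the delivery claims for the userinfo response.
         *
         * @param claimsSet delivery claims, may be null
         * @return this builder
         */
        public Builder<T> setDlClaimsUI(@Nullable ClaimsSet claimsSet) {
            this.dlClaimsUI = claimsSet;
            return this;
        }

        /**
         * Sets the consented claims. The list is stored by reference, not copied.
         *
         * @param list consented claims, may be null
         * @return this builder
         */
        public Builder<T> setConsentedClaims(@Nullable List<Object> list) {
            this.consentedClaims = list;
            return this;
        }

        /**
         * Sets the consent-enabled flag.
         *
         * @param bool flag value, may be null
         * @return this builder
         */
        public Builder<T> setConsentEnabled(@Nullable Boolean bool) {
            this.consentEnabled = bool;
            return this;
        }

        /**
         * Sets the code challenge.
         *
         * @param str code challenge, may be null
         * @return this builder
         */
        public Builder<T> setCodeChallenge(@Nullable String str) {
            this.codeChallenge = str;
            return this;
        }

        /**
         * Adds one custom claim. The name is not checked against the standard claim names; see
         * {@link #buildJWTClaimsSet(String)} for the resulting precedence.
         *
         * @param str claim name
         * @param obj claim value, may be null
         * @return this builder
         */
        public Builder<T> addCustomClaim(@NotEmpty @Nonnull String str, @Nullable Object obj) {
            this.customClaims.put(str, obj);
            return this;
        }

        /**
         * Adds every entry of the given JSON object as a custom claim, skipping null names. The
         * names are not checked against the standard claim names; see
         * {@link #buildJWTClaimsSet(String)} for the resulting precedence.
         *
         * @param jSONObject claims to add, not null
         * @return this builder
         */
        public Builder<T> setCustomClaims(@Nonnull JSONObject jSONObject) {
            jSONObject.forEach((name, value) -> {
                if (name != null) {
                    this.customClaims.put(name, value);
                }
            });
            return this;
        }

        /**
         * Sets the root token identifier.
         *
         * @param str root token identifier, may be null
         * @return this builder
         */
        public Builder<T> setRootTokenIdentifier(@Nullable String str) {
            this.rootTokenId = str;
            return this;
        }

        /**
         * Builds the concrete token claims set.
         *
         * @return the token claims set
         */
        public abstract T build();
    }

    /** Creates an instance without claims; {@link #setClaimsSet(JWTClaimsSet)} must follow. */
    /* JADX INFO: Access modifiers changed from: protected */
    public TokenClaimsSet() {
    }

    /**
     * Creates an instance wrapping the given claims.
     *
     * @param jWTClaimsSet claims to wrap, not null
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public TokenClaimsSet(@Nonnull JWTClaimsSet jWTClaimsSet) {
        setClaimsSet(Constraint.isNotNull(jWTClaimsSet, "JWTClaimsSet cannot be null"));
    }

    /**
     * Checks that a parsed claims set has the expected type marker, carries every mandatory claim
     * and that the optional claims, when present, have the expected JSON type.
     *
     * <p>This is a structural check only: no time, issuer-value, audience or client comparison is
     * performed here.</p>
     *
     * @param str expected value of the {@link #KEY_TYPE} claim, not null
     * @param jWTClaimsSet claims to check
     * @throws ParseException if the claims set is null, the type does not match, a mandatory claim
     *         is missing or a claim has the wrong type
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static void verifyParsedClaims(@NotEmpty @Nonnull String str, @Nonnull JWTClaimsSet jWTClaimsSet)
            throws ParseException {
        if (jWTClaimsSet == null) {
            throw new ParseException("JWT claims set is unset", 0);
        }
        if (!str.equals(jWTClaimsSet.getClaims().get(KEY_TYPE))) {
            throw new ParseException("claim type value not matching", 0);
        }

        // Mandatory claims, checked in a fixed order so the first failure reported is stable.
        requireStringClaim(jWTClaimsSet, KEY_ISSUER);
        requireStringClaim(jWTClaimsSet, KEY_SUBJECT);
        if (jWTClaimsSet.getStringClaim(KEY_CLIENTID) == null
                && jWTClaimsSet.getStringClaim(KEY_LEGACY_CLIENTID) == null) {
            throw new ParseException("claim client_id (or clid) must exist and not be null", 0);
        }
        requireDateClaim(jWTClaimsSet, KEY_EXPIRATION_TIME);
        requireDateClaim(jWTClaimsSet, KEY_ISSUED_AT);
        requireStringClaim(jWTClaimsSet, KEY_AC_ID);
        requireDateClaim(jWTClaimsSet, KEY_AUTH_TIME);
        requireStringClaim(jWTClaimsSet, KEY_SCOPE);

        // Optional claims: the typed getters are called only for their ParseException on a
        // wrong type; the returned values are not needed.
        final Map<String, Object> present = jWTClaimsSet.getClaims();
        if (present.containsKey(KEY_ACR)) {
            jWTClaimsSet.getStringClaim(KEY_ACR);
        }
        if (present.containsKey(KEY_CONSENTED_CLAIMS)
                && !(jWTClaimsSet.getClaim(KEY_CONSENTED_CLAIMS) instanceof List)) {
            throw new ParseException("consented claims is of wrong type", 0);
        }
        if (present.containsKey(KEY_CONSENT_ENABLED)) {
            jWTClaimsSet.getBooleanClaim(KEY_CONSENT_ENABLED);
        }
        if (present.containsKey(KEY_CLAIMS)) {
            jWTClaimsSet.getJSONObjectClaim(KEY_CLAIMS);
        }
        if (present.containsKey(KEY_DELIVERY_CLAIMS)) {
            jWTClaimsSet.getJSONObjectClaim(KEY_DELIVERY_CLAIMS);
        }
        if (present.containsKey(KEY_DELIVERY_CLAIMS_IDTOKEN)) {
            jWTClaimsSet.getJSONObjectClaim(KEY_DELIVERY_CLAIMS_IDTOKEN);
        }
        if (present.containsKey(KEY_DELIVERY_CLAIMS_USERINFO)) {
            jWTClaimsSet.getJSONObjectClaim(KEY_DELIVERY_CLAIMS_USERINFO);
        }
        if (present.containsKey(KEY_NONCE)) {
            jWTClaimsSet.getStringClaim(KEY_NONCE);
        }
        if (present.containsKey(KEY_CODE_CHALLENGE)) {
            jWTClaimsSet.getStringClaim(KEY_CODE_CHALLENGE);
        }
    }

    /** Throws unless the named claim is present as a non-null string. */
    private static void requireStringClaim(@Nonnull JWTClaimsSet claims, @Nonnull String name)
            throws ParseException {
        if (claims.getStringClaim(name) == null) {
            throw new ParseException("claim " + name + " must exist and not be null", 0);
        }
    }

    /** Throws unless the named claim is present as a non-null date. */
    private static void requireDateClaim(@Nonnull JWTClaimsSet claims, @Nonnull String name)
            throws ParseException {
        if (claims.getDateClaim(name) == null) {
            throw new ParseException("claim " + name + " must exist and not be null", 0);
        }
    }

    /**
     * Serializes the claims to a JSON string. The result is neither signed nor sealed.
     *
     * @return JSON representation of the claims
     */
    @NotEmpty
    @Nonnull
    public String serialize() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return JSONObjectUtils.toJSONObject(this.tokenClaimsSet).toJSONString();
    }

    /**
     * Serializes the claims and wraps the JSON with the given sealer, using the token's
     * expiration time as the expiration of the sealed data.
     *
     * <p>The claims must carry an expiration time; a missing {@code exp} results in a
     * {@link NullPointerException}.</p>
     *
     * @param dataSealer sealer used to wrap the JSON
     * @return the wrapped claims
     * @throws DataSealerException if wrapping fails
     */
    @Nonnull
    public String serialize(@Nonnull DataSealer dataSealer) throws DataSealerException {
        // serialize() runs first and rejects an unset claims set before exp is read.
        final String json = serialize();
        final Instant sealedUntil = Instant.ofEpochMilli(this.tokenClaimsSet.getExpirationTime().getTime());
        return dataSealer.wrap(json, sealedUntil);
    }

    /**
     * Replaces the wrapped claims. No structural validation is performed here.
     *
     * @param jWTClaimsSet claims to wrap, not null
     */
    public void setClaimsSet(@Nonnull JWTClaimsSet jWTClaimsSet) {
        this.tokenClaimsSet = Constraint.isNotNull(jWTClaimsSet, "JWTClaimsSet cannot be null");
    }

    /**
     * Returns the wrapped claims.
     *
     * @return the claims, or {@code null} if none have been set
     */
    @Nullable
    public JWTClaimsSet getClaimsSet() {
        return this.tokenClaimsSet;
    }

    /**
     * Returns the issuer.
     *
     * @return value of the {@code iss} claim
     */
    @NotEmpty
    @Nonnull
    public String getIssuer() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return this.tokenClaimsSet.getIssuer();
    }

    /**
     * Returns the issue time. The {@code iat} claim must be present.
     *
     * @return issue time
     */
    @Nonnull
    public Instant getIssuedAt() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return this.tokenClaimsSet.getIssueTime().toInstant();
    }

    /**
     * Returns the expiration time. The {@code exp} claim must be present.
     *
     * @return expiration time
     */
    @Nonnull
    public Instant getExp() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return this.tokenClaimsSet.getExpirationTime().toInstant();
    }

    /**
     * Returns the not-before time.
     *
     * @return not-before time, or {@code null} if the claim is absent
     */
    @Nullable
    public Instant getNotBefore() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        final Date notBeforeTime = this.tokenClaimsSet.getNotBeforeTime();
        return notBeforeTime != null ? notBeforeTime.toInstant() : null;
    }

    /**
     * Tells whether the expiration time lies before the current time. The not-before time is
     * ignored.
     *
     * @return {@code true} if the token has expired
     * @deprecated use {@link #isTimeValid()}, which also honours the not-before time
     */
    @Deprecated(since = "3.1.0", forRemoval = true)
    public boolean isExpired() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return this.tokenClaimsSet.getExpirationTime().before(new Date());
    }

    /**
     * Tells whether the current time lies inside the token's validity window: strictly before
     * the expiration time and, when a not-before time is set, at or after it. No clock skew
     * allowance is applied.
     *
     * @return {@code true} if the token is valid at the current time
     */
    public boolean isTimeValid() {
        final Instant now = Instant.now();
        if (!getExp().isAfter(now)) {
            return false;
        }
        final Instant notBefore = getNotBefore();
        // Compare Instants by value; an identity comparison (==) never matches two distinct
        // objects holding the same time.
        return notBefore == null || !now.isBefore(notBefore);
    }

    /**
     * Returns the redirect URI.
     *
     * @return the redirect URI, or {@code null} if the claim is absent, not a string or not a
     *         syntactically valid URI
     */
    @Nullable
    public URI getRedirectURI() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        try {
            final String value = this.tokenClaimsSet.getStringClaim(KEY_REDIRECT_URI);
            // The claim is optional in the builder; URI.create(null) would throw a
            // NullPointerException that the catch below does not cover.
            return value != null ? URI.create(value) : null;
        } catch (IllegalArgumentException | ParseException e) {
            this.log.error("error parsing redirect uri from token: {}", e.getMessage());
            return null;
        }
    }

    /**
     * Returns the authentication context class reference.
     *
     * @return value of the {@code acr} claim, or {@code null} if absent
     * @throws ClassCastException if the claim is present but not a string
     */
    @Nullable
    public String getACR() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return (String) this.tokenClaimsSet.getClaim(KEY_ACR);
    }

    /**
     * Returns the token type marker.
     *
     * @return value of the {@code type} claim, or {@code null} if absent
     * @throws ClassCastException if the claim is present but not a string
     */
    @Nullable
    public String getType() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return (String) this.tokenClaimsSet.getClaim(KEY_TYPE);
    }

    /**
     * Returns the user principal.
     *
     * @return value of the {@code prncpl} claim, or {@code null} if absent
     * @throws ClassCastException if the claim is present but not a string
     */
    @Nullable
    public String getPrincipal() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return (String) this.tokenClaimsSet.getClaim(KEY_USER_PRINCIPAL);
    }

    /**
     * Returns the subject.
     *
     * @return value of the {@code sub} claim, or {@code null} if absent
     * @throws ClassCastException if the claim is present but not a string
     */
    @Nullable
    public String getSubject() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return (String) this.tokenClaimsSet.getClaim(KEY_SUBJECT);
    }

    /**
     * Returns the authentication time.
     *
     * @return authentication time, or {@code null} if the claim is absent or cannot be parsed
     */
    @Nullable
    public Instant getAuthenticationTime() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        try {
            final Date authTime = this.tokenClaimsSet.getDateClaim(KEY_AUTH_TIME);
            // Claims installed through setClaimsSet() are not validated, so the claim may be absent.
            return authTime != null ? authTime.toInstant() : null;
        } catch (ParseException e) {
            this.log.error("Error parsing auth time {}", this.tokenClaimsSet.getClaim(KEY_AUTH_TIME));
            return null;
        }
    }

    /**
     * Returns the nonce.
     *
     * @return the nonce, or {@code null} if the claim is absent
     * @throws ClassCastException if the claim is present but not a string
     */
    @Nullable
    public Nonce getNonce() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        final Object value = this.tokenClaimsSet.getClaim(KEY_NONCE);
        return value != null ? new Nonce((String) value) : null;
    }

    /**
     * Returns the claims request.
     *
     * @return the claims request, or {@code null} if the claim is absent or cannot be parsed
     */
    @Nullable
    public OIDCClaimsRequest getClaimsRequest() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        if (this.tokenClaimsSet.getClaim(KEY_CLAIMS) == null) {
            return null;
        }
        try {
            return OIDCClaimsRequest.parse(new JSONObject(this.tokenClaimsSet.getJSONObjectClaim(KEY_CLAIMS)));
        } catch (ParseException | com.nimbusds.oauth2.sdk.ParseException e) {
            // NOTE(review): the raw claim value is written to the log; confirm that is acceptable
            // for the deployment's log handling.
            this.log.error("Error parsing claims request {}", this.tokenClaimsSet.getClaim(KEY_CLAIMS));
            return null;
        }
    }

    /**
     * Returns the delivery claims.
     *
     * @return the delivery claims, or {@code null} if the claim is absent or cannot be parsed
     */
    @Nullable
    public ClaimsSet getDeliveryClaims() {
        return readClaimsSet(KEY_DELIVERY_CLAIMS, "Error parsing delivery claims {}");
    }

    /**
     * Returns the delivery claims for the id token.
     *
     * @return the delivery claims, or {@code null} if the claim is absent or cannot be parsed
     */
    @Nullable
    public ClaimsSet getIDTokenDeliveryClaims() {
        return readClaimsSet(KEY_DELIVERY_CLAIMS_IDTOKEN, "Error parsing id token delivery claims {}");
    }

    /**
     * Returns the delivery claims for the userinfo response.
     *
     * @return the delivery claims, or {@code null} if the claim is absent or cannot be parsed
     */
    @Nullable
    public ClaimsSet getUserinfoDeliveryClaims() {
        return readClaimsSet(KEY_DELIVERY_CLAIMS_USERINFO, "Error parsing userinfo delivery claims {}");
    }

    /**
     * Reads a JSON object claim and copies its entries into a new {@link ClaimsSet}.
     *
     * @param key name of the claim to read
     * @param errorFormat log format, with one placeholder for the raw claim value, used when the
     *        claim is not a JSON object
     * @return the claims, or {@code null} if the claim is absent or cannot be parsed
     */
    @Nullable
    private ClaimsSet readClaimsSet(@Nonnull String key, @Nonnull String errorFormat) {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        try {
            final Map<String, Object> json = this.tokenClaimsSet.getJSONObjectClaim(key);
            if (json == null) {
                return null;
            }
            final ClaimsSet claimsSet = new ClaimsSet();
            claimsSet.putAll(json);
            return claimsSet;
        } catch (ParseException e) {
            // NOTE(review): the raw claim value is written to the log; confirm that is acceptable
            // for the deployment's log handling.
            this.log.error(errorFormat, this.tokenClaimsSet.getClaim(key));
            return null;
        }
    }

    /**
     * Returns the consented claims.
     *
     * @return the consented claims, or {@code null} if the claim is absent
     * @throws ClassCastException if the claim is present but not a list
     */
    @NonnullElements
    @Nullable
    @SuppressWarnings("unchecked")
    public List<Object> getConsentedClaims() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return (List<Object>) this.tokenClaimsSet.getClaim(KEY_CONSENTED_CLAIMS);
    }

    /**
     * Tells whether consent was enabled when the token was issued. When the explicit flag is
     * absent, the presence of the consented-claims claim is used instead.
     *
     * @return the flag value; {@code false} if the flag is present but not a boolean
     */
    public boolean isConsentEnabled() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        if (this.tokenClaimsSet.getClaim(KEY_CONSENT_ENABLED) == null) {
            return this.tokenClaimsSet.getClaim(KEY_CONSENTED_CLAIMS) != null;
        }
        try {
            return this.tokenClaimsSet.getBooleanClaim(KEY_CONSENT_ENABLED).booleanValue();
        } catch (ParseException e) {
            this.log.error("Error parsing consent enabled flag {}", this.tokenClaimsSet.getClaim(KEY_CONSENT_ENABLED));
            return false;
        }
    }

    /**
     * Returns the scope.
     *
     * @return the parsed scope, or {@code null} if the claim is not a string
     */
    @Nullable
    public Scope getScope() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        try {
            return Scope.parse(this.tokenClaimsSet.getStringClaim(KEY_SCOPE));
        } catch (ParseException e) {
            this.log.error("Error parsing scope in request {}", this.tokenClaimsSet.getClaim(KEY_SCOPE));
            return null;
        }
    }

    /**
     * Returns the audience.
     *
     * @return the audience as reported by the wrapped claims set
     */
    @NonnullElements
    @Nonnull
    @NotLive
    @Unmodifiable
    public List<String> getAudience() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return this.tokenClaimsSet.getAudience();
    }

    /**
     * Returns the code challenge.
     *
     * @return value of the {@code cc} claim, or {@code null} if absent
     * @throws ClassCastException if the claim is present but not a string
     */
    @Nullable
    public String getCodeChallenge() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return (String) this.tokenClaimsSet.getClaim(KEY_CODE_CHALLENGE);
    }

    /**
     * Returns the token identifier.
     *
     * @return value of the {@code jti} claim, or {@code null} if absent
     */
    @Nullable
    public String getID() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return this.tokenClaimsSet.getJWTID();
    }

    /**
     * Returns the client identifier, read from {@code client_id} and, if that is absent, from the
     * legacy {@code clid} claim.
     *
     * @return the client id, or {@code null} if neither claim holds a string
     */
    @Nullable
    public ClientID getClientID() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        Object claim = this.tokenClaimsSet.getClaim(KEY_CLIENTID);
        if (claim == null) {
            claim = this.tokenClaimsSet.getClaim(KEY_LEGACY_CLIENTID);
        }
        return claim instanceof String ? new ClientID((String) claim) : null;
    }

    /**
     * Returns the root token identifier.
     *
     * @return value of the {@code root_jti} claim, or {@code null} if absent
     * @throws ClassCastException if the claim is present but not a string
     */
    @Nullable
    public String getRootTokenIdentifier() {
        Constraint.isNotNull(this.tokenClaimsSet, "JWTClaimsSet cannot be null");
        return (String) this.tokenClaimsSet.getClaim(KEY_ROOT_JTI);
    }
}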
