package net.shibboleth.idp.plugin.authn.oidc.rp.messaging.context.logic;

import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.profile.config.OIDCAuthenticationRelyingPartyProfileConfiguration;
import net.shibboleth.profile.context.RelyingPartyContext;
import net.shibboleth.profile.context.logic.messaging.AbstractRelyingPartyPredicate;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.ParentProfileRequestContextLookup;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/messaging/context/logic/JWTBearerTokenForClientAuthenticationPredicate.class */
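/**
 * Predicate that reports whether the relying party's OIDC profile configuration selects a
 * JWT-assertion based client authentication method for the token endpoint, i.e.
 * {@link ClientAuthenticationMethod#CLIENT_SECRET_JWT} or
 * {@link ClientAuthenticationMethod#PRIVATE_KEY_JWT}.
 *
 * <p>The predicate answers {@code false} whenever the decision cannot be made: no relying party
 * context, a profile configuration of another type, or a missing/blank configured method. A
 * {@code false} result therefore means "do not use a JWT bearer assertion", not "no client
 * authentication is needed"; callers must not read it as permission to skip authenticating
 * the client.</p>
 */
public class JWTBearerTokenForClientAuthenticationPredicate extends AbstractRelyingPartyPredicate {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(JWTBearerTokenForClientAuthenticationPredicate.class);

    /**
     * Tests whether the configured token endpoint client authentication method is JWT based.
     *
     * @param messageContext the message context used to locate the relying party context and the
     *                       parent profile request context; may be {@code null}
     * @return {@code true} only if the configured method equals {@code CLIENT_SECRET_JWT} or
     *         {@code PRIVATE_KEY_JWT}; {@code false} in every other case
     */
    public boolean test(@Nullable MessageContext messageContext) {
        final RelyingPartyContext relyingPartyContext =
                (RelyingPartyContext) getRelyingPartyContextLookupStrategy().apply(messageContext);
        if (relyingPartyContext == null) {
            return false;
        }

        // Hold the configuration as Object until the type is verified. The previous form assigned
        // it straight to the OIDC-specific type, so the instanceof guard below ran only after the
        // narrowing had already happened and could not protect against a different configuration.
        final Object profileConfig = relyingPartyContext.getProfileConfig();
        if (!(profileConfig instanceof OIDCAuthenticationRelyingPartyProfileConfiguration)) {
            return false;
        }
        final OIDCAuthenticationRelyingPartyProfileConfiguration oidcConfig =
                (OIDCAuthenticationRelyingPartyProfileConfiguration) profileConfig;

        final ProfileRequestContext profileRequestContext =
                new ParentProfileRequestContextLookup().apply(messageContext);
        final String tokenEndpointAuthMethod = oidcConfig.getTokenEndpointAuthMethod(profileRequestContext);

        // ClientAuthenticationMethod rejects a null or blank value with IllegalArgumentException;
        // treat an unset method as "not JWT based" instead of letting the predicate throw.
        // NOTE(review): confirm whether the configuration getter can actually return null/blank.
        if (tokenEndpointAuthMethod == null || tokenEndpointAuthMethod.trim().isEmpty()) {
            this.log.debug("No token endpoint client authentication method is configured");
            return false;
        }

        final ClientAuthenticationMethod configuredMethod = new ClientAuthenticationMethod(tokenEndpointAuthMethod);
        if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(configuredMethod)
                || ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(configuredMethod)) {
            return true;
        }

        this.log.trace("Configured client authentication method '{}' does not require a signed JWT bearer token", tokenEndpointAuthMethod);
        return false;
    }
}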
