package net.shibboleth.idp.plugin.authn.oidc.rp.context.navigate;

import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.ThreadSafe;
import net.shibboleth.idp.plugin.authn.oidc.rp.context.AccessTokenResponseContext;
import net.shibboleth.shared.annotation.ParameterName;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/**
 * Lookup strategy that yields the ID token of the current OIDC token response, but only when
 * that token arrived as an {@link EncryptedJWT}.
 *
 * <p>The token is handed back exactly as it was received. Nothing in this class decrypts it,
 * checks a signature or validates claims, so the result is still untrusted input: whatever
 * consumes it has to decrypt and validate it before relying on its content.</p>
 *
 * <p>A {@code null} result does not by itself mean that no ID token was issued. It is also
 * returned when the token is a {@link SignedJWT} or any other non-encrypted form.</p>
 */
@ThreadSafe
public class EncryptedIDTokenLookupStrategy extends AbstractTokenResponseLookupStrategy implements Function<ProfileRequestContext, JWT> {

    /** Class logger, assigned once per instance. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(EncryptedIDTokenLookupStrategy.class);

    /** Constructor relying on the parent's no-argument constructor for the context lookup. */
    public EncryptedIDTokenLookupStrategy() {
    }

    /**
     * Constructor.
     *
     * @param function strategy used to locate the {@link AccessTokenResponseContext}; passed to the parent class
     */
    public EncryptedIDTokenLookupStrategy(@ParameterName(name = "accessTokenContextLookupStrategy") @Nonnull Function<ProfileRequestContext, AccessTokenResponseContext> function) {
        super(function);
    }

    /**
     * Returns the ID token of the token response when it is encrypted.
     *
     * @param profileRequestContext the profile request context to navigate from, may be {@code null}
     * @return the still-encrypted ID token, or {@code null} when there is no token response context,
     *         no token response, or the ID token is not an {@link EncryptedJWT}
     */
    @Override
    @Nullable
    public JWT apply(@Nullable ProfileRequestContext profileRequestContext) {
        final AccessTokenResponseContext tokenContext = getTokenResponseContextLookupStrategy().apply(profileRequestContext);
        if (tokenContext == null) {
            return null;
        }
        final OIDCTokenResponse response = tokenContext.getTokenResponse();
        if (response == null) {
            return null;
        }

        final JWT idToken = response.getOIDCTokens().getIDToken();
        if (!(idToken instanceof EncryptedJWT)) {
            // Only the reason for the miss differs between the two remaining cases.
            if (idToken instanceof SignedJWT) {
                log.trace("EncryptedIDToken Lookup: ID Token is signed and not encrypted, nothing to return");
            } else {
                log.trace("EncryptedIDToken Lookup: ID Token is neither signed nor encrypted, nothing to return");
            }
            return null;
        }

        // The algorithm is read from the token's own, not yet verified, header and is logged
        // for diagnostics only.
        log.trace("EncryptedIDToken Lookup: ID Token is encrypted using algorithm '{}'", idToken.getHeader().getAlgorithm());
        return idToken;
    }
}
