package net.shibboleth.idp.plugin.authn.oidc.rp.impl;

import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import javax.annotation.Nonnull;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.oidc.profile.core.OIDCAuthenticationRequest;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/impl/ValidateResponseState.class */
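/**
 * Authentication action that compares the {@code state} value carried by the OIDC authentication
 * response with the {@code state} of the authentication request this flow issued.
 *
 * <p>The {@code state} parameter ties a response to the request that produced it; in OAuth 2.0 and
 * OIDC it is the standard defence against cross-site request forgery on the redirect endpoint
 * (RFC 6749, section 10.12). This action therefore fails closed: a missing request, a missing
 * response, a missing state on either side, or a mismatch each signal the {@code NoCredentials}
 * event. When the two values are equal no event is built and only a debug message is logged.
 *
 * <p>Review note: both state values are written to the log (trace level always, error level on
 * mismatch). The response value arrives from outside the IdP, so the log encoder should neutralise
 * control characters, and trace logging should stay off in production.
 */
public class ValidateResponseState extends AbstractOIDCAuthenticationResponseAction {

    /** Event id signalled on every failure path of this action. */
    private static final String FAILURE_EVENT = "NoCredentials";

    /** Class logger. */
    @Nonnull
    @NotEmpty
    private final Logger log = LoggerFactory.getLogger(ValidateResponseState.class);

    /**
     * Validates that the response state equals the request state.
     *
     * @param profileRequestContext the profile request context that receives the failure event
     * @param authenticationContext the authentication context; not read by this method
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        final OIDCAuthenticationRequest authenticationRequest = getAuthenticationRequest();
        if (authenticationRequest == null) {
            this.log.error("{} The authentication request does not exist, state can not be checked", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, FAILURE_EVENT);
            return;
        }

        final AuthenticationSuccessResponse authenticationResponse = getAuthenticationResponse();
        if (authenticationResponse == null) {
            this.log.error("{} The authentication response does not exist, state can not be checked", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, FAILURE_EVENT);
            return;
        }

        // Read each state exactly once so the presence check, the comparison and the log lines
        // all refer to the same values.
        final State requestState = authenticationRequest.getState();
        final State responseState = authenticationResponse.getState();
        this.log.trace("{} Proxy authentication request state '{}' was returned in the response as '{}'",
                getLogPrefix(), requestState, responseState);

        // A missing state is rejected outright; two absent values must never count as a match.
        if (requestState == null || responseState == null) {
            this.log.error("{} The state parameter was not present in either the request or response, state is mandatory for proxy OIDC requests", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, FAILURE_EVENT);
            return;
        }

        // Both values are non-null here, so equality is decided by State.equals alone.
        if (!requestState.equals(responseState)) {
            this.log.error("{} Request state '{}' did not match response state '{}', has it been tampered with!",
                    getLogPrefix(), requestState, responseState);
            ActionSupport.buildEvent(profileRequestContext, FAILURE_EVENT);
            return;
        }

        this.log.debug("{} OIDC request and response state match, continuing", getLogPrefix());
    }
}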
