package net.shibboleth.oidc.security.jwt.claims.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.jwt.claims.AbstractClaimsValidator;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.profile.context.ProfileRequestContext;

@ThreadSafeAfterInit
/* loaded from: input_file:net/shibboleth/oidc/security/jwt/claims/impl/ProhibitedClaimsValidator.class */
public class ProhibitedClaimsValidator extends AbstractClaimsValidator {

    @NonnullElements
    @Nonnull
    private Set<String> prohibitedClaims = Collections.emptySet();

    public void setProhibitedClaims(@Nullable Set<String> set) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        if (set != null) {
            this.prohibitedClaims = Set.copyOf(StringSupport.normalizeStringCollection(set));
        } else {
            this.prohibitedClaims = Collections.emptySet();
        }
    }

    public void doValidate(@Nonnull JWTClaimsSet jWTClaimsSet, @Nonnull ProfileRequestContext profileRequestContext) throws JWTValidationException {
        HashSet hashSet = new HashSet();
        for (String str : this.prohibitedClaims) {
            if (jWTClaimsSet.getClaims().containsKey(str)) {
                hashSet.add(str);
            }
            if (!hashSet.isEmpty()) {
                throw new JWTValidationException("JWT has prohibited claims: " + hashSet);
            }
        }
    }
}
