package net.shibboleth.oidc.security.jwt.claims.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.jwt.claims.AbstractClaimsValidator;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.utilities.java.support.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.context.ProfileRequestContext;

@ThreadSafeAfterInit
/* loaded from: input_file:net/shibboleth/oidc/security/jwt/claims/impl/ExpiryClaimsValidator.class */
public class ExpiryClaimsValidator extends AbstractClaimsValidator {

    @Nonnull
    private Duration clockSkew = Duration.ofSeconds(60);

    public void setClockSkew(@Nonnull Duration duration) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.clockSkew = (Duration) Constraint.isNotNull(duration, "Clock skew cannot be null");
    }

    public void doValidate(@Nonnull JWTClaimsSet jWTClaimsSet, @Nonnull ProfileRequestContext profileRequestContext) throws JWTValidationException {
        Instant now = Instant.now();
        Date expirationTime = jWTClaimsSet.getExpirationTime();
        if (expirationTime != null && now.isAfter(expirationTime.toInstant().plus((TemporalAmount) this.clockSkew))) {
            throw new JWTValidationException("Expired JWT");
        }
    }
}
