package com.okta.jwt.impl.jjwt;

import com.okta.jwt.IdTokenVerifier;
import com.okta.jwt.Jwt;
import com.okta.jwt.JwtVerificationException;
import com.okta.jwt.impl.jjwt.ClaimsValidator;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.IncorrectClaimException;
import io.jsonwebtoken.SigningKeyResolver;
import io.jsonwebtoken.lang.Objects;
import java.time.Duration;

/* loaded from: input_file:com/okta/jwt/impl/jjwt/JjwtIdTokenVerifier.class */
public class JjwtIdTokenVerifier extends TokenVerifierSupport implements IdTokenVerifier {
    private final String clientId;

    public JjwtIdTokenVerifier(String str, String str2, Duration duration, SigningKeyResolver signingKeyResolver) {
        super(str, duration, signingKeyResolver);
        this.clientId = str2;
    }

    @Override // com.okta.jwt.IdTokenVerifier
    public Jwt decode(String str, String str2) throws JwtVerificationException {
        return decode(str, parser(), ClaimsValidator.compositeClaimsValidator(new ClaimsValidator.ContainsAudienceClaimsValidator(this.clientId), jws -> {
            if (!Objects.nullSafeEquals((String) ((Claims) jws.getBody()).get("nonce", String.class), str2)) {
                throw new IncorrectClaimException(jws.getHeader(), (Claims) jws.getBody(), "Claim `nonce` does not match expected value. Note: a `null` nonce is only valid when both the expected and actual values are `null`.");
            }
        }));
    }
}
