package com.okta.spring.boot.oauth;

import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.resource.BearerTokenError;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.oauth2.server.resource.web.server.BearerTokenServerAuthenticationEntryPoint;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.server.DelegatingServerAuthenticationEntryPoint;
import org.springframework.security.web.server.util.matcher.MediaTypeServerWebExchangeMatcher;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.accept.ContentNegotiationStrategy;

/* loaded from: input_file:com/okta/spring/boot/oauth/Okta.class */
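/**
 * Static helpers for wiring Okta-flavoured OAuth 2.0 behaviour into Spring Security, for both
 * the servlet ({@link HttpSecurity}) and the reactive ({@link ServerHttpSecurity}) stacks.
 *
 * <p>Two concerns are covered: giving resource-server 401 responses a short plain-text body for
 * clients that accept {@code text/plain}, and enabling PKCE on the authorization-code login flow.
 */
public final class Okta {

    /** Base URI handed to the servlet authorization request resolver. */
    private static final String AUTHORIZATION_REQUEST_BASE_URI = "/oauth2/authorization";

    /** Utility class; not instantiable. */
    private Okta() {
    }

    /**
     * Installs a delegating entry point on a reactive security chain so that authentication
     * failures are answered according to the requested media type.
     *
     * <p>The entries are listed most-specific first: a {@code text/plain} matcher backed by
     * {@code BrowserFriendlyBearerTokenServerAuthenticationEntryPoint}, then a catch-all matcher
     * backed by the stock {@link BearerTokenServerAuthenticationEntryPoint}.
     *
     * @param serverHttpSecurity the reactive security builder to configure
     * @return the same builder, for chaining
     */
    public static ServerHttpSecurity configureResourceServer401ResponseBody(ServerHttpSecurity serverHttpSecurity) {
        // NOTE(review): no ignored media types are set on the text/plain matcher, so a wildcard
        // Accept header presumably selects the first entry as well; confirm that is intended.
        DelegatingServerAuthenticationEntryPoint.DelegateEntry plainTextEntry =
                new DelegatingServerAuthenticationEntryPoint.DelegateEntry(
                        new MediaTypeServerWebExchangeMatcher(MediaType.TEXT_PLAIN),
                        new BrowserFriendlyBearerTokenServerAuthenticationEntryPoint());
        DelegatingServerAuthenticationEntryPoint.DelegateEntry fallbackEntry =
                new DelegatingServerAuthenticationEntryPoint.DelegateEntry(
                        new MediaTypeServerWebExchangeMatcher(MediaType.ALL),
                        new BearerTokenServerAuthenticationEntryPoint());

        return serverHttpSecurity
                .exceptionHandling()
                .authenticationEntryPoint(new DelegatingServerAuthenticationEntryPoint(plainTextEntry, fallbackEntry))
                .and();
    }

    /**
     * Registers, on a servlet security chain, an entry point that adds a plain-text body to
     * bearer-token authentication failures for requests that match {@code text/plain}.
     *
     * @param httpSecurity the servlet security builder to configure
     * @return the same builder, for chaining
     * @throws Exception if the underlying configurer fails
     */
    public static HttpSecurity configureResourceServer401ResponseBody(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
                .exceptionHandling()
                .defaultAuthenticationEntryPointFor(authenticationEntryPoint(), textRequestMatcher(httpSecurity))
                .and();
    }

    /**
     * Enables PKCE for the reactive OAuth 2.0 login flow by installing an authorization request
     * resolver customized with {@link OAuth2AuthorizationRequestCustomizers#withPkce()}.
     *
     * <p>The resolver set here replaces whatever resolver {@code oauth2Login()} would otherwise
     * use, so other request customizations must be applied to this same resolver.
     *
     * @param serverHttpSecurity the reactive security builder to configure
     * @param reactiveClientRegistrationRepository source of the client registrations to resolve
     * @return the same builder, for chaining
     */
    public static ServerHttpSecurity configureOAuth2WithPkce(ServerHttpSecurity serverHttpSecurity, ReactiveClientRegistrationRepository reactiveClientRegistrationRepository) {
        DefaultServerOAuth2AuthorizationRequestResolver pkceResolver =
                new DefaultServerOAuth2AuthorizationRequestResolver(reactiveClientRegistrationRepository);
        pkceResolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
        serverHttpSecurity.oauth2Login().authorizationRequestResolver(pkceResolver);
        return serverHttpSecurity;
    }

    /**
     * Enables PKCE for the servlet OAuth 2.0 login flow by installing an authorization request
     * resolver customized with {@link OAuth2AuthorizationRequestCustomizers#withPkce()}.
     *
     * <p>The resolver is bound to the fixed base URI {@code /oauth2/authorization}. An application
     * that serves its authorization endpoint under a different base URI would need its own
     * resolver, since this one would not match those requests.
     *
     * @param httpSecurity the servlet security builder to configure
     * @param clientRegistrationRepository source of the client registrations to resolve
     * @return the same builder, for chaining
     * @throws Exception if the underlying configurer fails
     */
    public static HttpSecurity configureOAuth2WithPkce(HttpSecurity httpSecurity, ClientRegistrationRepository clientRegistrationRepository) throws Exception {
        DefaultOAuth2AuthorizationRequestResolver pkceResolver =
                new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, AUTHORIZATION_REQUEST_BASE_URI);
        pkceResolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
        httpSecurity.oauth2Login().authorizationEndpoint().authorizationRequestResolver(pkceResolver);
        return httpSecurity;
    }

    /**
     * Builds the matcher that selects requests asking for {@code text/plain}, using the
     * {@link ContentNegotiationStrategy} shared on the given builder.
     */
    private static RequestMatcher textRequestMatcher(HttpSecurity httpSecurity) {
        // NOTE(review): getSharedObject can return null when no strategy has been registered yet;
        // confirm callers invoke this only after the shared objects are populated.
        ContentNegotiationStrategy negotiationStrategy = httpSecurity.getSharedObject(ContentNegotiationStrategy.class);
        return new MediaTypeRequestMatcher(negotiationStrategy, MediaType.TEXT_PLAIN);
    }

    /**
     * Creates the servlet entry point used for plain-text clients: it writes a one-line body and
     * then delegates to a {@link BearerTokenAuthenticationEntryPoint}.
     */
    private static AuthenticationEntryPoint authenticationEntryPoint() {
        BearerTokenAuthenticationEntryPoint bearerTokenEntryPoint = new BearerTokenAuthenticationEntryPoint();
        return (request, response, failure) -> {
            response.setContentType(MediaType.TEXT_PLAIN.toString());
            // The body is only "<code> <reason phrase>"; nothing from the exception message or
            // the rejected token is echoed back to the caller.
            response.getWriter().print(statusAsString(getStatus(failure)));
            // The delegate runs after the body is written, so it must still be able to modify
            // the response at that point (i.e. the response must not be committed yet).
            bearerTokenEntryPoint.commence(request, response, failure);
        };
    }

    /**
     * Maps an authentication failure to the HTTP status that should be reported.
     *
     * <p>Decompiler note: this method was package-private in the original class.
     *
     * @param authenticationException the failure being handled
     * @return the status carried by a {@link BearerTokenError} when the failure is an
     *     {@link OAuth2AuthenticationException} holding one, otherwise
     *     {@link HttpStatus#UNAUTHORIZED}
     */
    public static HttpStatus getStatus(AuthenticationException authenticationException) {
        if (authenticationException instanceof OAuth2AuthenticationException) {
            OAuth2AuthenticationException oauth2Failure = (OAuth2AuthenticationException) authenticationException;
            // getError() is declared with the general OAuth 2.0 error type, so the value is
            // narrowed with instanceof before the cast; any other error kind falls through to 401.
            if (oauth2Failure.getError() instanceof BearerTokenError) {
                return ((BearerTokenError) oauth2Failure.getError()).getHttpStatus();
            }
        }
        return HttpStatus.UNAUTHORIZED;
    }

    /**
     * Formats a status as its numeric code, a single space, and its reason phrase.
     *
     * <p>Decompiler note: this method was package-private in the original class.
     *
     * @param httpStatus the status to format
     * @return the formatted status line fragment
     */
    public static String statusAsString(HttpStatus httpStatus) {
        return httpStatus.value() + " " + httpStatus.getReasonPhrase();
    }
}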
