package org.apache.cxf.rs.security.oauth2.grants.code;

import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;

/* loaded from: input_file:cxf/cxf-bundle-2.7.6.jar:org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.class */
/**
 * Grant handler that exchanges an authorization code for an access token.
 *
 * <p>Within this class a code is tied to its requester only by the client id and the
 * redirect URI; no PKCE {@code code_verifier} check is performed in this method.
 */
public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
    /** Registers this handler for the authorization code grant type. */
    public AuthorizationCodeGrantHandler() {
        super(OAuthConstants.AUTHORIZATION_CODE_GRANT);
    }

    /**
     * Redeems the authorization code carried in the token request.
     *
     * @param client the client making the token request
     * @param multivaluedMap the token request parameters; {@code code} is read, and
     *        {@code redirect_uri} is read when present
     * @return the access token produced by {@code doCreateAccessToken}, or {@code null}
     *         when the data provider has no grant for the presented code
     * @throws OAuthServiceException with {@code INVALID_GRANT} when the grant has expired
     *         or was issued to a different client id, and with {@code INVALID_REQUEST}
     *         when the redirect URI checks fail
     */
    @Override
    public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> multivaluedMap) throws OAuthServiceException {
        checkIfGrantSupported(client);

        // The grant is fetched through removeCodeGrant *before* any validation below, so a
        // request that later fails a check has still consumed the code.
        // NOTE(review): going by the method name, single use of a code depends on the
        // provider removing it atomically - confirm in the AuthorizationCodeDataProvider
        // implementation in use.
        AuthorizationCodeDataProvider codeProvider = (AuthorizationCodeDataProvider) getDataProvider();
        // May be null when the request has no "code" parameter; it is passed on unchecked.
        String presentedCode = multivaluedMap.getFirst("code");
        ServerAuthorizationCodeGrant grant = codeProvider.removeCodeGrant(presentedCode);
        if (grant == null) {
            // Unknown code: no exception here, the caller receives null.
            return null;
        }

        Long issuedAt = Long.valueOf(grant.getIssuedAt());
        Long lifetime = Long.valueOf(grant.getLifetime());
        if (OAuthUtils.isExpired(issuedAt, lifetime)) {
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }

        // The code is only valid for the client it was issued to.
        String issuedToClientId = grant.getClient().getClientId();
        String requestingClientId = client.getClientId();
        if (!issuedToClientId.equals(requestingClientId)) {
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }

        String boundRedirectUri = grant.getRedirectUri();
        String suppliedRedirectUri = multivaluedMap.getFirst(OAuthConstants.REDIRECT_URI);
        boolean redirectUriAccepted;
        if (suppliedRedirectUri != null) {
            // Exact string comparison; a grant stored without a redirect URI never matches.
            redirectUriAccepted = suppliedRedirectUri.equals(boundRedirectUri);
        } else if (boundRedirectUri == null) {
            // Neither side names a redirect URI: allowed only when public clients are supported.
            redirectUriAccepted = isCanSupportPublicClients();
        } else {
            // The request omitted redirect_uri although the grant has one: accepted only if
            // that URI is the client's single registered redirect URI.
            redirectUriAccepted = client.getRedirectUris().size() == 1
                && client.getRedirectUris().contains(boundRedirectUri);
        }
        if (!redirectUriAccepted) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }

        return doCreateAccessToken(client, grant.getSubject(), grant.getApprovedScopes());
    }
}
