package org.springframework.security.oauth2.server.authorization.authentication;

import java.util.Set;
import java.util.function.Consumer;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-authorization-server-1.4.1.jar:org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationValidator.class */
/**
 * Validates a client-credentials grant request before a token is issued.
 *
 * <p>The only check performed here is the scope check in {@code validateScope}: every scope
 * named in the request must be among the scopes of the {@link RegisteredClient} taken from
 * the same context. A request that fails the check is rejected with an
 * {@link OAuth2AuthenticationException} carrying {@link OAuth2ErrorCodes#INVALID_SCOPE}.
 *
 * <p>The delegate this class forwards to is a {@code final} field initialised to
 * {@link #DEFAULT_SCOPE_VALIDATOR}; nothing in this class replaces it.
 */
public final class OAuth2ClientCredentialsAuthenticationValidator implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {
    private static final Log LOGGER = LogFactory.getLog(OAuth2ClientCredentialsAuthenticationValidator.class);

    /**
     * The scope check used by {@link #accept}: requested scopes must be a subset of the
     * registered client's scopes, otherwise {@code invalid_scope} is raised.
     */
    public static final Consumer<OAuth2ClientCredentialsAuthenticationContext> DEFAULT_SCOPE_VALIDATOR = OAuth2ClientCredentialsAuthenticationValidator::validateScope;

    // Fixed delegate; see the class comment.
    private final Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator = DEFAULT_SCOPE_VALIDATOR;

    /**
     * Runs the configured validator against the given context.
     *
     * @param oAuth2ClientCredentialsAuthenticationContext the request under validation,
     *        holding the authentication token and the registered client
     * @throws OAuth2AuthenticationException if the delegate rejects the request
     */
    @Override
    public void accept(OAuth2ClientCredentialsAuthenticationContext oAuth2ClientCredentialsAuthenticationContext) {
        authenticationValidator.accept(oAuth2ClientCredentialsAuthenticationContext);
    }

    /**
     * Rejects the request when it names a scope the registered client does not have.
     *
     * @param authenticationContext supplies the client-credentials token (requested scopes)
     *        and the registered client (allowed scopes)
     * @throws OAuth2AuthenticationException with {@code invalid_scope} when at least one
     *         requested scope is missing from the registered client's scopes
     */
    private static void validateScope(OAuth2ClientCredentialsAuthenticationContext authenticationContext) {
        OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
                (OAuth2ClientCredentialsAuthenticationToken) authenticationContext.getAuthentication();
        RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
        Set<String> requestedScopes = clientCredentialsAuthentication.getScopes();
        Set<String> allowedScopes = registeredClient.getScopes();

        // An empty request passes without any comparison. Which scopes the issued token then
        // carries is decided outside this class.
        // NOTE(review): confirm the caller does not fall back to the client's full scope set.
        boolean scopeRejected = !requestedScopes.isEmpty() && !allowedScopes.containsAll(requestedScopes);
        if (!scopeRejected) {
            return;
        }

        // The debug line records the registered client's id only; the requested scope
        // strings, which come from the request, are not written to the log.
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug(LogMessage.format("Invalid request: requested scope is not allowed for registered client '%s'", registeredClient.getId()));
        }
        throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_SCOPE);
    }
}
