package com.okta.authfoundation.client;

import com.okta.authfoundation.client.AccessTokenValidator;
import com.okta.authfoundation.jwt.Jwt;
import kotlin.Metadata;
import kotlin.Unit;
import kotlin.coroutines.Continuation;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.Charsets;
import kotlin.text.StringsKt__StringsKt;
import okio.ByteString;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* compiled from: AccessTokenValidator.kt */
@Metadata
/* loaded from: classes3.dex */
public final class DefaultAccessTokenValidator implements AccessTokenValidator {
    @Override // com.okta.authfoundation.client.AccessTokenValidator
    @Nullable
    public Object validate(@NotNull OidcClient oidcClient, @NotNull String str, @NotNull Jwt jwt, @NotNull Continuation<? super Unit> continuation) {
        String trimEnd;
        if (!Intrinsics.areEqual(jwt.getAlgorithm(), "RS256")) {
            throw new AccessTokenValidator.Error("Unsupported algorithm");
        }
        String atHash = ((IdTokenAtHash) jwt.deserializeClaims(IdTokenAtHash.Companion.serializer())).getAtHash();
        if (atHash == null) {
            return Unit.INSTANCE;
        }
        ByteString.Companion companion = ByteString.Companion;
        byte[] bytes = str.getBytes(Charsets.US_ASCII);
        Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
        ByteString sha256 = ByteString.Companion.of$default(companion, bytes, 0, 0, 3, null).sha256();
        trimEnd = StringsKt__StringsKt.trimEnd(sha256.substring(0, sha256.size() / 2).base64Url(), '=');
        if (Intrinsics.areEqual(trimEnd, atHash)) {
            return Unit.INSTANCE;
        }
        throw new AccessTokenValidator.Error("ID Token at_hash didn't match the access token.");
    }
}
