package com.okta.authfoundation.client;

import com.okta.authfoundation.client.AccessTokenValidator;
import com.okta.authfoundation.jwt.Jwt;
import kotlin.Unit;
import kotlin.coroutines.Continuation;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.Charsets;
import kotlin.text.StringsKt__StringsKt;
import okio.ByteString;
import okio.Options;
import org.jetbrains.annotations.NotNull;

/* loaded from: classes.dex */
public final class DefaultAccessTokenValidator implements AccessTokenValidator {
    @Override // com.okta.authfoundation.client.AccessTokenValidator
    public Object validate(@NotNull OidcClient oidcClient, @NotNull String str, @NotNull Jwt jwt, @NotNull Continuation continuation) {
        if (!Intrinsics.areEqual(jwt.getAlgorithm(), "RS256")) {
            throw new AccessTokenValidator.Error("Unsupported algorithm");
        }
        String atHash = ((IdTokenAtHash) jwt.deserializeClaims(IdTokenAtHash.Companion.serializer())).getAtHash();
        if (atHash == null) {
            return Unit.INSTANCE;
        }
        ByteString byteString = ByteString.EMPTY;
        byte[] bytes = str.getBytes(Charsets.US_ASCII);
        Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
        ByteString digest$okio = Options.Companion.of$default(bytes).digest$okio("SHA-256");
        if (Intrinsics.areEqual(StringsKt__StringsKt.trimEnd(digest$okio.substring(digest$okio.data.length / 2).base64Url(), '='), atHash)) {
            return Unit.INSTANCE;
        }
        throw new AccessTokenValidator.Error("ID Token at_hash didn't match the access token.");
    }
}
