package org.springframework.security.oauth2.server.resource.web.access;

import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.keycloak.util.TokenUtil;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
import org.springframework.security.web.access.AccessDeniedHandler;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-resource-server-5.4.5.jar:org/springframework/security/oauth2/server/resource/web/access/BearerTokenAccessDeniedHandler.class */
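/**
 * {@link AccessDeniedHandler} for bearer-token protected resources: answers a denied request
 * with HTTP 403 and a {@code WWW-Authenticate: Bearer ...} challenge.
 *
 * <p>The {@link AccessDeniedException} passed to {@link #handle} is never read, so its message
 * is not reflected to the client; no response body is written.
 */
public final class BearerTokenAccessDeniedHandler implements AccessDeniedHandler {
    /** Optional realm advertised in the challenge; {@code null} means the parameter is omitted. */
    private String realmName;

    /**
     * Writes the 403 status and the {@code WWW-Authenticate} challenge header.
     *
     * <p>The {@code insufficient_scope} error parameters are added only when the request's
     * principal is an {@link AbstractOAuth2TokenAuthenticationToken}; any other principal
     * (or none) gets a bare challenge, optionally carrying the realm.
     *
     * @param httpServletRequest the denied request; only its user principal is inspected
     * @param httpServletResponse the response that receives the header and the status
     * @param accessDeniedException the cause of the denial; intentionally unused
     */
    @Override // org.springframework.security.web.access.AccessDeniedHandler
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException accessDeniedException) {
        // LinkedHashMap keeps the parameters in insertion order: realm first, then the error fields.
        Map<String, String> parameters = new LinkedHashMap<>();
        if (this.realmName != null) {
            parameters.put("realm", this.realmName);
        }
        if (httpServletRequest.getUserPrincipal() instanceof AbstractOAuth2TokenAuthenticationToken) {
            parameters.put("error", "insufficient_scope");
            parameters.put("error_description", "The request requires higher privileges than provided by the access token.");
            parameters.put(OAuth2ParameterNames.ERROR_URI, "https://tools.ietf.org/html/rfc6750#section-3.1");
        }
        // addHeader appends: a WWW-Authenticate header already present on the response is kept.
        httpServletResponse.addHeader("WWW-Authenticate", computeWWWAuthenticateHeaderValue(parameters));
        httpServletResponse.setStatus(HttpStatus.FORBIDDEN.value());
    }

    /**
     * Sets the realm reported in the {@code WWW-Authenticate} header.
     *
     * @param str the realm name, or {@code null} to leave the realm parameter out
     */
    public void setRealmName(String str) {
        this.realmName = str;
    }

    /**
     * Builds the challenge value: the scheme, then comma-separated {@code name="value"} pairs
     * in the map's iteration order.
     *
     * @param map the challenge parameters; may be empty, in which case only the scheme is returned
     * @return the complete header value
     */
    private static String computeWWWAuthenticateHeaderValue(Map<String, String> map) {
        StringBuilder sb = new StringBuilder();
        // NOTE(review): TokenUtil.TOKEN_TYPE_BEARER and StringUtils.SPACE should be "Bearer" and " ";
        // the references to Keycloak and commons-lang3 look like decompiler constant
        // re-attribution, confirm against the original source.
        sb.append(TokenUtil.TOKEN_TYPE_BEARER);
        if (!map.isEmpty()) {
            sb.append(StringUtils.SPACE);
            boolean first = true;
            for (Map.Entry<String, String> entry : map.entrySet()) {
                if (!first) {
                    sb.append(", ");
                }
                first = false;
                sb.append(entry.getKey()).append("=\"").append(escapeQuotedString(entry.getValue())).append("\"");
            }
        }
        return sb.toString();
    }

    /**
     * Backslash-escapes {@code "} and {@code \} so that a value (in practice the configurable
     * realm name) cannot close its quoted-string early and add parameters of its own to the
     * challenge. CR and LF are not filtered here.
     */
    private static String escapeQuotedString(String value) {
        StringBuilder escaped = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '"' || c == '\\') {
                escaped.append('\\');
            }
            escaped.append(c);
        }
        return escaped.toString();
    }
}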
