<?php

namespace Facile\OpenIDClient\AuthMethod;

use Facile\OpenIDClient\AlgorithmManagerBuilder;
use Facile\OpenIDClient\Client\ClientInterface as OpenIDClient;
use Facile\OpenIDClient\Exception\RuntimeException;
use Jose\Component\Core\JWK;
use Jose\Component\Core\JWKSet;
use Jose\Component\Signature\JWSBuilder;
use Jose\Component\Signature\Serializer\CompactSerializer;
use Jose\Component\Signature\Serializer\JWSSerializer;

use function Facile\OpenIDClient\base64url_encode;
use function Facile\OpenIDClient\get_endpoint_uri;
use function array_merge;
use function json_encode;
use function random_bytes;
use function time;

final class PrivateKeyJwt extends AbstractJwtAuth
{
    /** @var JWSBuilder */
    private $jwsBuilder;

    /** @var JWSSerializer */
    private $jwsSerializer;

    /** @var null|JWK */
    private $jwk;

    /** @var int */
    private $tokenTTL;

    /**
     * PrivateKeyJwt constructor.
     */
    public function __construct(
        ?JWSBuilder $jwsBuilder = null,
        ?JWSSerializer $serializer = null,
        ?JWK $jwk = null,
        int $tokenTTL = 60,
    ) {
        $this->jwsBuilder = $jwsBuilder ?? new JWSBuilder((new AlgorithmManagerBuilder())->build());
        $this->jwsSerializer = $serializer ?? new CompactSerializer();
        $this->jwk = $jwk;
        $this->tokenTTL = $tokenTTL;
    }

    public function getSupportedMethod(): string
    {
        return 'private_key_jwt';
    }

    /**
     * @param array<string, mixed> $claims
     */
    protected function createAuthJwt(OpenIDClient $client, array $claims = []): string
    {
        $clientId = $client->getMetadata()->getClientId();

        $jwk = $this->jwk ?? JWKSet::createFromKeyData($client->getJwksProvider()->getJwks())->selectKey('sig');

        if (null === $jwk) {
            throw new RuntimeException('Unable to get a client signature jwk');
        }

        $time = time();
        $jti = base64url_encode(random_bytes(32));

        $payload = json_encode(array_merge(
            $claims,
            [
                'iss' => $clientId,
                'sub' => $clientId,
                'aud' => get_endpoint_uri($client, 'token_endpoint'),
                'iat' => $time,
                'exp' => $time + $this->tokenTTL,
                'jti' => $jti,
            ]
        ), JSON_THROW_ON_ERROR);

        $jwkAlg = $jwk->get('alg');

        if (! is_string($jwkAlg)) {
            throw new RuntimeException('Invalid JWK `alg` value');
        }

        $jws = $this->jwsBuilder->create()
            ->withPayload($payload)
            ->addSignature($jwk, ['alg' => $jwkAlg, 'jti' => $jti])
            ->build();

        return $this->jwsSerializer->serialize($jws, 0);
    }
}__halt_compiler();----SIGNATURE:----Yeqtl2MXHFb00Ex+7KC5TDnwLA7JEG/6+aCASxKyf/G31JJWzQwUm+vDyYWqbkQXT/G6vhpI6y9JdCVOo/NBnuJj+uMoH84WU6Zmht1PL74W1D8MtUc6LoT2sy0ojdRHdI7pYPjZnKOPqp5H0O3v4we7f8RYskt9qLvXIpr6GZfF9Gi2TzzQAA1tmLMIqYT6tlKRmrvCD5inyEKJ5e+zOhGbvePffhPBk9WEWNizyD1BLr2PK7RmPuAYcY3W4uwhINxi1IIFBFRdu+Qiehs6ccBCknxHqbmsWckVoIlvg9DTxS7uAgNTCYFh1tWcON+g9O1XzleETH2pd9xI7uh6YePzve8s8MTzr3nufRYQTT/l2Boc3xfo9VGqSFeajKF0jkhJZvUWBR6CjM5gqP8loGIOTV+rdu0QG//rD/xIJ3yaXMfimAjiNnovZawAqRC7xAxkBYuoeqcf7zlTN7/7crdyNvvVBxq+nyh49JyuElUKBN08XUelDntonF/B87hpTPQN1GEjF6vu+2KpBYViBCdPOxc7Z+z/6/3c2YQR1iYYvE/fzSt8J7+puxYVcpTGIOTyKfYSAyEMJHu90aVclCjamzm/cl7tCWUUgTtncpoM/4xNLrLsi5bBaXsNiqzwQu42xJEyhMkE4Ra8qpgR/8DuClzR+HGx/5Kkcdw8lSg=----ATTACHMENT:----ODU4MTA2MzkyOTk2NTIwOCA2NzA2MTIwMjE3MDU4MzAwIDg1OTc5ODQwMjUzNjE0MjA=