add hook to customize audience restriction validation (crewjam#596)

crewjam · web-flow · commit e9fe44bcb8d3 · 2025-04-12T08:39:55.000-04:00
based on the concept in crewjam#495
diff --git a/service_provider.go b/service_provider.go
@@ -137,6 +137,10 @@ type ServiceProvider struct {
 	// LogoutBindings specify the bindings available for SLO endpoint. If empty,
 	// HTTP-POST binding is used.
 	LogoutBindings []string
+
+	// ValidateAudienceRestriction allows you to override the default audience validation
+	// for an assertion. If nil, the default audience validation is used.
+	ValidateAudienceRestriction func(assertion *Assertion) error
 }
 
 // MaxIssueDelay is the longest allowed time between when a SAML assertion is
@@ -1172,6 +1176,20 @@ func (sp *ServiceProvider) validateAssertion(assertion *Assertion, possibleReque
 		return fmt.Errorf("assertion Conditions is expired")
 	}
 
+	if err := sp.validateAudienceRestriction(assertion); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (sp *ServiceProvider) validateAudienceRestriction(assertion *Assertion) error {
+	if sp.ValidateAudienceRestriction != nil {
+		if err := sp.ValidateAudienceRestriction(assertion); err != nil {
+			return fmt.Errorf("audience restriction validation failed: %w", err)
+		}
+		return nil
+	}
+
 	audienceRestrictionsValid := len(assertion.Conditions.AudienceRestrictions) == 0
 	audience := firstSet(sp.EntityID, sp.MetadataURL.String())
 	for _, audienceRestriction := range assertion.Conditions.AudienceRestrictions {
