add ValidateRequestID hook to allow you to override the default request ID validation. (crewjam#599)

crewjam · web-flow · commit abf97a1129c5 · 2025-04-12T10:07:15.000-04:00
Inspired by crewjam#581, but modified to be consistent with other hooks
diff --git a/service_provider.go b/service_provider.go
@@ -141,6 +141,10 @@ type ServiceProvider struct {
 	// ValidateAudienceRestriction allows you to override the default audience validation
 	// for an assertion. If nil, the default audience validation is used.
 	ValidateAudienceRestriction func(assertion *Assertion) error
+
+	// ValidateRequestID allows you to override the default request ID validation.
+	// If nil, the default request ID validation is used.
+	ValidateRequestID func(response Response, possibleRequestIDs []string) error
 }
 
 // MaxIssueDelay is the longest allowed time between when a SAML assertion is
@@ -972,18 +976,8 @@ func (sp *ServiceProvider) parseResponse(responseEl *etree.Element, possibleRequ
 			}
 		}
 
-		requestIDvalid := false
-		if sp.AllowIDPInitiated {
-			requestIDvalid = true
-		} else {
-			for _, possibleRequestID := range possibleRequestIDs {
-				if response.InResponseTo == possibleRequestID {
-					requestIDvalid = true
-				}
-			}
-		}
-		if !requestIDvalid {
-			return nil, fmt.Errorf("`InResponseTo` does not match any of the possible request IDs (expected %v)", possibleRequestIDs)
+		if err := sp.validateRequestID(response, possibleRequestIDs); err != nil {
+			return nil, err
 		}
 
 		if response.IssueInstant.Add(MaxIssueDelay).Before(now) {
@@ -1059,6 +1053,27 @@ func (sp *ServiceProvider) parseResponse(responseEl *etree.Element, possibleRequ
 	return &assertions[0], nil
 }
 
+func (sp *ServiceProvider) validateRequestID(response Response, possibleRequestIDs []string) error {
+	if sp.ValidateRequestID != nil {
+		return sp.ValidateRequestID(response, possibleRequestIDs)
+	}
+
+	requestIDvalid := false
+	if sp.AllowIDPInitiated {
+		requestIDvalid = true
+	} else {
+		for _, possibleRequestID := range possibleRequestIDs {
+			if response.InResponseTo == possibleRequestID {
+				requestIDvalid = true
+			}
+		}
+	}
+	if !requestIDvalid {
+		return fmt.Errorf("`InResponseTo` does not match any of the possible request IDs (expected %v)", possibleRequestIDs)
+	}
+	return nil
+}
+
 func (sp *ServiceProvider) parseEncryptedAssertion(encryptedAssertionEl *etree.Element, possibleRequestIDs []string, now time.Time, signatureRequirement signatureRequirement) (*Assertion, error) {
 	assertionEl, err := sp.decryptElement(encryptedAssertionEl)
 	if err != nil {
