Improve error message for audience mismatch validation
When debugging audience mismatch errors, logging the expected and actual audience values would help improve the developer experience and reduce debug time when things are set up incorrectly.
Current error handling
When a SAML assertion fails audience validation, the following error is thrown:
```js
if (restriction.Audience[0]._ !== expectedAudience) {
  return new Error("SAML assertion audience mismatch");
}
```

This is fine, but it doesn't contain any information about what the expected and actual audience values are.
Proposed error handling
I propose we change the error message to something similar to the validation for idpIssuer:
```js
if (restriction.Audience[0]._ !== expectedAudience) {
  return new Error(
    "SAML assertion audience mismatch. Expected: " +
      expectedAudience +
      " Received: " +
      restriction.Audience[0]._
  );
}
```

Spec Implications
The Audience element is described in section 2.5.1.4 "Elements <AudienceRestriction> and <Audience>". Here is a relevant description from the spec:
> <Audience>: A URI reference that identifies an intended audience. The URI reference MAY identify a document that describes the terms and conditions of audience membership. It MAY also contain the unique identifier URI from a SAML name identifier that describes a system entity (see Section 8.3.6).

The description indicates that this value is neither a secret nor a protected value, so printing the audience in an error message should not be a security issue.
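The following is an added example of how such a descriptive audience check can be written; it is not the project's own code and not part of the issue above. It assumes the xml2js-style object shape used in the snippet (an array of `AudienceRestriction` objects, each with an `Audience` array whose text sits under `_` or is a plain string). It goes beyond the single-element check in the issue in two ways: it follows SAML Core 2.5.1.4, where every `<AudienceRestriction>` must be satisfied and a restriction is satisfied if any one of its `<Audience>` values matches, and it treats the received audience as untrusted input (it arrives in a document sent by a remote party) by stripping control characters and capping its length before it is put into the error message. The function names `sanitizeForLog` and `checkAudience` and the sample inputs are constructed for this example.

```javascript
// Added example, not the project's own code. Assumes xml2js-style parsing:
// restrictions = [{ Audience: [{ _: "urn:sp" }, "urn:other"] }, ...]

// Make a value taken from the assertion safe to embed in an error message or
// log line: replace control characters (prevents log injection / line
// splitting) and cap the length so a huge value cannot bloat the log.
function sanitizeForLog(value, maxLen = 256) {
  const s = String(value).replace(/[\x00-\x1f\x7f]/g, "?");
  return s.length > maxLen ? s.slice(0, maxLen) + "...[truncated]" : s;
}

// Text content of one <Audience> element, whether xml2js gave a string or
// an object with the text under "_".
function audienceText(a) {
  return typeof a === "string" ? a : a && a._ !== undefined ? String(a._) : "";
}

// Returns null when the assertion is valid for expectedAudience, otherwise an
// Error whose message names both the expected and the received values.
// Per SAML Core 2.5.1.4: every AudienceRestriction must be satisfied, and a
// restriction is satisfied if ANY of its Audience values matches. Matching is
// an exact string comparison (no trailing-slash or case normalization), which
// is the usual source of "it's configured, why does it fail" reports.
function checkAudience(restrictions, expectedAudience) {
  // Policy choice for this example: an SP that was told to expect an
  // audience rejects assertions that carry no AudienceRestriction at all.
  if (!Array.isArray(restrictions) || restrictions.length === 0) {
    return new Error(
      "SAML assertion has no AudienceRestriction. Expected: " +
        sanitizeForLog(expectedAudience)
    );
  }
  for (const restriction of restrictions) {
    const audiences = (restriction.Audience || []).map(audienceText);
    if (!audiences.some((a) => a === expectedAudience)) {
      return new Error(
        "SAML assertion audience mismatch. Expected: " +
          sanitizeForLog(expectedAudience) +
          " Received: " +
          (audiences.length ? audiences.map((a) => sanitizeForLog(a)).join(", ") : "<none>")
      );
    }
  }
  return null;
}

// Constructed sample: a trailing-slash misconfiguration, the case the issue
// is about. The message now shows exactly which side has the extra "/".
const sampleRestrictions = [{ Audience: [{ _: "https://sp.example.com/metadata/" }] }];
const sampleError = checkAudience(sampleRestrictions, "https://sp.example.com/metadata");
if (sampleError) {
  console.log(sampleError.message);
}
```

The `sanitizeForLog` step is the one addition a practitioner would want on top of the issue's proposal: the audience value is not secret, but it is chosen by whoever produced the assertion, so it should not be written to a log verbatim.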