ory · deepakprabhakara · Mar 23, 2026 · Mar 22, 2026 · Mar 23, 2026
diff --git a/lib/response.ts b/lib/response.ts
@@ -30,7 +30,7 @@
 };

 class WrapError extends Error {
  inner?: any;
 }

 /**@deprecated Use parseIssuer instead */
@@ -180,7 +180,10 @@
       return;
     }
 
-    if (options.audience && !tokenHandler.validateAudience(assertion, options.audience)) {
+    if (
+      options.audience &&
+      !tokenHandler.validateAudience(assertion, options.audience, options.strictAudienceValidation)
+    ) {
       cb(new Error('Invalid audience.'));
       return;
     }
@@ -328,7 +331,7 @@
  audience: string;
  issuer: string;
  acsUrl: string;
  claims: Record<string, any>;
  requestId: string;
  privateKey: string;
  publicKey: string;

diff --git a/lib/saml20.ts b/lib/saml20.ts
@@ -104,19 +104,27 @@ const parse = (assertion) => {
   };
 };
 
-const validateAudience = (assertion, realm) => {
+const audienceCheck = (audience, expectedAudience, strictValidation) => {
+  if (strictValidation) {
+    return audience === expectedAudience;
+  }
+
+  return audience.startsWith(expectedAudience);
+};
+
+const validateAudience = (assertion, realm, strictValidation = false) => {
   const audience = getProp(assertion, 'Conditions.AudienceRestriction.Audience');
   if (audience) {
     try {
       if (Array.isArray(realm)) {
         for (let i = 0; i < realm.length; i++) {
-          if (audience.startsWith(realm[i])) {
+          if (audienceCheck(audience, realm[i], strictValidation)) {
             return true;
           }
         }
         return false;
       }
-      return audience.startsWith(realm);
+      return audienceCheck(audience, realm, strictValidation);
       // eslint-disable-next-line @typescript-eslint/no-unused-vars
     } catch (err) {
       return false;

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -53,7 +53,7 @@
     "@types/xml2js": "0.4.14",
     "@typescript-eslint/eslint-plugin": "8.57.1",
     "@typescript-eslint/parser": "8.57.1",
-    "eslint": "10.0.3",
+    "eslint": "10.1.0",
     "eslint-config-prettier": "10.1.8",
     "globals": "17.4.0",
     "mocha": "11.7.5",
@@ -64,5 +64,10 @@
     "tsconfig-paths": "4.2.0",
     "typescript": "5.9.3"
   },
+  "overrides": {
+    "release-it": {
+      "undici": ">=6.24.0"
+    }
+  },
   "readmeFilename": "README.md"
 }
diff --git a/test/lib/response.spec.ts b/test/lib/response.spec.ts
@@ -18,6 +18,7 @@ const certificate =
 const inResponseTo = 'ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685';
 const issuerName = 'https://identity.kidozen.com/';
 const audience = 'http://demoscope.com';
+const suffixAudience = 'http://demoscope';
 const validToken = fs.readFileSync('./test/assets/saml20.validToken.xml').toString();
 const invalidToken = fs.readFileSync('./test/assets/saml20.invalidToken.xml').toString();
 const invalidWrappedToken = fs.readFileSync('./test/assets/saml20.invalidWrappedToken.xml').toString();
@@ -172,6 +173,29 @@ describe('response.ts', function () {
     assert.strictEqual(response.audience, audience);
   });
 
+  it('Should validate saml 2.0 token and check audience with suffix', async function () {
+    const response = await validate(validToken, {
+      publicKey: certificate,
+      audience: suffixAudience,
+      bypassExpiration: true,
+    });
+    assert.strictEqual(response.audience, audience);
+  });
+
+  it('Should validate saml 2.0 token and check strict audience with suffix', async function () {
+    try {
+      await validate(validToken, {
+        publicKey: certificate,
+        audience: suffixAudience,
+        bypassExpiration: true,
+        strictAudienceValidation: true,
+      });
+    } catch (error) {
+      const result = (error as Error).message;
+      assert.strictEqual(result, 'Invalid audience.');
+    }
+  });
+
   it('Should fail with invalid audience', async function () {
     try {
       await validate(validToken, {

diff --git a/test/lib/saml20.spec.ts b/test/lib/saml20.spec.ts
@@ -88,6 +88,15 @@ describe('saml20.ts', function () {
     }
   });
 
+  it('validateAudience with Suffix not ok with strict check', async function () {
+    try {
+      const value = saml20.validateAudience(assertion1, 'https://saml.boxyhq.com', true);
+      assert.strictEqual(value, false);
+    } catch (error) {
+      assert(error);
+    }
+  });
+
   it('validateAudience with Suffix Array ok', async function () {
     try {
       const value = saml20.validateAudience(assertion1, [...validateOptsArray, 'https://saml.boxyhq.com']);
@@ -97,6 +106,19 @@ describe('saml20.ts', function () {
     }
   });
 
+  it('validateAudience with Suffix Array not ok with strict check', async function () {
+    try {
+      const value = saml20.validateAudience(
+        assertion1,
+        [...validateOptsArray, 'https://saml.boxyhq.com'],
+        true
+      );
+      assert.strictEqual(value, false);
+    } catch (error) {
+      assert(error);
+    }
+  });
+
   it('validateAudience with Suffix Array not ok', async function () {
     try {
       const value = saml20.validateAudience(assertion1, validateOptsArray);