FusionAuth

    Can I add the user's IP to the JWT token?

      stephan

      We have a requirement to validate on our API that the JWT token comes from the IP that it was issued to, otherwise reject it. Is this possible to do? How do I access the user's current IP in a JWT populate lambda?

      Thanks

        mark.robustelli @stephan

        @stephan What version of FusionAuth are you using? If you are using Essentials or above, you may be able to call the search login records API in the JWT Populate lambda and get the most recent login for the user and get their IP that way. https://fusionauth.io/docs/v1/tech/apis/login#search-login-records

          stephan @mark.robustelli

          @mark-robustelli We are on "Starter" unfortunately. Is there no other way of doing it?

            mark.robustelli @stephan

            @stephan I have an idea, but I'm not 100% sure it would work. It still involves using a lambda, but you would not need to use the HTTP Connect function of the lambda to call the API, so I think it will still work in that respect. Maybe this will help you come up with an even better idea. Here is the gist.

            • User logs in and is Authenticated

            • On your application server, use the FusionAuth APIs to push the user IP address to the user.data in FusionAuth

            • Create a Populate JWT lambda that pulls in the user data, specifically the IP address

            • Refresh the token

            • Once the token is refreshed, test for the IP address

            The part I am not 100% sure on is if the refresh token will add the new data. I think it will, but you will have to test it out.

            Also, I think I may have read your initial question wrong. I am not super clear on the "JWT token comes from the IP that it was issued to". Do you mean you need the user's IP or the IP of the machine that issues the JWT (FusionAuth server)? My assumption was the user's IP.

            If it is the FusionAuth server, you could do something like create a little service that pings the FusionAuth server address and updates all the users' user.data with the address and then create the JWT Populate lambda to pull that info.

            Also, if you need the address of the FusionAuth server and it does not change, you could just hard code that into the JWT Populate lambda. Of course, if the IP address ever changes, your users will see the wrong address until you update.

            In any case, here are some links on how to populate user data with the JWT Populate lambda.

            https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate

            https://fusionauth.io/blog/sharing-custom-oauth-claims-with-a-asp-netcore-app

            I don't think any of these are great solutions, but may provide a workaround for what you need.

            Please let me know if this helps.

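
The workaround sketched in the last answer, as an added example that is not part of the original thread and not FusionAuth's own code: a JWT Populate lambda that copies an IP stored in user.data into a claim, and the API-side comparison against the caller's address. The field `user.data.ip`, the claim name `ip`, the helper names and the single-trusted-proxy handling of X-Forwarded-For are assumptions.

```javascript
// Added example. `user.data.ip` and the `ip` claim are assumed names; the
// application server is assumed to have written the login IP into
// user.data.ip through the FusionAuth User API before the token is refreshed.

// 1. JWT Populate lambda body (runs inside FusionAuth when a token is minted).
function populate(jwt, user, registration) {
  if (user.data && typeof user.data.ip === 'string') {
    jwt.ip = user.data.ip; // custom claim copied from user.data
  }
}

// 2. API side: call only AFTER the JWT signature and expiry are verified.
// Strip the IPv4-mapped IPv6 prefix so "::ffff:203.0.113.7" equals "203.0.113.7".
function normalizeIp(ip) {
  if (typeof ip !== 'string') return null;
  const s = ip.trim().toLowerCase();
  if (s === '') return null;
  return s.startsWith('::ffff:') && s.includes('.') ? s.slice(7) : s;
}

// remoteAddr is the socket peer address. X-Forwarded-For is honoured only
// when the peer is one of our own proxies, because any client can set it.
function clientIp(remoteAddr, xForwardedFor, trustedProxies) {
  const peer = normalizeIp(remoteAddr);
  if (peer && trustedProxies.includes(peer) && xForwardedFor) {
    // Assumes one trusted proxy that appends the address it saw (right-most).
    const hops = xForwardedFor.split(',');
    return normalizeIp(hops[hops.length - 1]);
  }
  return peer;
}

// Fail closed: a token without the claim is rejected, not waved through.
function ipClaimMatches(claims, remoteAddr, xForwardedFor, trustedProxies = []) {
  const bound = normalizeIp(claims && claims.ip);
  const seen = clientIp(remoteAddr, xForwardedFor, trustedProxies);
  return bound !== null && seen !== null && bound === seen;
}
```

Users behind NAT or on mobile networks change address often, so a mismatch here is better treated as a prompt to re-authenticate than as proof of token theft.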