Can I add the user's IP to the JWT token?
-
We have a requirement to validate on our API that the JWT token comes from the IP that it was issued to, otherwise reject it. Is this possible to do? How do I access the user's current IP in a JWT populate lambda?
Thanks
-
@stephan What version of FusionAuth are you using? If you are using essentials or above, you may be able to call the search login records API in the JWT Populate lambda and get the most recent login for the user and get their ip that way. https://fusionauth.io/docs/v1/tech/apis/login#search-login-records
-
@mark-robustelli We are on "Starter" unfortunately. Is there no other way of doing it?
-
@stephan I have an idea, but not 100% sure it would work. It still involves using a lambda but you would not need to use the HTTP Connect function of the lambda to call the API so I think it will still work in that respect. Maybe this will help you come up with an even better idea. Here is the gist.
- User logs in and is authenticated
- On your application server, use the FusionAuth APIs to push the user IP address to the user.data in FusionAuth
- Create a Populate JWT lambda that pulls in the user data, specifically the IP address
- Refresh the token
- Once the token is refreshed, test for the IP address
The part I am not 100% sure on is if the refresh token will add the new data. I think it will, but you will have to test it out.
Also, I think I may have read your initial question wrong, I am not super clear on the "JWT token comes from the IP that it was issued to". Do you mean you need the user's IP or the IP of the machine that issues the JWT (FusionAuth server)? My assumption was the user's IP.
If it is the FusionAuth server, you could do something like create a little service that pings the FusionAuth server address and updates all the users' user.data with the address and then create the JWT Populate lambda to pull that info.
Also, if you need the address of the FusionAuth server and it does not change, you could just hard code that into the JWT Populate lambda. Of course, if the IP address ever changes, your users will see the wrong address until you update.
In any case, here are some links on how to populate user data with the JWT Populate lambda.
https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate
https://fusionauth.io/blog/sharing-custom-oauth-claims-with-a-asp-netcore-app
I don't think any of these are great solutions, but may provide a workaround for what you need.
Please let me know if this helps.
-
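The workaround sketched in the reply above (store the client IP in user.data, copy it into a claim with a JWT Populate lambda, then compare the claim against the caller on the API side), written out as an added example. This is not code from the thread or from FusionAuth; the user.data key `loginIp`, the claim name `ip`, the sample user record and the helper names are assumptions made here. The `populate(jwt, user, registration)` entry point is the real FusionAuth JWT Populate lambda signature; the rest simulates what FusionAuth and the API would do around it.

```javascript
// FusionAuth JWT Populate lambda entry point: populate(jwt, user, registration).
// Any property set on `jwt` becomes a claim in the issued token. The lambda runs
// on each token issue and refresh, so it sees whatever user.data holds at that time.
// Assumption: the application server stored the client IP under user.data.loginIp.
function populate(jwt, user, registration) {
  var ip = user && user.data ? user.data.loginIp : undefined;
  // Copy only a non-empty string; otherwise emit no claim at all, which the
  // API check below treats as a rejection rather than a pass.
  if (typeof ip === 'string' && ip.length > 0) {
    jwt.ip = ip;
  }
}

// Simulation of the FusionAuth side (constructed): build the claims the lambda
// would add for a given user record, as a token issue or refresh would.
function buildClaims(user) {
  var jwt = { sub: user.id, exp: 0 };
  populate(jwt, user, null);
  return jwt;
}

// API side: determine the caller's address. Only honour X-Forwarded-For when the
// API is known to sit behind a trusted reverse proxy; otherwise the header is
// client-controlled and the binding check would be trivially satisfiable.
// With one trusted proxy the rightmost entry is the address that proxy saw.
function clientIpFrom(remoteAddr, xForwardedFor, trustProxy) {
  if (!trustProxy || typeof xForwardedFor !== 'string' || xForwardedFor.trim() === '') {
    return remoteAddr;
  }
  var parts = xForwardedFor.split(',').map(function (s) { return s.trim(); });
  return parts[parts.length - 1];
}

// API side: reject any token whose ip claim is absent or differs from the
// caller. A missing claim is rejected so a user.data update that never made
// it into the token (for example before the refresh step) cannot pass silently.
function ipBindingCheck(claims, requestIp) {
  if (typeof claims.ip !== 'string') {
    return { ok: false, reason: 'missing ip claim' };
  }
  if (claims.ip !== requestIp) {
    return { ok: false, reason: 'ip mismatch' };
  }
  return { ok: true, reason: '' };
}

// Constructed sample user, as the application server would have left it after
// writing user.data through the User API. 203.0.113.0/24 is a documentation range.
var sampleUser = {
  id: 'user-1',
  email: 'user@example.com',
  data: { loginIp: '203.0.113.10' }
};

// Stand-alone walk-through of the flow.
var claims = buildClaims(sampleUser);
var callerIp = clientIpFrom('203.0.113.10', '', false);
console.log('claims:', JSON.stringify(claims));
console.log('same address:', JSON.stringify(ipBindingCheck(claims, callerIp)));
console.log('other address:', JSON.stringify(ipBindingCheck(claims, '198.51.100.7')));
console.log('no user.data yet:', JSON.stringify(ipBindingCheck(buildClaims({ id: 'user-2', data: {} }), callerIp)));
```

Two points worth keeping in mind when testing this: the claim is only as fresh as the last token issue or refresh, so the API must reject tokens that predate the user.data write (the missing-claim branch covers the first login), and clients on mobile or corporate networks change addresses often enough that a strict equality check will produce legitimate rejections, which is a product decision rather than a bug in the lambda.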