I'm developing a .Net Core Web API using JWT authentication (like here).

I added a new Claim to store the IP address of the request, and then I want to check it on each consecutive request to validate that the source IP address of the request is the same IP that originally requested the token.

To do that I made a Custom Policy-Based Authentication (like here), and I want to get the IP of each request in the AuthorizationHandler of the policy, but I can't get it (this didn't work in AuthorizationHandler).

Maybe that's not the way to do what I want, can anyone help me?

Thank you!

  • Why don't you trust the JWT and need this additional authentication within your service? – thoean Dec 23 '16 at 16:27
  • Because if someone steals the token, I do not want it to be usable from another IP. Maybe JWT has something to mitigate this and I didn't know. Thanks @thoean – Johna Dec 23 '16 at 17:08
  • It sounds like a too simplistic approach to a highly complex problem. I assume you encrypt everything through HTTPS as a baseline, and follow other practices to prevent attacks like XSS etc. This is an interesting article to get started: https://auth0.com/forum/t/stealing-jwt-from-authenticated-user/352/12 – thoean Dec 23 '16 at 20:22
  • Yes, that's right. I'll read that link. Thanks. – Johna Dec 26 '16 at 13:56
  • Even I am thinking of IP verification. Reason being I am exposing my API to a limited source and they should not use it outside the allowed premises. I don't know if it is a good idea but it would work for at least a few attackers. – Pratap Singh Mehra Nov 14 '18 at 08:05
  • @VladimirDespotovic, there's nothing wrong, but it's increasing your operational overhead, for example, to manage a client's IP. Also, why should a service know the client's IP address? – thoean Jun 24 '19 at 18:20

1 Answer

In the end what I did was this to get the IP.

Then I added an ActionFilterAttribute overriding OnActionExecuting.

In that filter I get the original IP from the Claims and compare it with the request IP (context.HttpContext.Connection.RemoteIpAddress).

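The following is an added example, not code from the asker or the answerer, showing both approaches discussed on this page: an AuthorizationHandler that reaches the current request through IHttpContextAccessor (which is what the question was missing), and the answer's ActionFilterAttribute that does the same comparison. It assumes ASP.NET Core with JWT bearer authentication already configured; the claim type name "ip", the class names, and the policy name "SameIp" are assumptions made for the example.

```csharp
// Added example (not the asker's or answerer's code). Assumes ASP.NET Core with
// JWT bearer auth configured. Claim type "ip" and all class names are assumed.
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

public static class IpClaims
{
    public const string ClaimType = "ip"; // assumed custom claim name

    // Called when issuing the token: records the caller's address in the claim set.
    public static Claim ForRequest(HttpContext http)
    {
        var ip = http.Connection.RemoteIpAddress ?? IPAddress.None;
        return new Claim(ClaimType, ip.ToString());
    }

    // Compares the claim with the current connection. IPv4-mapped IPv6 addresses
    // (::ffff:1.2.3.4) are normalised so the same client is not rejected depending
    // on which socket family Kestrel reports.
    public static bool MatchesRequest(ClaimsPrincipal user, HttpContext http)
    {
        var claimed = user.FindFirst(ClaimType)?.Value;
        var current = http.Connection.RemoteIpAddress;
        if (claimed == null || current == null) return false;
        if (!IPAddress.TryParse(claimed, out var claimedIp)) return false;
        return Normalise(claimedIp).Equals(Normalise(current));
    }

    private static IPAddress Normalise(IPAddress ip) =>
        ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip;
}

public class SameIpRequirement : IAuthorizationRequirement { }

// Policy handler: the HttpContext comes from IHttpContextAccessor, injected by DI.
public class SameIpHandler : AuthorizationHandler<SameIpRequirement>
{
    private readonly IHttpContextAccessor _accessor;
    public SameIpHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, SameIpRequirement requirement)
    {
        var http = _accessor.HttpContext;
        if (http != null && IpClaims.MatchesRequest(context.User, http))
            context.Succeed(requirement);
        // Not calling Fail() lets other handlers run; the policy still fails
        // when no handler has succeeded.
        return Task.CompletedTask;
    }
}

// Alternative from the answer: an action filter doing the same comparison.
public class SameIpFilterAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        if (!IpClaims.MatchesRequest(context.HttpContext.User, context.HttpContext))
            context.Result = new ForbidResult();
    }
}

// Assumed wiring in Startup.ConfigureServices:
// services.AddHttpContextAccessor();   // on 1.x/2.0: AddSingleton<IHttpContextAccessor, HttpContextAccessor>()
// services.AddSingleton<IAuthorizationHandler, SameIpHandler>();
// services.AddAuthorization(o =>
//     o.AddPolicy("SameIp", p => p.Requirements.Add(new SameIpRequirement())));
```

Two points a practitioner will want to check before relying on this: behind a reverse proxy or load balancer, Connection.RemoteIpAddress is the proxy's address, so the check only works once the ForwardedHeaders middleware is configured with trusted proxies; and clients on mobile networks or behind NAT pools legitimately change address mid-session, so the comparison should be treated as a defence-in-depth signal to log or step up on rather than as the sole protection against token theft, which is the concern raised in the comments.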