Check IP with JWT Authorization in ASP.NET Core Web Api











up vote
1
down vote

favorite












Is it possible to check the IP adress when using System.IdentityModel.Tokens.Jwt in an ASP.NET core Web Api application?



I thought about adding a Claim containing the IP of the user that requested it and check it somehow for each request. Normally I would use OnActionExecuting in ASP.NET MVC.



Is there a Middleware/Authorization based solution?



I Create my Jwt Token Claims like this:



private IEnumerable<Claim> getStandardClaims(IdentityUser user)

{

    var claims = new List<Claim>

    {

        new Claim(ClaimTypes.Name, user.UserName),

        new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),

        new Claim(JwtRegisteredClaimNames.Sub, user.UserName),

        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),

        new Claim("ipaddress", HttpContext.Connection.RemoteIpAddress.ToString())

    };



    return claims;

}


this is what the JWT Data look like:



{

  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "username",

  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "5a6b3eb8-ed7f-48c6-b10c-a279ffd4f7c8",

  "sub": "username",

  "jti": "44c95b53-bfba-4f33-b4c3-834127605432",

  "ipaddress": "::1",

  "exp": 1542707081,

  "iss": "https://localhost:5001/",

  "aud": "https://localhost:5001/"

}


Edit: Possible Solution for JWT Claims?
Maybe I have to read the Claims like this (Test code, no null checks ect..):



var auth = HttpContext.Request.Headers.FirstOrDefault(x => x.Key == "Authorization");

string token = auth.Value[0].Split(' ')[1];



JwtTokenService<RefreshToken, string> jwtService = new JwtTokenService<RefreshToken, string>(null);

var principal = jwtService.GetPrincipalFromExpiredToken(token, _config["Jwt:Key"]);



Claim ipClaim = principal.FindFirst(claim => claim.Type == "ipaddress");


This is the GetPrincipalFromExpiredToken Method:



public ClaimsPrincipal GetPrincipalFromExpiredToken(string token, string securityKey)

{

    var tokenValidationParameters = new TokenValidationParameters

    {

        ValidateAudience = false, 

        ValidateIssuer = false,

        ValidateIssuerSigningKey = true,

        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey)),

        ValidateLifetime = false 

    };



    var tokenHandler = new JwtSecurityTokenHandler();

    SecurityToken securityToken;

    var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out securityToken);

    var jwtSecurityToken = securityToken as JwtSecurityToken;

    if (jwtSecurityToken == null || !jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256, StringComparison.InvariantCultureIgnoreCase))

        throw new SecurityTokenException("Invalid token");



    return principal;

}





c# asp.net-core jwt asp.net-core-webapi







share|improve this question




























    up vote
    1
    down vote

    favorite












    Is it possible to check the IP adress when using System.IdentityModel.Tokens.Jwt in an ASP.NET core Web Api application?



    I thought about adding a Claim containing the IP of the user that requested it and check it somehow for each request. Normally I would use OnActionExecuting in ASP.NET MVC.



    Is there a Middleware/Authorization based solution?



    I Create my Jwt Token Claims like this:



    private IEnumerable<Claim> getStandardClaims(IdentityUser user)
    
{
    
    var claims = new List<Claim>
    
    {
    
        new Claim(ClaimTypes.Name, user.UserName),
    
        new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
    
        new Claim(JwtRegisteredClaimNames.Sub, user.UserName),
    
        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
    
        new Claim("ipaddress", HttpContext.Connection.RemoteIpAddress.ToString())
    
    };
    

    
    return claims;
    
}


    this is what the JWT Data look like:



    {
    
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "username",
    
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "5a6b3eb8-ed7f-48c6-b10c-a279ffd4f7c8",
    
  "sub": "username",
    
  "jti": "44c95b53-bfba-4f33-b4c3-834127605432",
    
  "ipaddress": "::1",
    
  "exp": 1542707081,
    
  "iss": "https://localhost:5001/",
    
  "aud": "https://localhost:5001/"
    
}


    Edit: Possible Solution for JWT Claims?
    Maybe I have to read the Claims like this (Test code, no null checks ect..):



    var auth = HttpContext.Request.Headers.FirstOrDefault(x => x.Key == "Authorization");
    
string token = auth.Value[0].Split(' ')[1];
    

    
JwtTokenService<RefreshToken, string> jwtService = new JwtTokenService<RefreshToken, string>(null);
    
var principal = jwtService.GetPrincipalFromExpiredToken(token, _config["Jwt:Key"]);
    

    
Claim ipClaim = principal.FindFirst(claim => claim.Type == "ipaddress");


    This is the GetPrincipalFromExpiredToken Method:



    public ClaimsPrincipal GetPrincipalFromExpiredToken(string token, string securityKey)
    
{
    
    var tokenValidationParameters = new TokenValidationParameters
    
    {
    
        ValidateAudience = false, 
    
        ValidateIssuer = false,
    
        ValidateIssuerSigningKey = true,
    
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey)),
    
        ValidateLifetime = false 
    
    };
    

    
    var tokenHandler = new JwtSecurityTokenHandler();
    
    SecurityToken securityToken;
    
    var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out securityToken);
    
    var jwtSecurityToken = securityToken as JwtSecurityToken;
    
    if (jwtSecurityToken == null || !jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256, StringComparison.InvariantCultureIgnoreCase))
    
        throw new SecurityTokenException("Invalid token");
    

    
    return principal;
    
}





    c# asp.net-core jwt asp.net-core-webapi







    share|improve this question


























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      Is it possible to check the IP adress when using System.IdentityModel.Tokens.Jwt in an ASP.NET core Web Api application?



      I thought about adding a Claim containing the IP of the user that requested it and check it somehow for each request. Normally I would use OnActionExecuting in ASP.NET MVC.



      Is there a Middleware/Authorization based solution?



      I Create my Jwt Token Claims like this:



      private IEnumerable<Claim> getStandardClaims(IdentityUser user)
      
{
      
    var claims = new List<Claim>
      
    {
      
        new Claim(ClaimTypes.Name, user.UserName),
      
        new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
      
        new Claim(JwtRegisteredClaimNames.Sub, user.UserName),
      
        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
      
        new Claim("ipaddress", HttpContext.Connection.RemoteIpAddress.ToString())
      
    };
      

      
    return claims;
      
}


      this is what the JWT Data look like:



      {
      
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "username",
      
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "5a6b3eb8-ed7f-48c6-b10c-a279ffd4f7c8",
      
  "sub": "username",
      
  "jti": "44c95b53-bfba-4f33-b4c3-834127605432",
      
  "ipaddress": "::1",
      
  "exp": 1542707081,
      
  "iss": "https://localhost:5001/",
      
  "aud": "https://localhost:5001/"
      
}


      Edit: Possible Solution for JWT Claims?
      Maybe I have to read the Claims like this (Test code, no null checks ect..):



      var auth = HttpContext.Request.Headers.FirstOrDefault(x => x.Key == "Authorization");
      
string token = auth.Value[0].Split(' ')[1];
      

      
JwtTokenService<RefreshToken, string> jwtService = new JwtTokenService<RefreshToken, string>(null);
      
var principal = jwtService.GetPrincipalFromExpiredToken(token, _config["Jwt:Key"]);
      

      
Claim ipClaim = principal.FindFirst(claim => claim.Type == "ipaddress");


      This is the GetPrincipalFromExpiredToken Method:



      public ClaimsPrincipal GetPrincipalFromExpiredToken(string token, string securityKey)
      
{
      
    var tokenValidationParameters = new TokenValidationParameters
      
    {
      
        ValidateAudience = false, 
      
        ValidateIssuer = false,
      
        ValidateIssuerSigningKey = true,
      
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey)),
      
        ValidateLifetime = false 
      
    };
      

      
    var tokenHandler = new JwtSecurityTokenHandler();
      
    SecurityToken securityToken;
      
    var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out securityToken);
      
    var jwtSecurityToken = securityToken as JwtSecurityToken;
      
    if (jwtSecurityToken == null || !jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256, StringComparison.InvariantCultureIgnoreCase))
      
        throw new SecurityTokenException("Invalid token");
      

      
    return principal;
      
}





      c# asp.net-core jwt asp.net-core-webapi







      share|improve this question















      Is it possible to check the IP adress when using System.IdentityModel.Tokens.Jwt in an ASP.NET core Web Api application?



      I thought about adding a Claim containing the IP of the user that requested it and check it somehow for each request. Normally I would use OnActionExecuting in ASP.NET MVC.



      Is there a Middleware/Authorization based solution?



      I Create my Jwt Token Claims like this:



      private IEnumerable<Claim> getStandardClaims(IdentityUser user)
      
{
      
    var claims = new List<Claim>
      
    {
      
        new Claim(ClaimTypes.Name, user.UserName),
      
        new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
      
        new Claim(JwtRegisteredClaimNames.Sub, user.UserName),
      
        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
      
        new Claim("ipaddress", HttpContext.Connection.RemoteIpAddress.ToString())
      
    };
      

      
    return claims;
      
}


      this is what the JWT Data look like:



      {
      
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "username",
      
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "5a6b3eb8-ed7f-48c6-b10c-a279ffd4f7c8",
      
  "sub": "username",
      
  "jti": "44c95b53-bfba-4f33-b4c3-834127605432",
      
  "ipaddress": "::1",
      
  "exp": 1542707081,
      
  "iss": "https://localhost:5001/",
      
  "aud": "https://localhost:5001/"
      
}


      Edit: Possible Solution for JWT Claims?
      Maybe I have to read the Claims like this (Test code, no null checks ect..):



      var auth = HttpContext.Request.Headers.FirstOrDefault(x => x.Key == "Authorization");
      
string token = auth.Value[0].Split(' ')[1];
      

      
JwtTokenService<RefreshToken, string> jwtService = new JwtTokenService<RefreshToken, string>(null);
      
var principal = jwtService.GetPrincipalFromExpiredToken(token, _config["Jwt:Key"]);
      

      
Claim ipClaim = principal.FindFirst(claim => claim.Type == "ipaddress");


      This is the GetPrincipalFromExpiredToken Method:



      public ClaimsPrincipal GetPrincipalFromExpiredToken(string token, string securityKey)
      
{
      
    var tokenValidationParameters = new TokenValidationParameters
      
    {
      
        ValidateAudience = false, 
      
        ValidateIssuer = false,
      
        ValidateIssuerSigningKey = true,
      
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey)),
      
        ValidateLifetime = false 
      
    };
      

      
    var tokenHandler = new JwtSecurityTokenHandler();
      
    SecurityToken securityToken;
      
    var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out securityToken);
      
    var jwtSecurityToken = securityToken as JwtSecurityToken;
      
    if (jwtSecurityToken == null || !jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256, StringComparison.InvariantCultureIgnoreCase))
      
        throw new SecurityTokenException("Invalid token");
      

      
    return principal;
      
}





      c# asp.net-core jwt asp.net-core-webapi




      c# asp.net-core jwt asp.net-core-webapi






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 2 days ago

























      asked Nov 19 at 11:38









      DoubleVoid

      363628




      363628
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted










          You can do that (and all other authorization stuff) via Policy-based authorization. 



          public class IpCheckRequirement : IAuthorizationRequirement
          
{
          
    public bool IpClaimRequired { get; set; } = true;
          
}
          

          
public class IpCheckHandler : AuthorizationHandler<IpCheckRequirement>
          
{
          
    public IpCheckHandler(IHttpContextAccessor httpContextAccessor)
          
    {
          
        HttpContextAccessor = httpContextAccessor ?? throw new ArgumentNullException(nameof(httpContextAccessor));
          
    }
          

          
    private IHttpContextAccessor HttpContextAccessor { get; }
          
    private HttpContext HttpContext => HttpContextAccessor.HttpContext;
          

          

          
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, IpCheckRequirement requirement)
          
    {
          
        Claim ipClaim = context.User.FindFirst(claim => claim.Type == "ipaddress");
          

          
        // No claim existing set and and its configured as optional so skip the check
          
        if(ipClaim == null && !requirement.IpClaimRequired)
          
        {
          
            // Optional claims (IsClaimRequired=false and no "ipaddress" in the claims principal) won't call context.Fail()
          
            // This allows next Handle to succeed. If we call Fail() the access will be denied, even if handlers
          
            // evaluated after this one do succeed
          
            return Task.CompletedTask;
          
        }
          

          
        if (ipClaim.Value = HttpContext.Connection.RemoteIpAddress?.ToString())
          
        {
          
            context.Succeed(requirement);
          
        }
          
        else
          
        {
          
            // Only call fail, to guarantee a failure, even if further handlers may succeed
          
            context.Fail();
          
        }
          

          
        return Task.CompletedTask;
          
    }
          
}


          then add 



          services.AddSingleton<IAuthorizationHandler, IpCheckHandler>();
          
services.AddAuthorization(options =>
          
{
          
    options.AddPolicy("SameIpPolicy",
          
        policy => policy.Requirements.Add(new IpCheckRequirement { IpClaimRequired = true }));
          
});


          to your ConfigureServices method.



          Now you can annote the controllers on which you want to apply it with [Authroize(Policy = "SameIpPolicy")] or add a global policy:



          services.AddMvc(options =>
          
{
          
    options.Filters.Add(new AuthorizeFilter("SameIpPolicy"))
          
})





          share|improve this answer























          • Hey, thanks! I get the idea and the HandleRequirementAsync method gets triggered. But context.User.FindFirst gives me the user Claims for the Identity instance I guess? I need the claims I've put into my JWT token (see original post on how I add these claims. The JWT Authorization works fine btw.
            – DoubleVoid
            2 days ago










          • Then you have an odd setup. Typically your Identity server (which generates the JWT token) and your resource server are two distinct applications. In resource servers (WebAPIs only, no MVC) you usually use JWT for authorization and Cookie authorization for MVC. Did you really call the given method via Ajax (or postman or other addon) with the JWT bearer token included in the request?
            – Tseng
            2 days ago










          • Yes, I use Postman. Using no token gives me an unauthorized error code. In my setup there is just one server. I edited my post, added a "possible" solution. This way I can read the claims from the jwt. At the moment my Identity User has no claims set. I don't want to hit the database. But I guess I would have to add Identity Claims and sync them with my JWT and update the IP Adress for the ip claim?!
            – DoubleVoid
            2 days ago










          • I think something wrong with your (default) authentication scheme. The authentication scheme tells the system whose claim to use (in case you have more than one authentication in use). If you set up Cookie authentication scheme as default it will always use its claims, not the one from JWT. Either you set JWT auth schema as default, and annotate Cookie/Identity where needed [Authorize(AuthenticationSchemes = "CookieAuthenticationDefaults.AuthenticationScheme")].
            – Tseng
            2 days ago






          • 1




            Yea, sorry. Missed it on my part. Yes, you need to call context.Succeed(requirement); if you want it evaluate as success. But only call .Fail() if you want guarantee it to fail (other authorization handlers wont be evaluated for this requirement). By not calling .Fail() you allow next handler to succeed. See Why would I want multiple handlers for a requirement?
            – Tseng
            yesterday











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53373832%2fcheck-ip-with-jwt-authorization-in-asp-net-core-web-api%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote



          accepted










          You can do that (and all other authorization stuff) via Policy-based authorization. 



          public class IpCheckRequirement : IAuthorizationRequirement
          
{
          
    public bool IpClaimRequired { get; set; } = true;
          
}
          

          
public class IpCheckHandler : AuthorizationHandler<IpCheckRequirement>
          
{
          
    public IpCheckHandler(IHttpContextAccessor httpContextAccessor)
          
    {
          
        HttpContextAccessor = httpContextAccessor ?? throw new ArgumentNullException(nameof(httpContextAccessor));
          
    }
          

          
    private IHttpContextAccessor HttpContextAccessor { get; }
          
    private HttpContext HttpContext => HttpContextAccessor.HttpContext;
          

          

          
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, IpCheckRequirement requirement)
          
    {
          
        Claim ipClaim = context.User.FindFirst(claim => claim.Type == "ipaddress");
          

          
        // No claim existing set and and its configured as optional so skip the check
          
        if(ipClaim == null && !requirement.IpClaimRequired)
          
        {
          
            // Optional claims (IsClaimRequired=false and no "ipaddress" in the claims principal) won't call context.Fail()
          
            // This allows next Handle to succeed. If we call Fail() the access will be denied, even if handlers
          
            // evaluated after this one do succeed
          
            return Task.CompletedTask;
          
        }
          

          
        if (ipClaim.Value = HttpContext.Connection.RemoteIpAddress?.ToString())
          
        {
          
            context.Succeed(requirement);
          
        }
          
        else
          
        {
          
            // Only call fail, to guarantee a failure, even if further handlers may succeed
          
            context.Fail();
          
        }
          

          
        return Task.CompletedTask;
          
    }
          
}


          then add 



          services.AddSingleton<IAuthorizationHandler, IpCheckHandler>();
          
services.AddAuthorization(options =>
          
{
          
    options.AddPolicy("SameIpPolicy",
          
        policy => policy.Requirements.Add(new IpCheckRequirement { IpClaimRequired = true }));
          
});


          to your ConfigureServices method.



          Now you can annote the controllers on which you want to apply it with [Authroize(Policy = "SameIpPolicy")] or add a global policy:



          services.AddMvc(options =>
          
{
          
    options.Filters.Add(new AuthorizeFilter("SameIpPolicy"))
          
})





          share|improve this answer























          • Hey, thanks! I get the idea and the HandleRequirementAsync method gets triggered. But context.User.FindFirst gives me the user Claims for the Identity instance I guess? I need the claims I've put into my JWT token (see original post on how I add these claims. The JWT Authorization works fine btw.
            – DoubleVoid
            2 days ago










          • Then you have an odd setup. Typically your Identity server (which generates the JWT token) and your resource server are two distinct applications. In resource servers (WebAPIs only, no MVC) you usually use JWT for authorization and Cookie authorization for MVC. Did you really call the given method via Ajax (or postman or other addon) with the JWT bearer token included in the request?
            – Tseng
            2 days ago










          • Yes, I use Postman. Using no token gives me an unauthorized error code. In my setup there is just one server. I edited my post, added a "possible" solution. This way I can read the claims from the jwt. At the moment my Identity User has no claims set. I don't want to hit the database. But I guess I would have to add Identity Claims and sync them with my JWT and update the IP Adress for the ip claim?!
            – DoubleVoid
            2 days ago










          • I think something wrong with your (default) authentication scheme. The authentication scheme tells the system whose claim to use (in case you have more than one authentication in use). If you set up Cookie authentication scheme as default it will always use its claims, not the one from JWT. Either you set JWT auth schema as default, and annotate Cookie/Identity where needed [Authorize(AuthenticationSchemes = "CookieAuthenticationDefaults.AuthenticationScheme")].
            – Tseng
            2 days ago






          • 1




            Yea, sorry. Missed it on my part. Yes, you need to call context.Succeed(requirement); if you want it evaluate as success. But only call .Fail() if you want guarantee it to fail (other authorization handlers wont be evaluated for this requirement). By not calling .Fail() you allow next handler to succeed. See Why would I want multiple handlers for a requirement?
            – Tseng
            yesterday















          up vote
          2
          down vote



          accepted










          You can do that (and all other authorization stuff) via Policy-based authorization. 



          public class IpCheckRequirement : IAuthorizationRequirement
          
{
          
    public bool IpClaimRequired { get; set; } = true;
          
}
          

          
public class IpCheckHandler : AuthorizationHandler<IpCheckRequirement>
          
{
          
    public IpCheckHandler(IHttpContextAccessor httpContextAccessor)
          
    {
          
        HttpContextAccessor = httpContextAccessor ?? throw new ArgumentNullException(nameof(httpContextAccessor));
          
    }
          

          
    private IHttpContextAccessor HttpContextAccessor { get; }
          
    private HttpContext HttpContext => HttpContextAccessor.HttpContext;
          

          

          
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, IpCheckRequirement requirement)
          
    {
          
        Claim ipClaim = context.User.FindFirst(claim => claim.Type == "ipaddress");
          

          
        // No claim existing set and and its configured as optional so skip the check
          
        if(ipClaim == null && !requirement.IpClaimRequired)
          
        {
          
            // Optional claims (IsClaimRequired=false and no "ipaddress" in the claims principal) won't call context.Fail()
          
            // This allows next Handle to succeed. If we call Fail() the access will be denied, even if handlers
          
            // evaluated after this one do succeed
          
            return Task.CompletedTask;
          
        }
          

          
        if (ipClaim.Value = HttpContext.Connection.RemoteIpAddress?.ToString())
          
        {
          
            context.Succeed(requirement);
          
        }
          
        else
          
        {
          
            // Only call fail, to guarantee a failure, even if further handlers may succeed
          
            context.Fail();
          
        }
          

          
        return Task.CompletedTask;
          
    }
          
}


          then add 



          services.AddSingleton<IAuthorizationHandler, IpCheckHandler>();
          
services.AddAuthorization(options =>
          
{
          
    options.AddPolicy("SameIpPolicy",
          
        policy => policy.Requirements.Add(new IpCheckRequirement { IpClaimRequired = true }));
          
});


          to your ConfigureServices method.



          Now you can annote the controllers on which you want to apply it with [Authroize(Policy = "SameIpPolicy")] or add a global policy:



          services.AddMvc(options =>
          
{
          
    options.Filters.Add(new AuthorizeFilter("SameIpPolicy"))
          
})





          share|improve this answer























          • Hey, thanks! I get the idea and the HandleRequirementAsync method gets triggered. But context.User.FindFirst gives me the user Claims for the Identity instance I guess? I need the claims I've put into my JWT token (see original post on how I add these claims. The JWT Authorization works fine btw.
            – DoubleVoid
            2 days ago










          • Then you have an odd setup. Typically your Identity server (which generates the JWT token) and your resource server are two distinct applications. In resource servers (WebAPIs only, no MVC) you usually use JWT for authorization and Cookie authorization for MVC. Did you really call the given method via Ajax (or postman or other addon) with the JWT bearer token included in the request?
            – Tseng
            2 days ago










          • Yes, I use Postman. Using no token gives me an unauthorized error code. In my setup there is just one server. I edited my post, added a "possible" solution. This way I can read the claims from the jwt. At the moment my Identity User has no claims set. I don't want to hit the database. But I guess I would have to add Identity Claims and sync them with my JWT and update the IP Adress for the ip claim?!
            – DoubleVoid
            2 days ago










          • I think something wrong with your (default) authentication scheme. The authentication scheme tells the system whose claim to use (in case you have more than one authentication in use). If you set up Cookie authentication scheme as default it will always use its claims, not the one from JWT. Either you set JWT auth schema as default, and annotate Cookie/Identity where needed [Authorize(AuthenticationSchemes = "CookieAuthenticationDefaults.AuthenticationScheme")].
            – Tseng
            2 days ago






          • 1




            Yea, sorry. Missed it on my part. Yes, you need to call context.Succeed(requirement); if you want it evaluate as success. But only call .Fail() if you want guarantee it to fail (other authorization handlers wont be evaluated for this requirement). By not calling .Fail() you allow next handler to succeed. See Why would I want multiple handlers for a requirement?
            – Tseng
            yesterday













          up vote
          2
          down vote



          accepted







          up vote
          2
          down vote



          accepted






          You can do that (and all other authorization stuff) via Policy-based authorization. 



          public class IpCheckRequirement : IAuthorizationRequirement
          
{
          
    public bool IpClaimRequired { get; set; } = true;
          
}
          

          
public class IpCheckHandler : AuthorizationHandler<IpCheckRequirement>
          
{
          
    public IpCheckHandler(IHttpContextAccessor httpContextAccessor)
          
    {
          
        HttpContextAccessor = httpContextAccessor ?? throw new ArgumentNullException(nameof(httpContextAccessor));
          
    }
          

          
    private IHttpContextAccessor HttpContextAccessor { get; }
          
    private HttpContext HttpContext => HttpContextAccessor.HttpContext;
          

          

          
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, IpCheckRequirement requirement)
          
    {
          
        Claim ipClaim = context.User.FindFirst(claim => claim.Type == "ipaddress");
          

          
        // No claim existing set and and its configured as optional so skip the check
          
        if(ipClaim == null && !requirement.IpClaimRequired)
          
        {
          
            // Optional claims (IsClaimRequired=false and no "ipaddress" in the claims principal) won't call context.Fail()
          
            // This allows next Handle to succeed. If we call Fail() the access will be denied, even if handlers
          
            // evaluated after this one do succeed
          
            return Task.CompletedTask;
          
        }
          

          
        if (ipClaim.Value = HttpContext.Connection.RemoteIpAddress?.ToString())
          
        {
          
            context.Succeed(requirement);
          
        }
          
        else
          
        {
          
            // Only call fail, to guarantee a failure, even if further handlers may succeed
          
            context.Fail();
          
        }
          

          
        return Task.CompletedTask;
          
    }
          
}


          then add 



          services.AddSingleton<IAuthorizationHandler, IpCheckHandler>();
          
services.AddAuthorization(options =>
          
{
          
    options.AddPolicy("SameIpPolicy",
          
        policy => policy.Requirements.Add(new IpCheckRequirement { IpClaimRequired = true }));
          
});


          to your ConfigureServices method.



          Now you can annote the controllers on which you want to apply it with [Authroize(Policy = "SameIpPolicy")] or add a global policy:



          services.AddMvc(options =>
          
{
          
    options.Filters.Add(new AuthorizeFilter("SameIpPolicy"))
          
})





          share|improve this answer














          You can do that (and all other authorization stuff) via Policy-based authorization. 



          public class IpCheckRequirement : IAuthorizationRequirement
          
{
          
    public bool IpClaimRequired { get; set; } = true;
          
}
          

          
public class IpCheckHandler : AuthorizationHandler<IpCheckRequirement>
          
{
          
    public IpCheckHandler(IHttpContextAccessor httpContextAccessor)
          
    {
          
        HttpContextAccessor = httpContextAccessor ?? throw new ArgumentNullException(nameof(httpContextAccessor));
          
    }
          

          
    private IHttpContextAccessor HttpContextAccessor { get; }
          
    private HttpContext HttpContext => HttpContextAccessor.HttpContext;
          

          

          
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, IpCheckRequirement requirement)
          
    {
          
        Claim ipClaim = context.User.FindFirst(claim => claim.Type == "ipaddress");
          

          
        // No claim existing set and and its configured as optional so skip the check
          
        if(ipClaim == null && !requirement.IpClaimRequired)
          
        {
          
            // Optional claims (IsClaimRequired=false and no "ipaddress" in the claims principal) won't call context.Fail()
          
            // This allows next Handle to succeed. If we call Fail() the access will be denied, even if handlers
          
            // evaluated after this one do succeed
          
            return Task.CompletedTask;
          
        }
          

          
        if (ipClaim.Value = HttpContext.Connection.RemoteIpAddress?.ToString())
          
        {
          
            context.Succeed(requirement);
          
        }
          
        else
          
        {
          
            // Only call fail, to guarantee a failure, even if further handlers may succeed
          
            context.Fail();
          
        }
          

          
        return Task.CompletedTask;
          
    }
          
}


          then add 



          services.AddSingleton<IAuthorizationHandler, IpCheckHandler>();
          
services.AddAuthorization(options =>
          
{
          
    options.AddPolicy("SameIpPolicy",
          
        policy => policy.Requirements.Add(new IpCheckRequirement { IpClaimRequired = true }));
          
});


          to your ConfigureServices method.



          Now you can annote the controllers on which you want to apply it with [Authroize(Policy = "SameIpPolicy")] or add a global policy:



          services.AddMvc(options =>
          
{
          
    options.Filters.Add(new AuthorizeFilter("SameIpPolicy"))
          
})






          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited yesterday

























          answered Nov 19 at 14:31









          Tseng

          32k584116




          32k584116












          • Hey, thanks! I get the idea and the HandleRequirementAsync method gets triggered. But context.User.FindFirst gives me the user Claims for the Identity instance I guess? I need the claims I've put into my JWT token (see original post on how I add these claims. The JWT Authorization works fine btw.
            – DoubleVoid
            2 days ago










          • Then you have an odd setup. Typically your Identity server (which generates the JWT token) and your resource server are two distinct applications. In resource servers (WebAPIs only, no MVC) you usually use JWT for authorization and Cookie authorization for MVC. Did you really call the given method via Ajax (or postman or other addon) with the JWT bearer token included in the request?
            – Tseng
            2 days ago










          • Yes, I use Postman. Using no token gives me an unauthorized error code. In my setup there is just one server. I edited my post, added a "possible" solution. This way I can read the claims from the jwt. At the moment my Identity User has no claims set. I don't want to hit the database. But I guess I would have to add Identity Claims and sync them with my JWT and update the IP Adress for the ip claim?!
            – DoubleVoid
            2 days ago










          • I think something wrong with your (default) authentication scheme. The authentication scheme tells the system whose claim to use (in case you have more than one authentication in use). If you set up Cookie authentication scheme as default it will always use its claims, not the one from JWT. Either you set JWT auth schema as default, and annotate Cookie/Identity where needed [Authorize(AuthenticationSchemes = "CookieAuthenticationDefaults.AuthenticationScheme")].
            – Tseng
            2 days ago






          • 1




            Yea, sorry. Missed it on my part. Yes, you need to call context.Succeed(requirement); if you want it evaluate as success. But only call .Fail() if you want guarantee it to fail (other authorization handlers wont be evaluated for this requirement). By not calling .Fail() you allow next handler to succeed. See Why would I want multiple handlers for a requirement?
            – Tseng
            yesterday


















          • Hey, thanks! I get the idea and the HandleRequirementAsync method gets triggered. But context.User.FindFirst gives me the user Claims for the Identity instance I guess? I need the claims I've put into my JWT token (see original post on how I add these claims. The JWT Authorization works fine btw.
            – DoubleVoid
            2 days ago










          • Then you have an odd setup. Typically your Identity server (which generates the JWT token) and your resource server are two distinct applications. In resource servers (WebAPIs only, no MVC) you usually use JWT for authorization and Cookie authorization for MVC. Did you really call the given method via Ajax (or postman or other addon) with the JWT bearer token included in the request?
            – Tseng
            2 days ago










          • Yes, I use Postman. Using no token gives me an unauthorized error code. In my setup there is just one server. I edited my post, added a "possible" solution. This way I can read the claims from the jwt. At the moment my Identity User has no claims set. I don't want to hit the database. But I guess I would have to add Identity Claims and sync them with my JWT and update the IP Adress for the ip claim?!
            – DoubleVoid
            2 days ago










          • I think something wrong with your (default) authentication scheme. The authentication scheme tells the system whose claim to use (in case you have more than one authentication in use). If you set up Cookie authentication scheme as default it will always use its claims, not the one from JWT. Either you set JWT auth schema as default, and annotate Cookie/Identity where needed [Authorize(AuthenticationSchemes = "CookieAuthenticationDefaults.AuthenticationScheme")].
            – Tseng
            2 days ago






          • 1




            Yea, sorry. Missed it on my part. Yes, you need to call context.Succeed(requirement); if you want it evaluate as success. But only call .Fail() if you want guarantee it to fail (other authorization handlers wont be evaluated for this requirement). By not calling .Fail() you allow next handler to succeed. See Why would I want multiple handlers for a requirement?
            – Tseng
            yesterday
















          Hey, thanks! I get the idea and the HandleRequirementAsync method gets triggered. But context.User.FindFirst gives me the user Claims for the Identity instance I guess? I need the claims I've put into my JWT token (see original post on how I add these claims. The JWT Authorization works fine btw.
          – DoubleVoid
          2 days ago




          Hey, thanks! I get the idea and the HandleRequirementAsync method gets triggered. But context.User.FindFirst gives me the user Claims for the Identity instance I guess? I need the claims I've put into my JWT token (see original post on how I add these claims. The JWT Authorization works fine btw.
          – DoubleVoid
          2 days ago












          Then you have an odd setup. Typically your Identity server (which generates the JWT token) and your resource server are two distinct applications. In resource servers (WebAPIs only, no MVC) you usually use JWT for authorization and Cookie authorization for MVC. Did you really call the given method via Ajax (or postman or other addon) with the JWT bearer token included in the request?
          – Tseng
          2 days ago




          Then you have an odd setup. Typically your Identity server (which generates the JWT token) and your resource server are two distinct applications. In resource servers (WebAPIs only, no MVC) you usually use JWT for authorization and Cookie authorization for MVC. Did you really call the given method via Ajax (or postman or other addon) with the JWT bearer token included in the request?
          – Tseng
          2 days ago












          Yes, I use Postman. Using no token gives me an unauthorized error code. In my setup there is just one server. I edited my post, added a "possible" solution. This way I can read the claims from the jwt. At the moment my Identity User has no claims set. I don't want to hit the database. But I guess I would have to add Identity Claims and sync them with my JWT and update the IP Adress for the ip claim?!
          – DoubleVoid
          2 days ago




          Yes, I use Postman. Using no token gives me an unauthorized error code. In my setup there is just one server. I edited my post, added a "possible" solution. This way I can read the claims from the jwt. At the moment my Identity User has no claims set. I don't want to hit the database. But I guess I would have to add Identity Claims and sync them with my JWT and update the IP Adress for the ip claim?!
          – DoubleVoid
          2 days ago












          I think something wrong with your (default) authentication scheme. The authentication scheme tells the system whose claim to use (in case you have more than one authentication in use). If you set up Cookie authentication scheme as default it will always use its claims, not the one from JWT. Either you set JWT auth schema as default, and annotate Cookie/Identity where needed [Authorize(AuthenticationSchemes = "CookieAuthenticationDefaults.AuthenticationScheme")].
          – Tseng
          2 days ago




          I think something wrong with your (default) authentication scheme. The authentication scheme tells the system whose claim to use (in case you have more than one authentication in use). If you set up Cookie authentication scheme as default it will always use its claims, not the one from JWT. Either you set JWT auth schema as default, and annotate Cookie/Identity where needed [Authorize(AuthenticationSchemes = "CookieAuthenticationDefaults.AuthenticationScheme")].
          – Tseng
          2 days ago




          1




          1




          Yea, sorry. Missed it on my part. Yes, you need to call context.Succeed(requirement); if you want it evaluate as success. But only call .Fail() if you want guarantee it to fail (other authorization handlers wont be evaluated for this requirement). By not calling .Fail() you allow next handler to succeed. See Why would I want multiple handlers for a requirement?
          – Tseng
          yesterday




          Yea, sorry. Missed it on my part. Yes, you need to call context.Succeed(requirement); if you want it evaluate as success. But only call .Fail() if you want guarantee it to fail (other authorization handlers wont be evaluated for this requirement). By not calling .Fail() you allow next handler to succeed. See Why would I want multiple handlers for a requirement?
          – Tseng
          yesterday


















           

          draft saved


          draft discarded



















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53373832%2fcheck-ip-with-jwt-authorization-in-asp-net-core-web-api%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Can a sorcerer learn a 5th-level spell early by creating spell slots using the Font of Magic feature?

          Image
          28 6 $begingroup$ Per the Font of Magic feature, sorcerer can use Flexible Casting to create 5th-level spell slots at level 7, even though they are not typically available until level 9. You can transform unexpended sorcery points into one spell slot as a bonus action on your turn. The Creating Spell Slots table shows the cost of creating a spell slot of [5th level is 7] If such a sorcerer levels up while still having this 5th-level spell slot, can they choose a 5th-level spell as the spell they gain upon levelling up? The Spellcasting feature states: Additionally, when you gain a level in this class, you can choose one of the sorcerer spells you know and replace it with another spell from the sorcerer spell list, which also must be of a level for which you have spell slots.
          Read more

          Does disintegrating a polymorphed enemy still kill it after the 2018 errata?

          Image
          up vote 13 down vote favorite 1 After the 2018 errata, the disintegrate spell description now reads: A creature targeted by this spell must make a Dexterity saving throw. On a failed save, the target takes 10d6 + 40 force damage. The target is disintegrated if this damage leaves it with 0 hit points. If you were to polymorph an enemy into a rat and then disintegrate it, would the enemy be disintegrated or would it just return to its original form? I know that for Druids, it’s not an instant kill anymore, but is this the case for polymorph as well? dnd-5e spells polymorph errata share | improve this question edited 18 hours ago
          Read more

          A Topological Invariant for $pi_3(U(n))$

          Image
          3 3 $begingroup$ Recently, I saw a construction of topological invariant for $pi_3(U(n))$ with $ngeq 2$ : $$ N=frac{1}{24pi^2}int_{S^3} d^3x epsilon^{ijk} Tr[(U^{-1}partial_{x_i}U)(U^{-1}partial_{x_j}U)(U^{-1}partial_{x_k}U)] , $$ where $Uin U(n)$ depends on $boldsymbol{x}=(x_1,x_2,x_3)in S^3$ , $epsilon^{ijk}$ is the Levi-Civita symbol, $i,j,k=1,2,3$ , and the duplicated indexes are summed over. It is claimed that $N$ is an integer, but why? Update 02/02/2019 I think I got an argument for $n=2$ . In this case, $U=e^{i varphi} q$ with $qin SU(2)$ . Due to the trace and the Levi-Civita symbol in $N$ , $varphi$ does not contribute to $N$ . As $Tr[q^{dagger}partial_i q]=0$ and $(q^{dagger}partial_i q)^{dagger}=-q^{dagger}partial_i q$ , $q^{dagger}partial_i q$ in geneeral has the form $q^{dagger}partia
          Read more