Closed ObjectNullReference closed 7 years ago
Not entirely sure why I got named here, but I suppose I can offer an answer :)
Does IdSrv3 have any functionality that restricts "client credentials flow" to certain/range IP addresses?
No, IdSrv does not do this and nor should it imho. For this to be effective and secure, you will want to do it as low down in the stack as possible. So this means firewall level first. If a multi-tenant application, then at reverse proxy / load balancer. And finally, if this is not possible, then in middleware in front of your oauth endpoints.
How to automatically detect the client server IP address from which the request to the token is made. Note: not the User's IP address, but the IP address of the server where the client website is hosted.
Since it's Client Credentials flow you can use one of the HTTP request headers to get the remote (client) IP address: https://stackoverflow.com/a/916157
If the Client itself is compromised (and not the credentials being lifted and used elsewhere), then this won't help.
Also consider key rotation to mitigate.
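The answer above recommends enforcing the source-IP restriction in middleware in front of the OAuth endpoints and reading the remote address from request headers. The following is an added example of what such a gate looks like; it is not IdentityServer code or anything from this thread. It assumes a deployment behind a reverse proxy, so the `X-Forwarded-For` header is only honoured when the TCP peer is one of the proxies, and the header is walked from the right so that entries a caller can prepend are never taken as the client address. The network ranges and the proxy list are constructed sample values; `/connect/token` is IdentityServer3's default token endpoint path.

```python
import ipaddress
from typing import Iterable, Mapping, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample policy (assumed values, not from the thread).
# Reverse proxies / load balancers whose X-Forwarded-For we trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Outbound ranges of the servers hosting the client web application.
ALLOWED_CLIENT_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

TOKEN_ENDPOINT = "/connect/token"  # IdentityServer3 default token endpoint


def _in_any(ip: IPAddress, networks: Iterable[ipaddress._BaseNetwork]) -> bool:
    return any(ip in net for net in networks)


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str]) -> IPAddress:
    """Return the address that counts as the caller.

    The TCP peer is the only value the server can verify. X-Forwarded-For is
    consulted solely when that peer is a trusted proxy, and then the list is
    read right-to-left: trusted proxies are skipped and the first hop that is
    not a proxy is the client. Left-most entries are caller-supplied and are
    never reached unless every hop to their right is a known proxy.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer  # direct connection: any forwarded header is untrusted

    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop walking and fall back to the peer
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    # Only proxies (or nothing) in the chain: fall back to the peer, which is a
    # proxy and therefore not in the client allow-list, so the check fails closed.
    return peer


def token_request_allowed(path: str, form: Mapping[str, str],
                          peer_ip: str, headers: Mapping[str, str]) -> bool:
    """Allow-list gate for client_credentials requests at the token endpoint.

    Other paths and grant types pass through untouched: an authorization-code
    or implicit request originates from an end user's browser, whose address
    says nothing about where the client application is hosted.
    """
    if path != TOKEN_ENDPOINT:
        return True
    if form.get("grant_type") != "client_credentials":
        return True
    client = resolve_client_ip(peer_ip, headers)
    return _in_any(client, ALLOWED_CLIENT_SOURCES)


if __name__ == "__main__":
    cc = {"grant_type": "client_credentials"}
    # Direct connection from an allowed client server.
    print(token_request_allowed(TOKEN_ENDPOINT, cc, "203.0.113.10", {}))
    # Direct connection from elsewhere carrying a forged header: header ignored.
    print(token_request_allowed(TOKEN_ENDPOINT, cc, "192.0.2.5",
                                {"X-Forwarded-For": "203.0.113.10"}))
    # Through the proxy, header appended by the proxy itself.
    print(token_request_allowed(TOKEN_ENDPOINT, cc, "10.1.2.3",
                                {"X-Forwarded-For": "203.0.113.10, 10.1.2.3"}))
```

The gate complements, rather than replaces, the firewall and load-balancer controls named above, and it addresses only the case of leaked credentials being replayed from another network; as the follow-up comment notes, a compromised client host still sits inside the allowed range, which is where secret rotation comes in.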
You seem to know a bit about security - you should come work for us ;)
lol
Thank you @damianh Sorry, I mistakenly tagged you. But, your reply is very much helpful. Thanks for that.
@brockallen @damianh
Question
Hi,
We are using the Client Credentials OAuth2 flow. Client is an ASP.NET web application, and the request-token code is part of the code-behind file on the server side.
But if somehow someone is able to get the client_id and secret_key, they will be able to get an access token. We would like to restrict the incoming IP traffic to certain restricted IPs (i.e. server outbound IPs where the client application is hosted). So can you clarify the below questions in this regard.
Does IdSrv3 have any functionality that restricts "client credentials flow" to certain/range IP addresses?
How to automatically detect the client server IP address from which the request to the token is made. Note: not the User's IP address, but the IP address of the server where the client website is hosted.
Appreciate your response.
Thanks, NullReference