IdentityServer4 Transparent login based on IP address

Hello, I'm working on a project that uses IdentityServer4 as Authentication/Authorization service. We have our own custom userstore injected in the service that we use to validate users based on credentials, and in the ProfileService we use the same userstore to decorate extra claims. Now I have the assignment, if it is possible, to do a transparent login based on an IP address; in our custom userstore some users have an ipaddress.

The workflow goes as follows: when a user goes to our client applications (asp.net mvc), and the user is not authenticated, he's redirected to the IdentityServer. My first check here should be if I can resolve a user based on the incoming IP address; if so, sign in and redirect to the client application, otherwise display the identityserver login page (based on the quickstart example).

I've found a ticket in the github project related to impersonation, which possibly gets me a step closer? It is based on overriding AuthorizeInteractionResponseGenerator: https://github.com/IdentityServer/IdentityServer4/issues/853

Based on that ticket I've made some pseudo code, but I'm not sure if this is the correct way?

using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.ResponseHandling;
using IdentityServer4.Services;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public class IPAuthorizeInteractionResponseGenerator : AuthorizeInteractionResponseGenerator
{
    private readonly ISystemClock _systemClock;
    private readonly IProfileService _profileService;
    private readonly IHttpContextAccessor _httpContextAccessor;
    private readonly IMyAccountUserStore _myAccountUserStore;

    public IPAuthorizeInteractionResponseGenerator(IMyAccountUserStore myAccountUserStore, IHttpContextAccessor httpContextAccessor,
        ISystemClock clock, ILogger<AuthorizeInteractionResponseGenerator> logger, IConsentService consent, IProfileService profile)
        : base(clock, logger, consent, profile)
    {
        _systemClock = clock;
        _profileService = profile;
        _httpContextAccessor = httpContextAccessor;
        _myAccountUserStore = myAccountUserStore;
    }

    public override Task<InteractionResponse> ProcessInteractionAsync(ValidatedAuthorizeRequest request, ConsentResponse consent = null)
    {
        // Peer address of the current connection; no proxy headers are consulted here.
        var clientIp = _httpContextAccessor.HttpContext.Connection.RemoteIpAddress.ToString();
        var userByIp = _myAccountUserStore.FindUserByIp(clientIp);
        if (userByIp == null)
            return base.ProcessInteractionAsync(request, consent);   // no match: normal login/consent flow

        // User found by IP: build a principal and attach it to the authorize request.
        var claims = new[]
        {
            new Claim(JwtClaimTypes.Name, userByIp.Username),
            new Claim(JwtClaimTypes.GivenName, userByIp.FullName),
            new Claim(JwtClaimTypes.Email, userByIp.Email),
            // ToUnixTimeSeconds() is the public BCL equivalent of IdentityServer's ToEpochTime() helper;
            // note that CreatePrincipal() below already emits auth_time from AuthenticationTime.
            new Claim(JwtClaimTypes.AuthenticationTime, _systemClock.UtcNow.ToUnixTimeSeconds().ToString())
        };

        var svr = new IdentityServerUser(userByIp.SubjectId) { AuthenticationTime = _systemClock.UtcNow.DateTime, AdditionalClaims = claims };
        var claimsPrincipal = svr.CreatePrincipal();
        request.Subject = claimsPrincipal;

        // An InteractionResponse with nothing set means "no login or consent interaction required".
        return Task.FromResult(new InteractionResponse());
    }
}

If you must do this solution (highly against it), it would be a relatively simple level check.

In your login method:

  1. get user IP address (HttpContext.Connection.RemoteIpAddress.ToString())
  2. check your user store for a user that has the allocated IP address
  3. if address exists then automatically login using that user's credentials and respond with relevant response
  4. if address doesn't exist then load Login page for the ID4 server

Note at bare minimum these things would need to be in place:

  • You will need to ensure your user store retains IP address for approved user
  • You will need to ensure your user store gets updated with new or updated details of user

This should meet your requirements to use IP address for automatic login.

Stressing the point that this approach should not in any way or form be used unless an extreme set of requirements dictates this.

IP Spoofing is so easy these days it's not funny. Also if your user used a VPN that will also cause you issues, especially once you start building on geo-blocking.
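The four steps of the answer, as an added example in the quickstart's AccountController Login GET action (this is not code from the question, the answer or the IdentityServer4 project). It assumes IdentityServer4 3.x, where `HttpContext.SignInAsync(IdentityServerUser)` exists, the quickstart's own `BuildLoginViewModelAsync` helper, and the `IMyAccountUserStore` / `FindUserByIp` / user properties named in the question's pseudo code.

```csharp
using System.Net;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

public class AccountController : Controller
{
    private readonly IMyAccountUserStore _users;                  // assumed from the question
    private readonly IIdentityServerInteractionService _interaction;
    private readonly ILogger<AccountController> _logger;

    public AccountController(IMyAccountUserStore users, IIdentityServerInteractionService interaction,
        ILogger<AccountController> logger)
    {
        _users = users;
        _interaction = interaction;
        _logger = logger;
    }

    [HttpGet]
    public async Task<IActionResult> Login(string returnUrl)
    {
        // Step 1: peer address of the connection. X-Forwarded-For is deliberately not read here;
        // behind a reverse proxy, configure ForwardedHeadersMiddleware so RemoteIpAddress is correct.
        IPAddress remote = HttpContext.Connection.RemoteIpAddress;
        if (remote != null && remote.IsIPv4MappedToIPv6)
            remote = remote.MapToIPv4();                           // "::ffff:10.0.0.5" -> "10.0.0.5"

        // Step 2: look the address up in the user store.
        var user = remote == null ? null : _users.FindUserByIp(remote.ToString());
        if (user == null)
        {
            // Step 4: no allocated address, fall through to the normal login page.
            return View(await BuildLoginViewModelAsync(returnUrl)); // quickstart helper, assumed present
        }

        // Step 3: issue the IdentityServer session cookie and return to the client.
        // The log line gives incident response a record of every address-based sign-in.
        _logger.LogInformation("Transparent login for subject {Subject} from {Ip}", user.SubjectId, remote);
        var isuser = new IdentityServerUser(user.SubjectId) { DisplayName = user.Username };
        await HttpContext.SignInAsync(isuser);

        // Only follow returnUrl when IdentityServer recognises it as a valid authorize request URL.
        if (_interaction.IsValidReturnUrl(returnUrl))
            return Redirect(returnUrl);
        return Redirect("~/");
    }
}
```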
