Getting a session token

We begin by creating a token factory, which we will use to issue tokens. Keep it private to the server: whoever can call it can mint tokens that the server will trust.

private JwtFactory tokenFactory = new JwtFactory();   // issues the tokens this server hands out

We then register a resource from which a web page, once the user has logged in, can fetch a session token:

// GET handler only (the POST handler is null). The trailing flags select a
// synchronous handler, no sub-paths, and user sessions enabled, so that
// req.Session is available inside the handler.
this.httpServer.Register("/GetSessionToken", null, (req, resp) =>
{
   IUser User;

   // Only a logged-in user may obtain a token. The login page stores the
   // authenticated user in the session under the "User" variable; anything
   // else is refused with 403 Forbidden.
   if (!req.Session.TryGetVariable("User", out Variable v) ||
          (User = v.ValueObject as IUser) == null)
   {
          throw new ForbiddenException();
   }

   // Issue a token whose subject (sub) is the logged-in user name.
   string Token = this.tokenFactory.Create(
          new KeyValuePair<string, object>("sub", User.UserName));

   // Return the raw token with the JWT content type (application/jwt).
   resp.ContentType = JwtCodec.ContentType;
   resp.Write(Token);
}, true, false, true);
When you create a token, you provide a set of claims. One of the most important is sub (subject), which identifies the entity the token is about. You can add any number of claims, standard as well as custom. Try adding a custom claim containing the client IP address; you can then check that claim inside your method and accept later requests only if they come from the same address. Bear in mind that clients behind NAT or on mobile networks change addresses, and that behind a reverse proxy the address the server sees is the proxy's, so such a check trades some availability for resistance to token replay. Standard claims such as exp (expiration time) limit how long a stolen token remains usable. Other authorization claims can also be added. Care must be taken, however: a token of this kind is signed but not encrypted, so anyone who obtains it can decode and read every claim, and you don't want to leak sensitive personal information through the tokens.
For a list of public claim names, see IANA's list at https://www.iana.org/assignments/jwt/jwt.xhtml.
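The following is an added example, not code from the book or from the Waher.Security.JWT library: a small self-contained HS256 issuer and validator in plain .NET that shows what the paragraph above suggests, namely binding a token to the client's address through a custom claim (named cip here, an assumed name) together with an exp claim, and then refusing the same token when it is presented from a different address or after it has expired. The secret, the claim name, the sample addresses and the fixed ten-minute lifetime are all assumptions for the example; how you obtain the client's address from the request object is left to the Waher API and not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Added example, not the library's code: HS256 JWT bound to a client address.
public static class IpBoundJwt
{
    // JWT uses base64url without padding.
    static string B64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] B64UrlDecode(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        switch (t.Length % 4)
        {
            case 2: t += "=="; break;
            case 3: t += "="; break;
        }
        return Convert.FromBase64String(t);
    }

    // Issue header.payload.signature. The payload is only encoded, not encrypted:
    // anyone holding the token can read sub, cip and exp without the secret.
    public static string Create(byte[] secret, string subject, string clientIp, TimeSpan lifetime)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        var claims = new Dictionary<string, object>
        {
            ["sub"] = subject,                              // entity the token is about
            ["cip"] = clientIp,                             // custom claim (assumed name): issuing address
            ["iat"] = now,
            ["exp"] = now + (long)lifetime.TotalSeconds,    // limits how long a stolen token is usable
        };
        string header = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        string payload = B64Url(JsonSerializer.SerializeToUtf8Bytes(claims));
        string signingInput = header + "." + payload;
        using var mac = new HMACSHA256(secret);
        return signingInput + "." + B64Url(mac.ComputeHash(Encoding.UTF8.GetBytes(signingInput)));
    }

    // Accept only if the signature verifies, exp is in the future and the
    // request comes from the address bound at issue time. The header's alg
    // field is deliberately ignored: we always recompute HS256 with our own
    // secret, so an attacker cannot downgrade to "none".
    public static bool Validate(byte[] secret, string token, string remoteIp, out string subject)
    {
        subject = null;
        string[] parts = token.Split('.');
        if (parts.Length != 3) return false;

        try
        {
            using var mac = new HMACSHA256(secret);
            byte[] expected = mac.ComputeHash(Encoding.UTF8.GetBytes(parts[0] + "." + parts[1]));
            byte[] actual = B64UrlDecode(parts[2]);
            if (!CryptographicOperations.FixedTimeEquals(expected, actual)) return false;

            using JsonDocument doc = JsonDocument.Parse(B64UrlDecode(parts[1]));
            JsonElement root = doc.RootElement;
            if (!root.TryGetProperty("exp", out JsonElement exp) || exp.ValueKind != JsonValueKind.Number ||
                exp.GetInt64() <= DateTimeOffset.UtcNow.ToUnixTimeSeconds()) return false;
            if (!root.TryGetProperty("cip", out JsonElement cip) || cip.GetString() != remoteIp) return false;
            if (!root.TryGetProperty("sub", out JsonElement sub)) return false;

            subject = sub.GetString();
            return true;
        }
        catch (FormatException) { return false; }   // malformed base64url
        catch (JsonException) { return false; }     // malformed payload
    }

    public static void Main()
    {
        byte[] secret = RandomNumberGenerator.GetBytes(32);      // per-process secret (assumption)
        string token = Create(secret, "alice", "192.0.2.10", TimeSpan.FromMinutes(10));

        Console.WriteLine(Validate(secret, token, "192.0.2.10", out string who)
            ? "accepted for " + who : "rejected");
        Console.WriteLine(Validate(secret, token, "198.51.100.7", out _)
            ? "accepted" : "rejected: presented from another address");

        // The claims are readable by anyone who has the token, hence the warning
        // against putting sensitive personal information in them.
        Console.WriteLine(Encoding.UTF8.GetString(B64UrlDecode(token.Split('.')[1])));
    }
}
```

In a handler for a protected resource, the address you compare against must be the one the server actually trusts: the socket's remote address when clients connect directly, or the value a trusted reverse proxy forwards when one sits in front of the server. Comparing against a client-supplied header such as X-Forwarded-For without that trust relationship defeats the check.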