Matrix42 Self-Service Help Center

IP-Filtering Limitation: Custom OAuth 2 Service Provider with Resource Owner Flow

Summary

In MyWorkspace you can define IP-Filter policies for each application. This lets you restrict the locations from which users are able to use the app. For example, you might want to allow certain critical applications only from the corporate network.

Due to the nature of IP filtering, there are some limitations, though. This article explains why IP filtering is not possible with the Resource Owner Flow of the Custom OAuth 2 Service Provider application.

Reason

In order to enforce an IP filter policy, MyWorkspace needs to know the public IP address of the user's device. This works well for most applications.

One exception is the Custom OAuth 2 Service Provider application when it is used with the Resource Owner Flow option. Because authentication in this flow is done entirely through server-to-server communication, MyWorkspace has no way to learn the IP address of the user's device. This is why MyWorkspace cannot enforce any IP filter here.

[Figure: Custom OAuth 2 Service Provider, Resource Owner Flow option]

In general we recommend using one of the other options (Implicit Flow or Code Flow) if you want to integrate an application using OAuth 2. These have other security benefits as well (e.g. they allow login through other identity providers such as Active Directory).
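The following is an added illustration, not Matrix42 code, of why the policy can be evaluated in the browser-redirect flows but not in the Resource Owner Flow: it models the peer address the identity provider actually sees on each request. The application name, networks and addresses are constructed.

```python
"""Added example (not Matrix42 code): the IP an identity provider observes
in a browser-redirect flow versus the Resource Owner Flow. All names and
addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class IpFilterPolicy:
    """Allow an application only from the listed networks (constructed values)."""
    app: str
    allowed: Tuple[str, ...]

    def permits(self, client_ip: str) -> bool:
        addr = ip_address(client_ip)
        return any(addr in ip_network(net) for net in self.allowed)


@dataclass(frozen=True)
class Decision:
    enforceable: bool        # did the IdP actually see the user's device?
    observed_ip: str         # the peer address the IdP saw on the request
    allowed: Optional[bool]  # policy result, or None when it cannot be applied


def code_flow_authorize(policy: IpFilterPolicy, browser_ip: str) -> Decision:
    """Implicit/Code Flow: the user's browser is redirected to the IdP's
    authorize endpoint, so the TCP peer address is the device's public IP
    and the policy can be evaluated against it."""
    return Decision(True, browser_ip, policy.permits(browser_ip))


def resource_owner_token(policy: IpFilterPolicy, app_server_ip: str) -> Decision:
    """Resource Owner Flow: the application backend posts the user's
    credentials to the token endpoint itself. The only peer address the IdP
    sees is the application server's, so the policy must not be evaluated
    against it (doing so would silently allow or deny the wrong party)."""
    return Decision(False, app_server_ip, None)


if __name__ == "__main__":
    policy = IpFilterPolicy(app="payroll", allowed=("203.0.113.0/24",))
    print(code_flow_authorize(policy, "203.0.113.7"))    # enforceable, allowed
    print(code_flow_authorize(policy, "198.51.100.9"))   # enforceable, denied
    print(resource_owner_token(policy, "203.0.113.50"))  # not enforceable
```

Note that the Resource Owner case returns "not enforceable" even when the application server itself sits inside the allowed network; that address says nothing about where the user is.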