Leveraging ipAddress in Descope Flows

In your flow, you can use the ipAddress dynamic value to enhance authentication. It returns the IP address of the current end user.

Below is an example of using the ipAddress dynamic value in a flow.

Allowing particular IP Addresses

In scenarios where only users from certain IP addresses are allowed to authenticate, you can use a regular expression (regex) to check whether the ipAddress value matches a particular pattern.

/^192\.168\.\d{1,3}\.\d{1,3}$/

This expression is a regular expression (regex), which is used to define a search pattern for strings. Regular expressions are commonly used for string matching, searching, and replacement operations in programming and text processing.

  • ^: This asserts the start of a string. The pattern must match from the beginning of the string.
  • 192\.168\.: This matches the literal string "192.168.". The backslash \ is used as an escape character to indicate that the following dot . is a literal character rather than a wildcard character that matches any single character.
  • \d{1,3}: This matches any digit (\d) between 1 and 3 times. This is used to match a part of an IP address where each octet (the number between dots) can range from 0 to 255, but this regex does not enforce the maximum value of 255.
  • \.: Again, this matches the literal dot character, used to separate octets in an IP address.
  • \d{1,3}: This is repeated to match another octet, with the same criteria as before.
  • $: This asserts the end of a string, meaning the pattern must match up to the end of the string.

Putting it all together, this regex matches strings that start with "192.168." followed by two more octets, each of which can be any number from 0 to 999 (because of the \d{1,3} pattern), although a valid IP address only allows 0 to 255 per octet. For example, it matches 192.168.0.1, but it also matches 192.168.123.456 and 192.168.256.1, even though both are outside the valid range for an IP address, because the regex itself doesn't enforce the maximum value of 255 per octet.

[Image: flow ipAddress widget config]

Now, the widget can be leveraged in a flow to allow only particular IP addresses.

[Image: ipAddress widget in flow]

Adding Permitted IPs within Tenant

Descope supports setting IP addresses via custom attributes per tenant. With this, Descopers can maintain a specific allow list for each of their tenants.

[Image: permitted ips within tenant via custom attributes]

This functionality can also be leveraged in flow conditions. Users can have different authentication experiences, or be restricted from signing up, based on their IP address. You can provide multiple values or CIDR ranges as values for the context key to match against.

[Image: permitted ips flow condition]

As an example, a Descoper can provide a range of whitelisted IP addresses and route their users to different screens based on the condition below.

[Image: permitted ips in flow]
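The regex limitation and the CIDR allow list described above can be checked side by side outside the flow editor. This is an added example, not Descope's code: the function names and the sample allow list are hypothetical, and it only illustrates strict octet validation plus CIDR matching for IPv4.

```javascript
// The regex from this page, unchanged.
const PAGE_REGEX = /^192\.168\.\d{1,3}\.\d{1,3}$/;

// Strictly parse a dotted-quad IPv4 string into an unsigned 32-bit number, or null.
function parseIPv4(text) {
  const parts = String(text).split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    // 1-3 digits, no leading zeros (avoids octal ambiguity), at most 255.
    if (!/^(0|[1-9]\d{0,2})$/.test(part)) return null;
    const octet = Number(part);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value;
}

// True when ip falls inside entry, which is a single address or a CIDR range.
function inRange(ip, entry) {
  const pieces = String(entry).split("/");
  if (pieces.length > 2) return false;
  const prefixText = pieces.length === 2 ? pieces[1] : "32";
  const addr = parseIPv4(ip);
  const net = parseIPv4(pieces[0]);
  if (addr === null || net === null || !/^\d{1,2}$/.test(prefixText)) return false;
  const prefix = Number(prefixText);
  if (prefix > 32) return false;
  // Compare the top `prefix` bits; division avoids 32-bit shift pitfalls.
  const size = 2 ** (32 - prefix);
  return Math.floor(addr / size) === Math.floor(net / size);
}

// Fail closed: anything unparseable or unlisted is rejected.
function isPermitted(ip, allowList) {
  return allowList.some((entry) => inRange(ip, entry));
}

// Constructed sample data (hypothetical tenant allow list and test addresses).
const TENANT_ALLOW_LIST = ["192.168.0.0/16", "203.0.113.7"];
for (const ip of ["192.168.0.1", "192.168.123.456", "203.0.113.7", "10.0.0.1"]) {
  console.log(ip, "regex:", PAGE_REGEX.test(ip), "strict:", isPermitted(ip, TENANT_ALLOW_LIST));
}
```

The second sample address passes the page's regex but fails the strict check, which is the gap the regex explanation points out.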
