authorJames Elliott <james-d-elliott@users.noreply.github.com>2025-02-22 18:10:25 +1100
committerGitHub <noreply@github.com>2025-02-22 07:10:25 +0000
commitf67097c6cb7fe14ccac071b37d6323e17b377506 (patch)
treeb658563b77c399cc6e8ea7c18c91f00f14f7580f /docs
parent25371bbdbf2dd22eaae6a922983277f7c776810e (diff)
feat(oidc): authorization policy network criteria (#8079)
This adds a `networks` criterion to the Authorization Policies for OpenID Connect 1.0 clients. It's important to note that this can only be enforced at the time of the initial consent of an authorization request. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Diffstat (limited to 'docs')
-rw-r--r--docs/content/configuration/identity-providers/openid-connect/provider.md30
-rw-r--r--docs/static/schemas/v4.39/json-schema/configuration.json17
2 files changed, 43 insertions, 4 deletions
diff --git a/docs/content/configuration/identity-providers/openid-connect/provider.md b/docs/content/configuration/identity-providers/openid-connect/provider.md
index ddb9d2dee..7d6d4068b 100644
--- a/docs/content/configuration/identity-providers/openid-connect/provider.md
+++ b/docs/content/configuration/identity-providers/openid-connect/provider.md
@@ -76,6 +76,9 @@ identity_providers:
rules:
- policy: 'deny'
subject: 'group:services'
+ networks:
+ - '192.168.1.0/24'
+ - '192.168.2.51'
lifespans:
access_token: '1h'
authorize_code: '1m'
@@ -401,6 +404,9 @@ identity_providers:
rules:
- policy: 'deny'
subject: 'group:services'
+ networks:
+ - '192.168.1.0/24'
+ - '192.168.2.51'
clients:
- client_id: 'client_with_policy_name'
authorization_policy: 'policy_name'
@@ -427,10 +433,28 @@ The policy which is applied if this rule matches. Valid values are `one_factor`,
##### subject
-{{< confkey type="list(list(string))" required="yes" >}}
+{{< confkey type="list(list(string))" required="situational" >}}
-The subjects criteria as per the [Access Control Configuration](../../security/access-control.md#subject). This must be
-included for the rule to be considered valid.
+_**Situational Note:** Either this option or the [networks](#networks) must be configured or this rule is considered
+invalid._
+
+The subjects criteria as per the [Access Control Configuration](../../security/access-control.md#subject).
+
+##### networks
+
+{{< confkey type="list(string)" syntax="network" required="situational" >}}
+{{< callout context="danger" title="Security Note" icon="outline/rocket" >}}
+The rules can only apply to the Authorization Code Flow when the resource owner is optionally providing
+consent to the Authorization Request. While this is not a major issue for the [subject](#subject) criteria, the users
+IP address may change and there is no technical way to enforce this check after consent has been granted and the tokens
+have been issued. See [ADR1](../../../reference/architecture-decision-log/1.md) for more information.
+{{< /callout >}}
+
+_**Situational Note:** Either this option or the [subject](#subject) must be configured or this rule is considered
+invalid._
+
+The list of networks this rule applies to. Items in this list can also be named
+[Network Definitions](../../definitions/network.md).
### lifespans
diff --git a/docs/static/schemas/v4.39/json-schema/configuration.json b/docs/static/schemas/v4.39/json-schema/configuration.json
index 8d2fd50cd..222c83387 100644
--- a/docs/static/schemas/v4.39/json-schema/configuration.json
+++ b/docs/static/schemas/v4.39/json-schema/configuration.json
@@ -2038,7 +2038,22 @@
"subject": {
"$ref": "#/$defs/AccessControlRuleSubjects",
"title": "Subject",
- "description": "Allows tuning the token lifespans for the authorize code grant."
+ "description": "Subject criteria of the Authorization for this rule to be a match."
+ },
+ "networks": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ ],
+ "title": "Networks",
+ "description": "Networks criteria of the Authorization for this rule to be a match."
}
},
"additionalProperties": false,
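Review bot: The new `networks` property is declared as `oneOf` a bare string or an array of strings, while the provider.md hunk in this same commit documents the option as `list(string)`; if the configuration loader coerces a single scalar into a one-element list, that should be stated in the documentation entry, otherwise the schema should be tightened to the array form only so a mis-indented scalar is rejected at validation time instead of being silently accepted. Because each entry may be a CIDR, a single address, or a named Network Definition, omitting a `pattern` is appropriate, but the `description` could carry the consent-time caveat for editor users who never open the docs, e.g. `"Networks criteria of the Authorization for this rule to be a match. Only evaluated when consent is granted; the resource owner's address may change afterwards."`. I cannot tell from this page whether the schema file is generated, in which case the change belongs in the generator rather than here; the enclosing rule object begins before this hunk.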