You’re on the right track.
Your solution can follow this flow:
- Add the user’s allowed IP to app_metadata (keep in mind the difference between user_metadata and app_metadata. You can add this manually, or in another rule that checks if it is the user’s first login and assigns that IP as the users allowed IP in their metadata. This obviously depends on how you are determining their allowed IP.
- Create a rule that checks the IP the user is logging in from is the same as allowed IP in their metadata.
- If it is not the same, return an error to your app, and have the app display an error page (this is how errors are typically handled when being returned from rules). This allows you to customize the message and UX.
- If it is, then continue to the application.
Here are a few good resources for crafting rules: