Unfortunately, the source IP address can change quite often because of things like dynamic NAT, VPNs, network roaming, etc. Something like a client fingerprint might be a better way to go.
The other commenter who mentions refresh tokens and methods to detect token reuse is correct. I've seen some research presented on how one can detect the reuse of a refresh token and invalidate the bearer tokens, forcing a relogin from the 'real' user. The problem with it is that it requires additional coding and something like a Memcached or Redis where you store these statuses and revoked token IDs, etc. in order to effect the logic/behavior that's necessary without too much overhead. It's just extra work most teams are not gonna bother with, but it truly is necessary if you want to prevent the use of stolen tokens by bad actors.
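The refresh-token reuse detection the comment describes, worked through as an added example that is not part of the original post or any particular product's code. It assumes a rotation scheme in which every refresh token belongs to a "family" created at login: each refresh marks the presented token as used and issues a new one in the same family, and a second presentation of an already-used token revokes the whole family, which invalidates every bearer token issued under it and forces a relogin. The `TokenStore` dict is a stand-in for the Redis/Memcached status store the comment mentions, and the access token is modelled as a plain dict rather than a signed JWT; both are simplifications of this example, not the commenter's design.

```python
import secrets
import time


class TokenStore:
    """In-memory stand-in for the Redis/Memcached store the comment mentions (assumption).

    In a real deployment each refresh record would be written with a TTL equal to
    the refresh lifetime so the store does not grow without bound.
    """

    def __init__(self):
        # refresh_token -> {"family", "user", "used", "exp"}
        self.refresh = {}
        # families whose tokens (access and refresh) are no longer honoured
        self.revoked_families = set()


class AuthServer:
    ACCESS_TTL = 15 * 60           # seconds an access (bearer) token is valid
    REFRESH_TTL = 7 * 24 * 3600    # seconds a refresh token is valid

    def __init__(self, store=None, clock=time.time):
        self.store = store or TokenStore()
        self.clock = clock         # injectable clock so expiry can be tested

    def login(self, user):
        """Interactive login: starts a brand-new token family for this session."""
        family = secrets.token_urlsafe(16)
        return self._issue(user, family)

    def _issue(self, user, family):
        now = self.clock()
        refresh_token = secrets.token_urlsafe(32)
        self.store.refresh[refresh_token] = {
            "family": family, "user": user, "used": False,
            "exp": now + self.REFRESH_TTL,
        }
        # Simplified bearer token; a real one would be a signed JWT carrying these claims.
        access_token = {
            "token": secrets.token_urlsafe(32), "user": user,
            "family": family, "exp": now + self.ACCESS_TTL,
        }
        return {"access": access_token, "refresh": refresh_token}

    def refresh(self, refresh_token):
        """Rotate a refresh token; a replay of an already-rotated token revokes the family."""
        rec = self.store.refresh.get(refresh_token)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec["family"] in self.store.revoked_families:
            raise PermissionError("token family already revoked; relogin required")
        if rec["used"]:
            # Reuse detected: the token was rotated once already. Whether the
            # replay comes from the legitimate client or from whoever copied the
            # token, the safe response is to kill the whole family.
            self.store.revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; relogin required")
        if rec["exp"] < self.clock():
            raise PermissionError("refresh token expired")
        rec["used"] = True
        return self._issue(rec["user"], rec["family"])

    def validate_access(self, access_token):
        """Resource-server check: expiry plus a revocation lookup keyed by family."""
        if access_token["exp"] < self.clock():
            return False
        return access_token["family"] not in self.store.revoked_families


def reuse_detection_scenario():
    """Replays a refresh token after it was rotated and reports what the server did."""
    srv = AuthServer()
    session = srv.login("alice")
    original_refresh = session["refresh"]
    rotated = srv.refresh(original_refresh)     # first, legitimate rotation
    try:
        srv.refresh(original_refresh)           # second presentation of the same token
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    return {
        "replay_accepted": replay_accepted,
        "rotated_access_still_valid": srv.validate_access(rotated["access"]),
        "family_revoked": rotated["access"]["family"] in srv.store.revoked_families,
    }


if __name__ == "__main__":
    print(reuse_detection_scenario())
```

The cost the comment warns about is visible here: every access-token check now needs a lookup against `revoked_families`, and every refresh needs a read-modify-write on the refresh record, which is why the status store has to be something fast and shared across instances rather than a per-process dict.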