I'm trying to harden a mod_auth_openidc-protected location against cookie-stealing attacks. The simplest (yet effective) defense seems to be binding the session to the user's IP address and invalidating it if the user's IP address changes.
I'm wondering if it's possible to achieve this somehow using only mod_auth_openidc and Apache. I've considered inserting the client IP address in some claim and using `Require claim`/`Require claim_expr` to match it against `%{REMOTE_ADDR}` (triggering step-up auth logic on mismatch), but this gets complicated if you're already using them for other requirements (also, this fails if the client IP address seen by the OP server is different from the address seen by the RP server, for example if the OP server is SaaS/externally hosted).
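One way to wire up the approach sketched in the question, as an added example that is not from the original post or from the mod_auth_openidc project: it assumes the OP has been configured to issue a claim named `client_ip` carrying the address it saw at login (the claim name, the `/app` path, the `groups:app-users` requirement and the `10.0.0.0/8` proxy range are all placeholders), and it uses Apache's core `Require expr` over the `OIDC_CLAIM_*` environment variables that mod_auth_openidc exports, rather than mod_auth_openidc's own claim matching.

```apache
# Added example (not from the original post or the mod_auth_openidc project).
# Assumptions: the OP puts the client address it saw at login into a claim
# named "client_ip"; the protected path is /app; the RP sits behind a reverse
# proxy in 10.0.0.0/8 that sets X-Forwarded-For; mod_remoteip is loaded
# (e.g. "a2enmod remoteip" on Debian-style layouts).

# 1. Make REMOTE_ADDR the real client address when Apache is behind a proxy.
#    Without this every client appears to come from the proxy, so a stolen
#    cookie replayed from anywhere would still "match".
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.0/8

<Location /app>
    AuthType openid-connect

    # Send the browser back to the OP instead of returning 403 when a
    # Require below fails, which is the "step-up on mismatch" behaviour.
    # Assumption: the installed version supports OIDCUnAuthzAction; check
    # the shipped auth_openidc.conf before relying on it.
    OIDCUnAuthzAction auth

    # RequireAll lets the IP binding sit next to existing claim-based
    # requirements instead of competing with them for the Require slot.
    <RequireAll>
        Require valid-user
        Require claim groups:app-users
        # mod_auth_openidc exports each claim as an environment variable
        # named OIDCClaimPrefix + claim name (default prefix "OIDC_CLAIM_"),
        # so the core ap_expr provider can compare it with REMOTE_ADDR.
        Require expr "%{env:OIDC_CLAIM_client_ip} == %{REMOTE_ADDR}"
    </RequireAll>
</Location>
```

Two things to keep in mind when using this. The comparison is a plain string comparison, so both sides must render the address identically (IPv6 zero compression, IPv4-mapped forms and the like will not match), and the second caveat from the question stands: if the OP sees a different client address than the RP, the user is bounced to re-authenticate, the OP writes the same mismatching address into the claim again, and the request loops. The binding therefore only works when the OP and the RP observe the same client address.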