Tags: firebase, google-cloud-firestore, firebase-security, network-security

How secure is a firebase app layer firewall based on auth token claims?


I'd like to restrict certain requests to whitelisted IPs.

The implementation seems easy enough; just store the user's IP as a custom claim that can be checked against a whitelist using security rules.

How secure is a Firebase app layer firewall based on auth token claims?

Alternatively, should the problem be tackled by restricting access to certain oauth providers (Azure AD, Auth0) that provide conditional access controls such as IP and device whitelisting?
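Added example (not from the question or its answer): a small Node.js sketch of the "IP as a custom claim" design, written to make its main limitation visible. The server-side part builds the claim object that would be passed to the Firebase Admin SDK's `setCustomUserClaims(uid, claims)`; the second part is a plain function mirroring what a security rule such as `request.auth.token.ip in whitelist` can actually evaluate. Security rules only see the claims inside the ID token, never the IP of the connection making the request, so the check answers "where was the user when the claim was minted", not "where is the user now". The whitelist addresses, the `ipVerifiedAt` claim and the one-hour maximum age are constructed for the example.

```javascript
// Added example, not code from the question or the Firebase project.
// Constructed whitelist (TEST-NET-3 addresses) and a constructed freshness bound.
const IP_WHITELIST = new Set(["203.0.113.10", "203.0.113.11"]);
const CLAIM_MAX_AGE_MS = 60 * 60 * 1000; // assumption: re-verify the IP at least hourly

// Server side (privileged): builds the claim object that would be attached with
// admin.auth().setCustomUserClaims(uid, claims). `clientIp` must be taken from the
// trusted connection metadata, never from a client-supplied field.
function buildIpClaim(clientIp, nowMs) {
  if (!IP_WHITELIST.has(clientIp)) {
    return null; // caller is not on the whitelist: mint no claim at all
  }
  return { ip: clientIp, ipVerifiedAt: nowMs }; // ipVerifiedAt is an assumed custom claim
}

// Rule side: mirrors `request.auth.token.ip in whitelist` plus a freshness check.
// Only the token's claims are available here, exactly as in a security rule;
// there is no view of the current request's source address.
function ruleAllows(tokenClaims, nowMs) {
  if (!tokenClaims || typeof tokenClaims.ip !== "string") return false;
  if (!IP_WHITELIST.has(tokenClaims.ip)) return false;
  if (typeof tokenClaims.ipVerifiedAt !== "number") return false;
  // Without this bound, a claim minted once would keep granting access for as long
  // as the user keeps refreshing tokens, regardless of where they connect from.
  return nowMs - tokenClaims.ipVerifiedAt <= CLAIM_MAX_AGE_MS;
}

// Walk-through: claim minted from a whitelisted office IP at t0. Thirty minutes
// later the same token is presented from a coffee-shop network; the rule cannot
// tell the difference, because the claim still says 203.0.113.10. Only after the
// freshness bound expires does the rule stop trusting the stale claim.
function walkthrough() {
  const t0 = 1700000000000; // constructed timestamp (ms since epoch)
  const claim = buildIpClaim("203.0.113.10", t0);
  return {
    mintedForWhitelistedIp: claim !== null,
    mintedForOtherIp: buildIpClaim("198.51.100.5", t0) !== null,
    allowedFromAnyNetworkWhileFresh: ruleAllows(claim, t0 + 30 * 60 * 1000),
    allowedAfterClaimExpires: ruleAllows(claim, t0 + 2 * 60 * 60 * 1000),
  };
}

module.exports = { IP_WHITELIST, CLAIM_MAX_AGE_MS, buildIpClaim, ruleAllows, walkthrough };
```

The point the walk-through makes: the claim is a statement about the past, so the "firewall" is only as good as how often the server re-issues the claim and how short the token lifetime is. Firebase ID tokens are valid for one hour after issue, and a changed claim only reaches the rule after the client refreshes its token, so a rule of this kind should be paired with a freshness bound like the one above rather than treated as a live IP filter.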

Solution

  • Posting Frank's comment as Wiki for visibility.

    Custom claims can only be set by users with administrator-level access to the Firebase project. So if a certain claim is set to a value, you can be certain it was set by an account with those access permissions. But it's hard to say more about how secure an implementation is going to be, because that depends almost solely on the implementation.