Client IP or HTTP header based condition


Dima Ermakov

Apr 28, 2023, 8:41:18 AM
to Keycloak User
Hi!

We have Keycloak deployed and it seems to work well.

We would like to have different authentication flows based on where a user comes from, i.e.:

If a user connects from "IPv4 private range": offer login and password authentication,
else: offer login, password + OTP authentication.

The idea is to protect user accounts from the Internet.

As we have our Keycloak behind a load balancer, we can add a specific header to requests from our internal network, i.e. "X-INTERNAL-NET=true" or similar.

Do you know if there is any way to configure Keycloak to offer different authentication flows based on either client IP or an HTTP header? We would like to use the same realm.

Thanks in advance,
// Dmitrii.
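
The decision described in the post, written out as an added example (not part of the original message and not Keycloak code): the `X-INTERNAL-NET` header is honored only when the request arrives from the load balancer, and any other peer is judged by its address alone. The class and method names and the proxy address `10.0.0.5` are hypothetical, and the load balancer is assumed to overwrite the header on every request it forwards.

```java
import java.util.Map;
import java.util.Set;

public class InternalNetCondition {
    // Constructed value: address from which the load balancer reaches Keycloak.
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    static final String HEADER = "x-internal-net"; // header names compared lower-case

    /** True only for dotted-quad literals in 10/8, 172.16/12 or 192.168/16. */
    static boolean isPrivateIpv4(String ip) {
        String[] parts = ip == null ? new String[0] : ip.split("\\.", -1);
        if (parts.length != 4) return false;
        int[] o = new int[4];
        for (int i = 0; i < 4; i++) {
            if (!parts[i].matches("\\d{1,3}")) return false; // no hostnames, no signs
            o[i] = Integer.parseInt(parts[i]);
            if (o[i] > 255) return false;
        }
        return o[0] == 10
            || (o[0] == 172 && o[1] >= 16 && o[1] <= 31)
            || (o[0] == 192 && o[1] == 168);
    }

    /** peerAddr is the TCP peer seen by Keycloak; headers has lower-cased names. */
    static boolean otpRequired(String peerAddr, Map<String, String> headers) {
        if (TRUSTED_PROXIES.contains(peerAddr)) {
            // Behind the load balancer the peer address is always the proxy,
            // so the header it sets is the only signal of the client's origin.
            return !"true".equalsIgnoreCase(headers.get(HEADER));
        }
        // Any other peer controls its own headers: ignore them, use the address.
        return !isPrivateIpv4(peerAddr);
    }

    public static void main(String[] args) {
        // Constructed requests: {peer address, X-INTERNAL-NET value or null}.
        String[][] cases = {
            {"10.0.0.5", "true"},     // via load balancer, internal client
            {"10.0.0.5", null},       // via load balancer, Internet client
            {"203.0.113.7", "true"},  // direct peer sending the header itself
            {"192.168.1.20", null},   // direct peer in a private range
        };
        for (String[] c : cases) {
            Map<String, String> h = c[1] == null ? Map.of() : Map.of(HEADER, c[1]);
            System.out.printf("%-13s header=%-4s -> %s%n", c[0], c[1],
                otpRequired(c[0], h) ? "password + OTP" : "password only");
        }
    }
}
```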