How to allow refresh_token based user ip?


Is there any way to meet this requirement in keycloak?

Requirement: the service owner wants to control user login based on origin IP.
e.g. protocol/openid-connect/auth, protocol/openid-connect/token

What I did for this requirement:

  1. Implemented a new SPI that checks the user IP.
  2. Added it to Authentication flow > browser.
    ==> Now I can control user login via the OAuth2 (authorization code) flow if the user IP isn't in the allowed list.

But the problem is, it doesn't work when the user tries to get a new access token with a refresh_token (grant_type = refresh_token).

Is there any way to insert a custom execution for the /token API?

Thank you in advance.
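As an added illustration of step 1 (not the poster's code), a minimal Keycloak Authenticator that allowlists client IPs by CIDR; the class name and the allowlist are constructed, and the matching AuthenticatorFactory plus its META-INF/services registration, which the SPI also needs, are assumed to exist. Because it is an execution of the browser flow it only runs when that flow runs, which is why a refresh_token grant at /token never reaches it.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** Browser-flow execution that denies the login when the client IP is outside the allowlist. */
public class AllowedIpAuthenticator implements Authenticator {
    // Constructed sample allowlist; a real version would read it from the execution's config.
    static final List<String> ALLOWED_CIDRS = List.of("10.0.0.0/8", "192.168.1.0/24", "2001:db8::/32");

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Address Keycloak saw the request from. Behind a reverse proxy this is the
        // proxy's address unless Keycloak is configured to trust forwarded headers.
        String remote = context.getConnection().getRemoteAddr();
        if (isAllowed(remote, ALLOWED_CIDRS)) {
            context.success();
        } else {
            context.failure(AuthenticationFlowError.ACCESS_DENIED); // fails the whole flow
        }
    }

    /** Prefix match of ip against each CIDR; unparsable input fails closed (returns false). */
    static boolean isAllowed(String ip, List<String> cidrs) {
        try {
            byte[] a = InetAddress.getByName(ip).getAddress();
            for (String cidr : cidrs) {
                String[] p = cidr.split("/");
                byte[] n = InetAddress.getByName(p[0]).getAddress();
                int prefix = Integer.parseInt(p[1]);
                if (a.length != n.length || prefix < 0 || prefix > a.length * 8) continue;
                int full = prefix / 8, rem = prefix % 8, i = 0;
                while (i < full && a[i] == n[i]) i++;
                if (i < full) continue;                          // whole-byte part differs
                int m = (0xFF << (8 - rem)) & 0xFF;              // high 'rem' bits of the last byte
                if (rem == 0 || (a[full] & m) == (n[full] & m)) return true;
            }
        } catch (UnknownHostException | RuntimeException e) { /* bad IP or CIDR: deny */ }
        return false;
    }

    @Override public void action(AuthenticationFlowContext context) { }   // no form to process
    @Override public boolean requiresUser() { return false; }             // runs before any login form
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```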