Securing the built-in admin-cli client

As I understand, the built-in admin-cli client is for REST API access. If it is accessible from all public IP addresses, as is the default, there is a potential security risk. Is it possible to limit its access to whitelisted IP addresses?

Similarly for the realm-management client.

First: I would personally not expose Keycloak directly to attached networks/the internet but use a reverse proxy.

If I understand your question correctly, this would solve your problem, as you could delegate all network/IP-based access control to the reverse proxy.

If you do not use a reverse proxy, you are also exposing the admin interface (login) to your clientele.

I do have an nginx reverse proxy. I will protect those endpoints with the proxy then. Thanks for the advice.

Looks like what we need to do is to match “client_id=admin-cli” in the query string, and limit the source IP when matched. It turns out this is not straightforward with nginx.

PS: These are the types of access that should be protected:

curl --silent -X POST \
  "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=admin-cli" \
  -d "username=admin" \
  -d "password=..." \
  -d "grant_type=password"

Is there any way to do this type of protection inside Keycloak?
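The reverse-proxy approach suggested in the reply above, worked out as an nginx configuration. This is an added example, not configuration from either poster or from the Keycloak project. Rather than trying to match `client_id=admin-cli` (which in the curl call above travels in the POST body, not the query string, and is not available to plain nginx directives before `proxy_pass`), it restricts by path: the admin console/REST API under `/admin/` and the master realm's token endpoint, which is where an `admin-cli` password grant for the `admin` user lands. Assumed values: Keycloak listening on `127.0.0.1:8080`, a trusted management network `10.0.0.0/8`, and the hostname `sso.example.com`.

```nginx
# Constructed example: nginx in front of Keycloak. Admin-only paths are limited
# to an IP allow-list; application realms and login pages stay public.
upstream keycloak {
    server 127.0.0.1:8080;            # assumed Keycloak backend address
}

server {
    listen 443 ssl;
    server_name sso.example.com;      # assumed hostname
    # ssl_certificate / ssl_certificate_key directives omitted for brevity

    # Headers Keycloak needs behind a proxy (Host, scheme, client IP).
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

    # Admin console and admin REST API: management network only.
    location /admin/ {
        allow 10.0.0.0/8;             # assumed trusted CIDR
        deny  all;                    # everyone else gets HTTP 403
        proxy_pass http://keycloak;
    }

    # Master realm token endpoint: this is the URL the admin-cli/password-grant
    # curl call hits when KEYCLOAK_REALM=master, so it gets the same allow-list.
    location = /realms/master/protocol/openid-connect/token {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak;
    }

    # Everything else (other realms, account console, login pages) stays public.
    location / {
        proxy_pass http://keycloak;
    }
}
```

If the admin user also exists in an application realm, that realm's token endpoint would need the same treatment, which is one reason to keep administrative accounts in the master realm only. Verify the rule by sending the curl call above from an address outside the allow-list and confirming nginx answers 403 before the request ever reaches Keycloak; `nginx -t` checks the syntax before a reload.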