SPI for consistent inbound IP for sessions

Hello,

I’m currently trying to satisfy the following STIG, which would restrict users to using a consistent inbound source IP for the entire user session. If the user session IP has changed, the preferred action would be to trigger a logout. While research suggests that Keycloak is not a “traditional” web server, I would like to try and implement this rule. I’ve attempted to create a custom Authentication SPI for this “IP Restriction” rule, but with no luck.

First, does anyone know if this is handled by Keycloak? I could not find any details in the documentation.

Secondly, is what I’m trying to accomplish possible with a Keycloak SPI?

Any help or information on this topic would be greatly appreciated. Thanks.

You probably could do that by overriding the Cookie authenticator (that is what handles the Keycloak sessions).
But I don’t see how this would really improve anything (better use a short enough session lifetime + 2FA) and it would only affect SSO behaviour. Depending on how your downstream services handle auth, logins there would only be affected if they see a need to re-authenticate with Keycloak, typically only after their session lifetime expired.
You would also need to implement it in all downstream services that use Keycloak to authenticate.

1 Like
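The approach described in the reply above, as an added example rather than code from the poster or from Keycloak itself: a replacement for the built-in Cookie authenticator that re-authenticates from the SSO cookie only when the request's source address matches the one Keycloak recorded when the user session was created, and otherwise removes the session so the browser flow falls through to a fresh login. The package and class names are hypothetical, the choice to treat a session with no recorded address as a mismatch is an assumption, and the `AuthenticatorFactory` that registers the class is omitted.

```java
package example.keycloak.auth; // hypothetical package name

import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.services.managers.AuthenticationManager;

// Drop-in for the "Cookie" step of the browser flow: SSO via cookie only from the login-time source IP.
public class SourceIpBoundCookieAuthenticator implements Authenticator {

    private static final Logger LOG = Logger.getLogger(SourceIpBoundCookieAuthenticator.class);

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        AuthenticationManager.AuthResult result =
                AuthenticationManager.authenticateIdentityCookie(session, realm, true);
        if (result == null) {
            context.attempted(); // no valid SSO cookie: let the next authenticator (e.g. the login form) run
            return;
        }
        UserSessionModel userSession = result.getSession();
        String boundIp = userSession.getIpAddress();               // address Keycloak stored at login
        String currentIp = context.getConnection().getRemoteAddr(); // address of this request
        if (boundIp == null || !boundIp.equals(currentIp)) {
            // Assumption: a missing recorded address is treated like a change (fail closed).
            LOG.warnf("SSO session %s for user %s is bound to %s but request came from %s; terminating session",
                    userSession.getId(), result.getUser().getUsername(), boundIp, currentIp);
            session.sessions().removeUserSession(realm, userSession); // server-side logout of the SSO session
            context.attempted();                                     // force the rest of the flow (fresh login)
            return;
        }
        context.setUser(result.getUser());
        context.attachUserSession(userSession);
        context.success();
    }

    @Override public void action(AuthenticationFlowContext context) { /* no form submission to handle */ }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Register it through an `AuthenticatorFactory` listed in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, then swap it for "Cookie" in a copy of the browser flow. `getRemoteAddr()` is the address Keycloak itself sees, so behind a reverse proxy the forwarded-address handling must be configured, and as the reply notes this only governs Keycloak's SSO session, not the sessions downstream applications keep on their own.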