This extension adds access control policies to Keycloak, allowing restrictions based on IP-based geolocation and automatic group membership based on ASN. Geolocation data and the ASN are provided through HTTP headers from upstream providers like Cloudflare and CloudFront.
- Geo-Restriction: Enforce authentication restrictions based on the IP address's geography.
- Group Membership (ASN): Automatically add users to a group when logging in from specific ASNs.
| Keycloak version | v0.1.x |
|---|---|
| KC 26.6.x | ✅ |
| KC 26.5.x | ✅ |

Legend: ✅ Compatible, ➖ Patch only, ☑️ Not validated

- Download the latest compatible release from the releases page
- Save the downloaded JAR file into the `providers/` directory inside the Keycloak installation folder
- Restart the Keycloak server
- Add the execution (`Restrict Authentication by Geolocation` or `ASN Group Assignment`) to the browser flow
- Configure the settings in the execution
- Set the execution to required

Users must have a custom multi-value user attribute set. The values in the user attribute must match the values provided by the HTTP headers. The comparison is case-insensitive.

The target group must be specified with its full path, including the leading slash.

By default, an info page is shown if the user (1) authenticates from outside an approved ASN, (2) is not already a member of the target group. The text shown is set by the message keys `groupAsnTitle` and `groupAsnInfo`.

Keycloak Conditional Access Extension (keycloak-extension-conditional-access / com.hadleyso.keycloak.caccess) is distributed under GNU Affero General Public License v3.0. Copyright (c) 2026 Hadley So.