Thanks. I had hard time figuring how IPv6 matching was done but it's OK now. (for the record, it looks like all fields of an IPv6 address must be listed : '2001:db8:0:0:0:0:0:0/32 allow' is OK but not '2001:db8::/32 allow') -- Ionel GARDAIS Tech'Advantage CIO - IT Team manager De: "Sebastian Laskawiec" <slaskawi(a)redhat.com&gt; À: "Ionel GARDAIS" <ionel.gardais(a)tech-advantage.com&gt; Cc: "keycloak-user" <keycloak-user(a)lists.jboss.org&gt; Envoyé: Lundi 17 Septembre 2018 09:15:31 Objet: Re: [keycloak-user] Securing keycloak This documentation piece should do exactly what you want: [ https://www.keycloak.org/docs/latest/server_admin/index.html#ip-restriction | https://www.keycloak.org/docs/latest/server_admin/index.html#ip-restriction ] On Sun, Sep 16, 2018 at 10:25 AM GARDAIS Ionel < [ mailto:ionel.gardais@tech-advantage.com | ionel.gardais(a)tech-advantage.com ] > wrote: Hi list, Beside /auth/admin, are there any other URI that should be secured/restricted to limit attack surface for a public facing keycloak ? By the way, could it be useful to add a dedicated configuration entry directly inside keycloak to restrict IPs allowed to make to low-level actions ? Thanks, Ionel -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301_______________________________________________ keycloak-user mailing list [ mailto:keycloak-user@lists.jboss.org | keycloak-user(a)lists.jboss.org ] [ https://lists.jboss.org/mailman/listinfo/keycloak-user | https://lists.jboss.org/mailman/listinfo/keycloak-user ] -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301