You will probably need some kind of HTTP proxy like [mod_auth_openidc](https://github.com/zmartzone/mod_auth_openidc), where you could do something like ``` <Location /user> AuthType openid-connect Require claim scope:user Require claim scope:admin Require valid-user </Location> <Location /admin> AuthType openid-connect Require claim scope:admin OIDCUnAutzAction auth OIDCPathScope admin Require valid-user </Location> ``` And then you'd have to make sure that only the admin users get this scope. This could perhaps be accomplished with a Gluu Server dynamic scope script. In terms of IP Address, you have the remote IP in the authentication context. See the [allowed country script](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/allowed_countries/allowed_countries.py). So the answer is yes... but it will require some creativity, and some knowledge about how to use the Gluu Server interception scripts effectively. If you test a working solution, please post it here for the communities' benefit!

From what I understand, this seems like something that is to be implemented at the web-server level, but I'll need to trade-off the fact that a hacker could steal and successfully obtain an access token, but my web-server will not allow since they are not using the correct IP. It is a bit of a trade-off because I had isolated admin resources from other user resources, and that included the login.

First of all, SSO does not work with an access token--it uses the session cookie in the browser. Second, the Authorization Server is not in the web flow. To enforce policies on web sites, you need something that is between the browser and the web site you are protecting. An IDP or OAuth Authorization server is not what you think. You may want to read my book [Securing the Perimeter](https://gluu.co/book)