You will probably need some kind of HTTP proxy like [mod_auth_openidc](https://github.com/zmartzone/mod_auth_openidc), where you could do something like
```
<Location /user>
AuthType openid-connect
Require claim scope:user
Require claim scope:admin
Require valid-user
</Location>
<Location /admin>
AuthType openid-connect
Require claim scope:admin
OIDCUnAutzAction auth
OIDCPathScope admin
Require valid-user
</Location>
```
And then you'd have to make sure that only the admin users get this scope. This could perhaps be accomplished with a Gluu Server dynamic scope script.
In terms of IP Address, you have the remote IP in the authentication context. See the [allowed country script](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/allowed_countries/allowed_countries.py).
So the answer is yes... but it will require some creativity, and some knowledge about how to use the Gluu Server interception scripts effectively.
If you test a working solution, please post it here for the communities' benefit!