[keycloak-user] Link to Account Page

Rodrigo Sasaki rodrigopsasaki at gmail.com
Thu Oct 9 09:27:12 EDT 2014


When I invoke that URL it calles the init() method, inside
AccountService.java and inside that method there is this verification:

String referrer = headers.getRequestHeaders().getFirst("Referer");
if (referrer != null &&
!requestOrigin.equals(UriUtils.getOrigin(referrer))) {
    throw new ForbiddenException();
}

the referrer is from our server, but the requestOrigin points to the
keycloak server, so they never match

On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen <stian at redhat.com> wrote:

> You can link to the account page with the following link:
>
>   https://<KEYCLOAK SERVER>/auth/realms/<REALM NAME>/account
>
> You can also have an option to get a link back to your application by
> adding either referrer or referrer_uri query param:
>
> * referrer - your applications id (this requires "Default Redirect URL" to
> be set for your application)
> * referrer_uri - the uri to return to (this requires referrer_uri to be a
> valid redirect uri for your application)
>
> We do this in the admin console, so you can look at how it works there.
> Login to the admin console, click on your username in the top-right corner,
> and click on 'Manage account'. In the account management there's now in the
> top-right corner 'Back to security-admin-console'. If you try edit the url
> to remove '?referrer=security-admin-console' you'll see this link is no
> longer there.
>
>
> I've got no idea what validation you're talking about that that checks the
> referrer is the same as the server. Maybe it's the fact that for an update
> (post) we only allow a post originating from the Keycloak server? That
> doesn't stop you from linking to the account page, but it stops you from
> posting to it.
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 8 October, 2014 11:29:17 PM
> > Subject: [keycloak-user] Link to Account Page
> >
> > Hello,
> >
> > I am trying to create a link on our application to go directly to
> Keycloak's
> > Account Page, so the user can alter his information, but it doesn't work.
> >
> > I saw that there is a validation that assures that the referrer is the
> same
> > as the server, for example: I can only access the account app inside my
> > localhost:8080 if the referrer is also in localhost:8080.
> >
> > Is it supposed to be like this? Is there a way for me to create a
> hyperlink
> > from my application directly to Keycloak's Account Page? Given that my
> own
> > application is secured by Keycloak, I think it should be possible.
> >
> > Is this the correct behavior?
> >
> > Thanks again!
> >
> > --
> > Rodrigo Sasaki
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>



-- 
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141009/b537a140/attachment.html 


More information about the keycloak-user mailing list