[keycloak-user] Link to Account Page

Stian Thorgersen stian at redhat.com
Fri Oct 10 03:13:00 EDT 2014



----- Original Message -----
> From: "Travis De Silva" <traviskds at gmail.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>, keycloak-user at lists.jboss.org
> Sent: Friday, 10 October, 2014 5:20:54 AM
> Subject: Re: [keycloak-user] Link to Account Page
> 
> How I handle this issue is by having KeyCloak behind my Apache Reverse
> proxy. That way, the domain and port of my application and keycloak both
> are the same so there is no issue.

That works, but there shouldn't be a requirement that Keycloak is on the same domain as your application.

> 
> Also not sure why you want to prevent a post because won't you have a use
> case why an end user can go into the account page that is linked from an
> application and change their info such as their credentials. I would assume
> that is a post action on the keycloak account forms.

If there's no protection on post, then an external page can create a link that when clicked will change your account (if you're logged-in that is). For example to change your email address so they can then hijack your account.

> 
> On Fri, Oct 10, 2014 at 1:07 AM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > I reckon request.getHttpMethod should be what's needed
> >
> > ----- Original Message -----
> > > From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > To: "Stian Thorgersen" <stian at redhat.com>
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Thursday, 9 October, 2014 3:54:07 PM
> > > Subject: Re: [keycloak-user] Link to Account Page
> > >
> > > JIRA created: https://issues.jboss.org/browse/KEYCLOAK-746
> > >
> > > Just out of curiosity, how would that be fixed? A simple test on
> > > request.getHttpMethod? or with something a little more complex?
> > >
> > > On Thu, Oct 9, 2014 at 10:33 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > >
> > > > That's a bug, it should only be checking that if it's a post. Can you
> > > > create a jira please?
> > > >
> > > > ----- Original Message -----
> > > > > From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > > > To: "Stian Thorgersen" <stian at redhat.com>
> > > > > Cc: keycloak-user at lists.jboss.org
> > > > > Sent: Thursday, 9 October, 2014 3:27:12 PM
> > > > > Subject: Re: [keycloak-user] Link to Account Page
> > > > >
> > > > > When I invoke that URL it calls the init() method inside
> > > > > AccountService.java, and inside that method there is this verification:
> > > > >
> > > > > String referrer = headers.getRequestHeaders().getFirst("Referer");
> > > > > if (referrer != null &&
> > > > > !requestOrigin.equals(UriUtils.getOrigin(referrer))) {
> > > > >     throw new ForbiddenException();
> > > > > }
> > > > >
> > > > > the referrer is from our server, but the requestOrigin points to the
> > > > > keycloak server, so they never match
> > > > >
> > > > > On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > > > >
> > > > > > You can link to the account page with the following link:
> > > > > >
> > > > > >   https://<KEYCLOAK SERVER>/auth/realms/<REALM NAME>/account
> > > > > >
> > > > > > You can also have an option to get a link back to your application by
> > > > > > adding either the referrer or the referrer_uri query param:
> > > > > >
> > > > > > * referrer - your application's id (this requires "Default Redirect URL" to
> > > > > > be set for your application)
> > > > > > * referrer_uri - the uri to return to (this requires referrer_uri to be a
> > > > > > valid redirect uri for your application)
> > > > > >
> > > > > > We do this in the admin console, so you can look at how it works there.
> > > > > > Login to the admin console, click on your username in the top-right corner,
> > > > > > and click on 'Manage account'. In the account management there's now in the
> > > > > > top-right corner 'Back to security-admin-console'. If you try to edit the url
> > > > > > to remove '?referrer=security-admin-console' you'll see this link is no
> > > > > > longer there.
> > > > > >
> > > > > >
> > > > > > I've got no idea what validation you're talking about that checks the
> > > > > > referrer is the same as the server. Maybe it's the fact that for an update
> > > > > > (post) we only allow a post originating from the Keycloak server? That
> > > > > > doesn't stop you from linking to the account page, but it stops you from
> > > > > > posting to it.
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > > > > > To: keycloak-user at lists.jboss.org
> > > > > > > Sent: Wednesday, 8 October, 2014 11:29:17 PM
> > > > > > > Subject: [keycloak-user] Link to Account Page
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > I am trying to create a link on our application to go directly to Keycloak's
> > > > > > > Account Page, so the user can alter his information, but it doesn't work.
> > > > > > >
> > > > > > > I saw that there is a validation that assures that the referrer is the same
> > > > > > > as the server, for example: I can only access the account app inside my
> > > > > > > localhost:8080 if the referrer is also in localhost:8080.
> > > > > > >
> > > > > > > Is it supposed to be like this? Is there a way for me to create a hyperlink
> > > > > > > from my application directly to Keycloak's Account Page? Given that my own
> > > > > > > application is secured by Keycloak, I think it should be possible.
> > > > > > >
> > > > > > > Is this the correct behavior?
> > > > > > >
> > > > > > > Thanks again!
> > > > > > >
> > > > > > > --
> > > > > > > Rodrigo Sasaki
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > keycloak-user mailing list
> > > > > > > keycloak-user at lists.jboss.org
> > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Rodrigo Sasaki
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Rodrigo Sasaki
> > >
> >
> 
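The thread above describes the bug and its fix: the account page compared the Referer origin with the Keycloak server's own origin on every request, which rejected a plain link from another application, while the check is only needed for state-changing requests (POST) where it acts as CSRF protection. The following is an added example, not Keycloak's own code, that shows the buggy rule next to the corrected one in a self-contained Java class. All names (`AccountCsrfCheck`, `allowedBuggy`, `allowedFixed`, the origins `https://keycloak.example` and `http://localhost:8080`) are hypothetical and constructed for this illustration; the origin parsing stands in for Keycloak's `UriUtils.getOrigin`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (hypothetical, not Keycloak code): a same-origin Referer
 * check that is enforced only for state-changing requests, mirroring the
 * fix discussed in the thread for the account page.
 */
public class AccountCsrfCheck {

    // Methods that can change account state and therefore need the check.
    private static final Set<String> STATE_CHANGING =
            Set.of("POST", "PUT", "PATCH", "DELETE");

    /** Returns scheme://host[:port] for a URI, or null if it cannot be parsed. */
    static String getOrigin(String uri) {
        try {
            URI u = new URI(uri);
            if (u.getScheme() == null || u.getHost() == null) {
                return null;
            }
            String origin = u.getScheme() + "://" + u.getHost();
            if (u.getPort() != -1) {
                origin += ":" + u.getPort();
            }
            return origin;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /**
     * Behaviour reported in the thread: the Referer origin is compared with
     * the server origin regardless of HTTP method, so a GET that follows a
     * link from another application is rejected.
     */
    static boolean allowedBuggy(String method, String requestOrigin, String referer) {
        return referer == null || requestOrigin.equals(getOrigin(referer));
    }

    /**
     * Corrected behaviour: safe methods such as GET are never checked, so
     * linking to the page works; state-changing methods must carry a Referer
     * whose origin is the server itself. As in the thread's snippet, a
     * missing Referer is accepted; a stricter deployment would reject it on
     * state-changing requests.
     */
    static boolean allowedFixed(String method, String requestOrigin, String referer) {
        if (!STATE_CHANGING.contains(method.toUpperCase(Locale.ROOT))) {
            return true;
        }
        return referer == null || requestOrigin.equals(getOrigin(referer));
    }

    public static void main(String[] args) {
        // Constructed values: the Keycloak server origin and two Referer headers,
        // one from the linking application and one from the account page itself.
        String keycloak = "https://keycloak.example";
        String appReferer = "http://localhost:8080/app/profile";
        String selfReferer = "https://keycloak.example/auth/realms/demo/account";

        // A GET that arrives via a link from the application: rejected by the
        // old rule, allowed by the corrected one.
        System.out.println("GET from app, old rule:  " + allowedBuggy("GET", keycloak, appReferer));
        System.out.println("GET from app, new rule:  " + allowedFixed("GET", keycloak, appReferer));

        // A POST is allowed only when it originates from the server's own page.
        System.out.println("POST from app, new rule: " + allowedFixed("POST", keycloak, appReferer));
        System.out.println("POST from self, new rule: " + allowedFixed("POST", keycloak, selfReferer));
    }
}
```

The comparison is on the full origin (scheme, host and port), which is why the reverse-proxy workaround mentioned earlier in the thread also "works": it makes the application and Keycloak share one origin, so the Referer always matches even under the old rule.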

