<div dir="ltr">When I invoke that URL it calls the <font face="courier new, monospace">init()</font> method, inside <font face="courier new, monospace">AccountService.java</font>, and inside that method there is this verification:<div><br></div><div><div><font face="courier new, monospace">String referrer = <font color="#000000">headers</font>.getRequestHeaders().getFirst("Referer");</font></div><div><font face="courier new, monospace">if (referrer != null && !requestOrigin.equals(UriUtils.getOrigin(referrer))) {</font></div><div><font face="courier new, monospace"> throw new ForbiddenException();</font></div><div><font face="courier new, monospace">}</font></div></div><div><br></div><div>The referrer is from our server, but the requestOrigin points to the Keycloak server, so they never match.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You can link to the account page with the following link:<br>
<br>
https://<KEYCLOAK SERVER>/auth/realms/<REALM NAME>/account<br>
<br>
You can also have an option to get a link back to your application by adding either referrer or referrer_uri query param:<br>
<br>
* referrer - your application's id (this requires "Default Redirect URL" to be set for your application)<br>
* referrer_uri - the uri to return to (this requires referrer_uri to be a valid redirect uri for your application)<br>
<br>
We do this in the admin console, so you can look at how it works there. Log in to the admin console, click on your username in the top-right corner, and click on 'Manage account'. In the account management there's now in the top-right corner 'Back to security-admin-console'. If you try to edit the url to remove '?referrer=security-admin-console' you'll see this link is no longer there.<br>
<br>
<br>
I've got no idea what validation you're talking about that checks the referrer is the same as the server. Maybe it's the fact that for an update (post) we only allow a post originating from the Keycloak server? That doesn't stop you from linking to the account page, but it stops you from posting to it.<br>
<div><div class="h5"><br>
----- Original Message -----<br>
> From: "Rodrigo Sasaki" <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Wednesday, 8 October, 2014 11:29:17 PM<br>
> Subject: [keycloak-user] Link to Account Page<br>
><br>
> Hello,<br>
><br>
> I am trying to create a link on our application to go directly to Keycloak's<br>
> Account Page, so the user can alter his information, but it doesn't work.<br>
><br>
> I saw that there is a validation that assures that the referrer is the same<br>
> as the server, for example: I can only access the account app inside my<br>
> localhost:8080 if the referrer is also in localhost:8080.<br>
><br>
> Is it supposed to be like this? Is there a way for me to create a hyperlink<br>
> from my application directly to Keycloak's Account Page? Given that my own<br>
> application is secured by Keycloak, I think it should be possible.<br>
><br>
> Is this the correct behavior?<br>
><br>
> Thanks again!<br>
><br>
> --<br>
> Rodrigo Sasaki<br>
><br>
</div></div>> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><font face="Times New Roman">Rodrigo Sasaki</font><div></div></div>
</div>