<div dir="ltr">JIRA created: <a href="https://issues.jboss.org/browse/KEYCLOAK-746">https://issues.jboss.org/browse/KEYCLOAK-746</a><div><br></div><div>Just out of curiosity, how would that be fixed? A simple test on request.getHttpMethod? or with something a little more complex?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 9, 2014 at 10:33 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">That's a bug, it should only be checking that if it's a post. Can you create a jira please?<br>
<span class="im HOEnZb"><br>
----- Original Message -----<br>
> From: "Rodrigo Sasaki" <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
</span><div class="HOEnZb"><div class="h5">> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Thursday, 9 October, 2014 3:27:12 PM<br>
> Subject: Re: [keycloak-user] Link to Account Page<br>
><br>
> When I invoke that URL it calls the init() method, inside<br>
> AccountService.java and inside that method there is this verification:<br>
><br>
> String referrer = headers.getRequestHeaders().getFirst("Referer");<br>
> if (referrer != null &&<br>
> !requestOrigin.equals(UriUtils.getOrigin(referrer))) {<br>
> throw new ForbiddenException();<br>
> }<br>
><br>
> the referrer is from our server, but the requestOrigin points to the<br>
> Keycloak server, so they never match<br>
><br>
> On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br>
><br>
> > You can link to the account page with the following link:<br>
> ><br>
> > https://<KEYCLOAK SERVER>/auth/realms/<REALM NAME>/account<br>
> ><br>
> > You can also have an option to get a link back to your application by<br>
> > adding either referrer or referrer_uri query param:<br>
> ><br>
> > * referrer - your applications id (this requires "Default Redirect URL" to<br>
> > be set for your application)<br>
> > * referrer_uri - the uri to return to (this requires referrer_uri to be a<br>
> > valid redirect uri for your application)<br>
> ><br>
> > We do this in the admin console, so you can look at how it works there.<br>
> > Log in to the admin console, click on your username in the top-right corner,<br>
> > and click on 'Manage account'. In the account management there's now in the<br>
> > top-right corner 'Back to security-admin-console'. If you try to edit the URL<br>
> > to remove '?referrer=security-admin-console' you'll see this link is no<br>
> > longer there.<br>
> ><br>
> ><br>
> > I've got no idea what validation you're talking about that checks the<br>
> > referrer is the same as the server. Maybe it's the fact that for an update<br>
> > (post) we only allow a post originating from the Keycloak server? That<br>
> > doesn't stop you from linking to the account page, but it stops you from<br>
> > posting to it.<br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Rodrigo Sasaki" <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> > > To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > Sent: Wednesday, 8 October, 2014 11:29:17 PM<br>
> > > Subject: [keycloak-user] Link to Account Page<br>
> > ><br>
> > > Hello,<br>
> > ><br>
> > > I am trying to create a link on our application to go directly to<br>
> > Keycloak's<br>
> > > Account Page, so the user can alter his information, but it doesn't work.<br>
> > ><br>
> > > I saw that there is a validation that assures that the referrer is the<br>
> > same<br>
> > > as the server, for example: I can only access the account app inside my<br>
> > > localhost:8080 if the referrer is also in localhost:8080.<br>
> > ><br>
> > > Is it supposed to be like this? Is there a way for me to create a<br>
> > hyperlink<br>
> > > from my application directly to Keycloak's Account Page? Given that my<br>
> > own<br>
> > > application is secured by Keycloak, I think it should be possible.<br>
> > ><br>
> > > Is this the correct behavior?<br>
> > ><br>
> > > Thanks again!<br>
> > ><br>
> > > --<br>
> > > Rodrigo Sasaki<br>
> > ><br>
> > > _______________________________________________<br>
> > > keycloak-user mailing list<br>
> > > <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> ><br>
><br>
><br>
><br>
> --<br>
> Rodrigo Sasaki<br>
><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><font face="Times New Roman">Rodrigo Sasaki</font><div></div></div>
</div>
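<p>As an added illustration (not Keycloak's own code and not part of the thread above): a self-contained Java class, <code>RefererOriginCheck</code> (a hypothetical name), that contrasts the check as quoted in the thread, applied to every request, with the behaviour Stian describes as intended, where the Referer origin only has to match for a POST. The origins and paths in <code>main</code> are constructed sample values; <code>getOrigin</code> is a local helper standing in for the project's <code>UriUtils.getOrigin</code>, not a copy of it.</p>

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Hypothetical stand-alone illustration of the Referer/origin check discussed
 * in the keycloak-user thread (KEYCLOAK-746). Not Keycloak's AccountService code.
 *
 * The rule: the Referer origin must match the request origin only for
 * state-changing (POST) requests, which is what such a check exists for
 * (blocking cross-site form posts). A plain GET deep link from another
 * application to the account page is allowed through.
 */
public class RefererOriginCheck {

    /** Reduce a URL to its origin: scheme://host[:port], lower-cased, default ports dropped. */
    static String getOrigin(String url) {
        try {
            URI u = new URI(url);
            String scheme = u.getScheme();
            String host = u.getHost();
            if (scheme == null || host == null) {
                return null; // not an absolute http(s) URL, so no usable origin
            }
            scheme = scheme.toLowerCase();
            host = host.toLowerCase();
            int port = u.getPort();
            boolean defaultPort = port == -1
                || ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
            return defaultPort ? scheme + "://" + host : scheme + "://" + host + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /**
     * Behaviour as quoted in the thread: the HTTP method is ignored, so a GET
     * link from the application's origin is rejected just like a cross-site POST.
     */
    static boolean allowedAsQuoted(String method, String requestOrigin, String referer) {
        return referer == null || requestOrigin.equals(getOrigin(referer));
    }

    /**
     * Intended behaviour: only a POST has to originate from the server itself.
     * A missing Referer on POST is accepted here, mirroring the quoted snippet;
     * a stricter deployment would reject it, since browsers and proxies can
     * strip the header and an attacker-controlled page can suppress it.
     */
    static boolean allowedPostOnly(String method, String requestOrigin, String referer) {
        if (!"POST".equalsIgnoreCase(method)) {
            return true; // GET/HEAD: linking to the page from elsewhere is fine
        }
        return referer == null || requestOrigin.equals(getOrigin(referer));
    }

    public static void main(String[] args) {
        // Constructed sample values: the Keycloak server and the application live on different origins
        String keycloakOrigin = "http://keycloak.example:8080";
        String appPage = "http://app.example:8080/home";
        String keycloakPage = keycloakOrigin + "/auth/realms/demo/account";

        // Rodrigo's case: a GET from the application to the account page
        System.out.println("GET from app, as quoted:   " + allowedAsQuoted("GET", keycloakOrigin, appPage));
        System.out.println("GET from app, POST-only:   " + allowedPostOnly("GET", keycloakOrigin, appPage));

        // A cross-site form POST to the account page stays blocked under both variants
        System.out.println("POST from app, POST-only:  " + allowedPostOnly("POST", keycloakOrigin, appPage));

        // A POST from Keycloak's own pages is allowed
        System.out.println("POST same-origin, POST-only: " + allowedPostOnly("POST", keycloakOrigin, keycloakPage));
    }
}
```

<p>Compile and run with <code>javac RefererOriginCheck.java && java RefererOriginCheck</code>. The two variants only differ on the first case: the quoted check refuses the cross-origin GET, which is exactly the deep link the thread is trying to create, while the POST-only check lets it through and still refuses the cross-origin POST. Note that a Referer-based check is a weak CSRF defence on its own, because the header is optional and often stripped; it is best treated as one layer next to a per-session token on the form.</p>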