<div dir="ltr">How I handle this issue is by having KeyCloak behind my Apache Reverse proxy. That way, the domain and port of my application and keycloak are both the same, so there is no issue.<div><br></div><div>Also not sure why you want to prevent a post, because wouldn't you have a use case where an end user can go into the account page that is linked from an application and change their info, such as their credentials? I would assume that is a post action on the keycloak account forms.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 10, 2014 at 1:07 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I reckon request.getHttpMethod should be what's needed<br>
<span class="im HOEnZb"><br>
----- Original Message -----<br>
> From: "Rodrigo Sasaki" <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
</span><div class="HOEnZb"><div class="h5">> Sent: Thursday, 9 October, 2014 3:54:07 PM<br>
> Subject: Re: [keycloak-user] Link to Account Page<br>
><br>
> JIRA created: <a href="https://issues.jboss.org/browse/KEYCLOAK-746" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-746</a><br>
><br>
> Just out of curiosity, how would that be fixed? A simple test on<br>
> request.getHttpMethod? or with something a little more complex?<br>
><br>
> On Thu, Oct 9, 2014 at 10:33 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br>
><br>
> > That's a bug, it should only be checking that if it's a post. Can you<br>
> > create a jira please?<br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Rodrigo Sasaki" <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> > > To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > Sent: Thursday, 9 October, 2014 3:27:12 PM<br>
> > > Subject: Re: [keycloak-user] Link to Account Page<br>
> > ><br>
> > > When I invoke that URL it calls the init() method, inside<br>
> > > AccountService.java and inside that method there is this verification:<br>
> > ><br>
> > > String referrer = headers.getRequestHeaders().getFirst("Referer");<br>
> > > if (referrer != null &&<br>
> > > !requestOrigin.equals(UriUtils.getOrigin(referrer))) {<br>
> > > throw new ForbiddenException();<br>
> > > }<br>
> > ><br>
> > > the referrer is from our server, but the requestOrigin points to the<br>
> > > keycloak server, so they never match<br>
> > ><br>
> > > On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > wrote:<br>
> > ><br>
> > > > You can link to the account page with the following link:<br>
> > > ><br>
> > > > https://<KEYCLOAK SERVER>/auth/realms/<REALM NAME>/account<br>
> > > ><br>
> > > > You can also have an option to get a link back to your application by<br>
> > > > adding either referrer or referrer_uri query param:<br>
> > > ><br>
> > > > * referrer - your applications id (this requires "Default Redirect<br>
> > URL" to<br>
> > > > be set for your application)<br>
> > > > * referrer_uri - the uri to return to (this requires referrer_uri to<br>
> > be a<br>
> > > > valid redirect uri for your application)<br>
> > > ><br>
> > > > We do this in the admin console, so you can look at how it works there.<br>
> > > > Login to the admin console, click on your username in the top-right<br>
> > corner,<br>
> > > > and click on 'Manage account'. In the account management there's now<br>
> > in the<br>
> > > > top-right corner 'Back to security-admin-console'. If you try to edit the<br>
> > url<br>
> > > > to remove '?referrer=security-admin-console' you'll see this link is no<br>
> > > > longer there.<br>
> > > ><br>
> > > ><br>
> > > > I've got no idea what validation you're talking about that checks<br>
> > the<br>
> > > > referrer is the same as the server. Maybe it's the fact that for an<br>
> > update<br>
> > > > (post) we only allow a post originating from the Keycloak server? That<br>
> > > > doesn't stop you from linking to the account page, but it stops you<br>
> > from<br>
> > > > posting to it.<br>
> > > ><br>
> > > > ----- Original Message -----<br>
> > > > > From: "Rodrigo Sasaki" <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> > > > > To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > Sent: Wednesday, 8 October, 2014 11:29:17 PM<br>
> > > > > Subject: [keycloak-user] Link to Account Page<br>
> > > > ><br>
> > > > > Hello,<br>
> > > > ><br>
> > > > > I am trying to create a link on our application to go directly to<br>
> > > > Keycloak's<br>
> > > > > Account Page, so the user can alter his information, but it doesn't<br>
> > work.<br>
> > > > ><br>
> > > > > I saw that there is a validation that assures that the referrer is<br>
> > the<br>
> > > > same<br>
> > > > > as the server, for example: I can only access the account app inside<br>
> > my<br>
> > > > > localhost:8080 if the referrer is also in localhost:8080.<br>
> > > > ><br>
> > > > > Is it supposed to be like this? Is there a way for me to create a<br>
> > > > hyperlink<br>
> > > > > from my application directly to Keycloak's Account Page? Given that<br>
> > my<br>
> > > > own<br>
> > > > > application is secured by Keycloak, I think it should be possible.<br>
> > > > ><br>
> > > > > Is this the correct behavior?<br>
> > > > ><br>
> > > > > Thanks again!<br>
> > > > ><br>
> > > > > --<br>
> > > > > Rodrigo Sasaki<br>
> > > > ><br>
> > > > > _______________________________________________<br>
> > > > > keycloak-user mailing list<br>
> > > > > <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> > > ><br>
> > ><br>
> > ><br>
> > ><br>
> > > --<br>
> > > Rodrigo Sasaki<br>
> > ><br>
> ><br>
><br>
><br>
><br>
> --<br>
> Rodrigo Sasaki<br>
><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div></div></blockquote></div><br></div>
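The thread above pins the problem down to a Referer-origin check in AccountService.init() that runs on every request, when (per Stian) it should only guard updates, i.e. POSTs, with the fix being a test on request.getHttpMethod. The following Python is an added, self-contained illustration of that logic and is not Keycloak's code: it reproduces the quoted check as written, places the method-gated version beside it, and includes the origin extraction that makes the two behave differently. All hostnames (sso.example.com, app.example.com, www.example.com), the function names and the ForbiddenException class are constructed for this example.

```python
"""Referer-origin check, applied to every request vs. gated on the HTTP method.

Constructed example; none of this is Keycloak source. It models the check quoted
in the thread (a present Referer whose origin differs from the request origin is
rejected) and the suggested fix (only enforce it for state-changing methods).
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


class ForbiddenException(Exception):
    """Stand-in for the exception the quoted check throws."""


def get_origin(url):
    """Return scheme://host[:port] for a URL, dropping default ports.

    Returns None for anything that is not an absolute http(s)-style URL,
    so a malformed Referer never accidentally compares equal to anything.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS.get(parts.scheme):
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def referer_matches(request_origin, referer):
    """Same rule as the quoted snippet: no Referer passes, a foreign origin fails."""
    return referer is None or get_origin(referer) == request_origin


def check_original(method, request_origin, referer):
    """Behaviour reported in the thread: enforced regardless of method (method unused)."""
    if not referer_matches(request_origin, referer):
        raise ForbiddenException()


def check_fixed(method, request_origin, referer):
    """Method-gated version: only state-changing requests must come from our origin.

    A plain GET that links into the account page from another application is
    allowed; a cross-origin POST that would change account data is still refused.
    """
    if method.upper() in STATE_CHANGING and not referer_matches(request_origin, referer):
        raise ForbiddenException()


def simulate(check, method, request_origin, referer):
    """Run a check and report the outcome as a string instead of raising."""
    try:
        check(method, request_origin, referer)
        return "allowed"
    except ForbiddenException:
        return "forbidden"


if __name__ == "__main__":
    sso = "https://sso.example.com"          # constructed Keycloak origin
    app_link = "https://app.example.com/settings"  # constructed application page
    for method in ("GET", "POST"):
        print(method, "original:", simulate(check_original, method, sso, app_link),
              "fixed:", simulate(check_fixed, method, sso, app_link))
    # Reverse-proxy case from the first message: both sit on one origin, so even
    # the unfixed check passes because the origins are literally equal.
    print("proxied GET:", simulate(check_original, "GET",
                                   "https://www.example.com",
                                   "https://www.example.com/app/"))
```

The GET row shows the bug from the thread (the unfixed check forbids the link, the fixed one allows it), the POST row shows that the fix keeps refusing cross-origin updates, and the proxied case shows why a shared reverse proxy makes the symptom disappear without any code change. Note that the Referer header is client-controlled and may be stripped by browsers or proxies, so a check of this shape is a defence-in-depth measure against cross-site form posts, not a substitute for a dedicated CSRF token.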