When I invoke that URL it calls the init() method inside
AccountService.java, and inside that method there is this verification:
    String referrer = headers.getRequestHeaders().getFirst("Referer");
    // Reject the request when a Referer is present but its origin
    // (scheme://host[:port]) differs from the origin this request was sent to.
    if (referrer != null &&
            !requestOrigin.equals(UriUtils.getOrigin(referrer))) {
        throw new ForbiddenException();
    }
The referrer is from our server, but the requestOrigin points to the
Keycloak server, so they never match.
On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
You can link to the account page with the following link:
https://<KEYCLOAK SERVER>/auth/realms/<REALM NAME>/account
You can also have an option to get a link back to your application by
adding either referrer or referrer_uri query param:
* referrer - your applications id (this requires "Default Redirect URL" to
be set for your application)
* referrer_uri - the uri to return to (this requires referrer_uri to be a
valid redirect uri for your application)
We do this in the admin console, so you can look at how it works there.
Login to the admin console, click on your username in the top-right corner,
and click on 'Manage account'. In the account management there's now in the
top-right corner 'Back to security-admin-console'. If you try to edit the URL
to remove '?referrer=security-admin-console' you'll see this link is no
longer there.
I've got no idea what validation you're talking about that checks the
referrer is the same as the server. Maybe it's the fact that for an update
(post) we only allow a post originating from the Keycloak server? That
doesn't stop you from linking to the account page, but it stops you from
posting to it.
----- Original Message -----
> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Wednesday, 8 October, 2014 11:29:17 PM
> Subject: [keycloak-user] Link to Account Page
>
> Hello,
>
> I am trying to create a link on our application to go directly to Keycloak's
> Account Page, so the user can alter his information, but it doesn't work.
>
> I saw that there is a validation that assures that the referrer is the same
> as the server, for example: I can only access the account app inside my
> localhost:8080 if the referrer is also in localhost:8080.
>
> Is it supposed to be like this? Is there a way for me to create a hyperlink
> from my application directly to Keycloak's Account Page? Given that my own
> application is secured by Keycloak, I think it should be possible.
>
> Is this the correct behavior?
>
> Thanks again!
>
> --
> Rodrigo Sasaki
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Rodrigo Sasaki
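Added illustration (not Keycloak's code and not from either poster): a small Java model of the Referer-origin comparison quoted at the top of the thread, showing why a link from an application at a different origin fails it while a same-origin link and a missing Referer pass. The getOrigin() below is a hypothetical stand-in for UriUtils.getOrigin(), and the hostnames are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class RefererOriginCheck {

    /**
     * Reduce an absolute URL to scheme://host[:port]; hypothetical stand-in for
     * the UriUtils.getOrigin() call in the quoted code (not Keycloak's own).
     * Returns null for anything that is not an absolute URL with a host.
     */
    static String getOrigin(String url) {
        try {
            URI u = new URI(url);
            if (u.getScheme() == null || u.getHost() == null) {
                return null;
            }
            String origin = u.getScheme().toLowerCase() + "://" + u.getHost().toLowerCase();
            if (u.getPort() != -1) {
                origin += ":" + u.getPort();
            }
            return origin;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /**
     * Same decision as the quoted verification: pass when there is no Referer,
     * or when the Referer's origin equals the origin the request was sent to.
     * Returns false where the original would throw ForbiddenException.
     */
    static boolean refererAllowed(String requestOrigin, String referer) {
        if (referer == null) {
            return true;
        }
        return requestOrigin.equals(getOrigin(referer));
    }

    public static void main(String[] args) {
        String keycloak = "https://keycloak.example.com";          // constructed
        String app = "https://app.example.com:8080/account-link"; // constructed
        // A link clicked in the application: the Referer origin is the app and
        // the request origin is Keycloak, so the comparison in the quoted code fails.
        System.out.println("link from app -> " + refererAllowed(keycloak, app));
        // A link from a page served by Keycloak itself, like the admin console.
        System.out.println("link from kc  -> " + refererAllowed(keycloak, keycloak + "/auth/admin/"));
        // No Referer header at all (e.g. the browser suppressed it): the check is skipped.
        System.out.println("no referer    -> " + refererAllowed(keycloak, null));
    }
}
```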