That's a bug; it should only be checking that if it's a post. Can you create a
JIRA please?
----- Original Message -----
From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 9 October, 2014 3:27:12 PM
Subject: Re: [keycloak-user] Link to Account Page
When I invoke that URL it calls the init() method inside
AccountService.java, and inside that method there is this verification:
    // Reject the request when the Referer's origin differs from this request's origin
    String referrer = headers.getRequestHeaders().getFirst("Referer");
    if (referrer != null && !requestOrigin.equals(UriUtils.getOrigin(referrer))) {
        throw new ForbiddenException();
    }
The referrer is from our server, but the requestOrigin points to the
Keycloak server, so they never match.
On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> You can link to the account page with the following link:
>
> https://<KEYCLOAK SERVER>/auth/realms/<REALM NAME>/account
>
> You can also have an option to get a link back to your application by
> adding either referrer or referrer_uri query param:
>
> * referrer - your application's id (this requires "Default Redirect URL"
> to be set for your application)
> * referrer_uri - the uri to return to (this requires referrer_uri to be a
> valid redirect uri for your application)
>
> We do this in the admin console, so you can look at how it works there.
> Login to the admin console, click on your username in the top-right corner,
> and click on 'Manage account'. In the account management there's now in the
> top-right corner 'Back to security-admin-console'. If you try to edit the URL
> to remove '?referrer=security-admin-console' you'll see this link is no
> longer there.
>
>
> I've got no idea what validation you're talking about that checks the
> referrer is the same as the server. Maybe it's the fact that for an update
> (post) we only allow a post originating from the Keycloak server? That
> doesn't stop you from linking to the account page, but it stops you from
> posting to it.
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > To: keycloak-user(a)lists.jboss.org
> > Sent: Wednesday, 8 October, 2014 11:29:17 PM
> > Subject: [keycloak-user] Link to Account Page
> >
> > Hello,
> >
> > I am trying to create a link on our application to go directly to Keycloak's
> > Account Page, so the user can alter his information, but it doesn't work.
> >
> > I saw that there is a validation that assures that the referrer is the same
> > as the server, for example: I can only access the account app inside my
> > localhost:8080 if the referrer is also in localhost:8080.
> >
> > Is it supposed to be like this? Is there a way for me to create a hyperlink
> > from my application directly to Keycloak's Account Page? Given that my own
> > application is secured by Keycloak, I think it should be possible.
> >
> > Is this the correct behavior?
> >
> > Thanks again!
> >
> > --
> > Rodrigo Sasaki
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Rodrigo Sasaki
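For reference, an added example (not Keycloak's own code) that mirrors the check quoted above in both forms: as reported, applied to every request, and as the reply says it should be, applied only to a POST. The getOrigin method stands in for UriUtils.getOrigin, and the origins, realm name and application URL are constructed.

```java
import java.net.URI;

// Added example, not Keycloak's own code: the Referer-origin check from the thread,
// first as reported (applied to every request) and then restricted to POST, which is
// the behaviour the reply says was intended. getOrigin stands in for UriUtils.getOrigin.
public class RefererOriginCheck {

    // Reduce a URL to its origin: scheme://host[:port], the part the check compares.
    static String getOrigin(String url) {
        URI u = URI.create(url);
        StringBuilder origin = new StringBuilder(u.getScheme()).append("://").append(u.getHost());
        if (u.getPort() != -1) {
            origin.append(':').append(u.getPort());
        }
        return origin.toString();
    }

    // As reported: every request carrying a Referer from another origin is refused,
    // so a plain GET that follows a link from the application is rejected too.
    static boolean allowedAsReported(String requestOrigin, String referer) {
        return referer == null || requestOrigin.equals(getOrigin(referer));
    }

    // As intended: only a POST (a state change) has to originate from the Keycloak
    // server; a link from the application (GET) is allowed regardless of Referer.
    static boolean allowedIntended(String method, String requestOrigin, String referer) {
        if (!"POST".equals(method)) {
            return true;
        }
        return referer == null || requestOrigin.equals(getOrigin(referer));
    }

    public static void main(String[] args) {
        // Constructed values: Keycloak's own origin, a page in the application that
        // links to the account page, and the account page of a constructed realm.
        String keycloakOrigin = "http://localhost:8080";
        String appPage = "http://app.example:9090/profile";
        String accountPage = keycloakOrigin + "/auth/realms/demo/account";

        System.out.println("GET from app, as reported:    " + allowedAsReported(keycloakOrigin, appPage));
        System.out.println("GET from app, as intended:    " + allowedIntended("GET", keycloakOrigin, appPage));
        System.out.println("POST from app, as intended:   " + allowedIntended("POST", keycloakOrigin, appPage));
        System.out.println("POST from Keycloak, intended: " + allowedIntended("POST", keycloakOrigin, accountPage));
    }
}
```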