Re: [keycloak-user] Link to Account Page

From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-user(a)lists.jboss.org Sent: Thursday, 9 October, 2014 3:54:07 PM Subject: Re: [keycloak-user] Link to Account Page JIRA created: https://issues.jboss.org/browse/KEYCLOAK-746 Just out of curiosity, how would that be fixed? A simple test on request.getHttpMethod? or with something a little more complex? On Thu, Oct 9, 2014 at 10:33 AM, Stian Thorgersen <stian(a)redhat.com&gt; wrote: > That's a bug, it should only be checking that if it's a post. Can you > create a jira please? > > ----- Original Message ----- > > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com&gt; > > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > > Cc: keycloak-user(a)lists.jboss.org > > Sent: Thursday, 9 October, 2014 3:27:12 PM > > Subject: Re: [keycloak-user] Link to Account Page > > > > When I invoke that URL it calles the init() method, inside > > AccountService.java and inside that method there is this verification: > > > > String referrer = headers.getRequestHeaders().getFirst("Referer"); > > if (referrer != null && > > !requestOrigin.equals(UriUtils.getOrigin(referrer))) { > > throw new ForbiddenException(); > > } > > > > the referrer is from our server, but the requestOrigin points to the > > keycloak server, so they never match > > > > On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen <stian(a)redhat.com&gt; > wrote: > > > > > You can link to the account page with the following link: > > > > > > https://<KEYCLOAK SERVER>/auth/realms/<REALM NAME>/account > > > > > > You can also have an option to get a link back to your application by > > > adding either referrer or referrer_uri query param: > > > > > > * referrer - your applications id (this requires "Default Redirect > URL" to > > > be set for your application) > > > * referrer_uri - the uri to return to (this requires referrer_uri to > be a > > > valid redirect uri for your application) > > > > > > We do this in the admin console, so you can look at how it works there. > > > Login to the admin console, click on your username in the top-right > corner, > > > and click on 'Manage account'. In the account management there's now > in the > > > top-right corner 'Back to security-admin-console'. If you try edit the > url > > > to remove '?referrer=security-admin-console' you'll see this link is no > > > longer there. > > > > > > > > > I've got no idea what validation you're talking about that that checks > the > > > referrer is the same as the server. Maybe it's the fact that for an > update > > > (post) we only allow a post originating from the Keycloak server? That > > > doesn't stop you from linking to the account page, but it stops you > from > > > posting to it. > > > > > > ----- Original Message ----- > > > > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com&gt; > > > > To: keycloak-user(a)lists.jboss.org > > > > Sent: Wednesday, 8 October, 2014 11:29:17 PM > > > > Subject: [keycloak-user] Link to Account Page > > > > > > > > Hello, > > > > > > > > I am trying to create a link on our application to go directly to > > > Keycloak's > > > > Account Page, so the user can alter his information, but it doesn't > work. > > > > > > > > I saw that there is a validation that assures that the referrer is > the > > > same > > > > as the server, for example: I can only access the account app inside > my > > > > localhost:8080 if the referrer is also in localhost:8080. > > > > > > > > Is it supposed to be like this? Is there a way for me to create a > > > hyperlink > > > > from my application directly to Keycloak's Account Page? Given that > my > > > own > > > > application is secured by Keycloak, I think it should be possible. > > > > > > > > Is this the correct behavior? > > > > > > > > Thanks again! > > > > > > > > -- > > > > Rodrigo Sasaki > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user(a)lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > -- > > Rodrigo Sasaki > > > -- Rodrigo Sasaki