with regard to protection on post, then what is the point of having the
link on our application if the user cannot use the self serve functionality
by changing their account details themselves? We would need this to be
seamless for the end user right?
To protect the post in use cases such as what you described, shouldn't we
just check the referrer in the request against the permitted redirect_urls
for the application and then allow post based on that?
On Fri, Oct 10, 2014 at 6:13 PM, Stian Thorgersen <stian(a)redhat.com> wrote:
----- Original Message -----
> From: "Travis De Silva" <traviskds(a)gmail.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>, keycloak-user(a)lists.jboss.org
> Sent: Friday, 10 October, 2014 5:20:54 AM
> Subject: Re: [keycloak-user] Link to Account Page
>
> How I handle this issue is by having KeyCloak behind my Apache Reverse
> proxy. That way, the domain and port of my application and keycloak both
> are the same so there is no issue.
That works, but there shouldn't be a requirement that Keycloak is on the
same domain as your application.
>
> Also not sure why you want to prevent a post because won't you have a use
> case why an end user can go into the account page that is linked from an
> application and change their info such as their credentials. I would assume
> that is a post action on the keycloak account forms.
If there's no protection on post, then an external page can create a link
that when clicked will change your account (if you're logged-in that is).
For example to change your email address so they can then hijack your
account.
>
> On Fri, Oct 10, 2014 at 1:07 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>
> > I reckon request.getHttpMethod should be what's needed
> >
> > ----- Original Message -----
> > > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > To: "Stian Thorgersen" <stian(a)redhat.com>
> > > Cc: keycloak-user(a)lists.jboss.org
> > > Sent: Thursday, 9 October, 2014 3:54:07 PM
> > > Subject: Re: [keycloak-user] Link to Account Page
> > >
> > > JIRA created: https://issues.jboss.org/browse/KEYCLOAK-746
> > >
> > > Just out of curiosity, how would that be fixed? A simple test on
> > > request.getHttpMethod? or with something a little more complex?
> > >
> > > On Thu, Oct 9, 2014 at 10:33 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> > >
> > > > That's a bug, it should only be checking that if it's a post. Can you
> > > > create a jira please?
> > > >
> > > > ----- Original Message -----
> > > > > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > > To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > Cc: keycloak-user(a)lists.jboss.org
> > > > > Sent: Thursday, 9 October, 2014 3:27:12 PM
> > > > > Subject: Re: [keycloak-user] Link to Account Page
> > > > >
> > > > > When I invoke that URL it calls the init() method, inside
> > > > > AccountService.java and inside that method there is this
> > > > > verification:
> > > > >
> > > > > String referrer = headers.getRequestHeaders().getFirst("Referer");
> > > > > if (referrer != null && !requestOrigin.equals(UriUtils.getOrigin(referrer))) {
> > > > >     throw new ForbiddenException();
> > > > > }
> > > > >
> > > > > the referrer is from our server, but the requestOrigin points to the
> > > > > keycloak server, so they never match
> > > > >
> > > > > On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> > > > >
> > > > > > You can link to the account page with the following link:
> > > > > >
> > > > > > https://<KEYCLOAK SERVER>/auth/realms/<REALM NAME>/account
> > > > > >
> > > > > > You can also have an option to get a link back to your application by
> > > > > > adding either referrer or referrer_uri query param:
> > > > > >
> > > > > > * referrer - your applications id (this requires "Default Redirect URL" to
> > > > > > be set for your application)
> > > > > > * referrer_uri - the uri to return to (this requires referrer_uri to be a
> > > > > > valid redirect uri for your application)
> > > > > >
> > > > > > We do this in the admin console, so you can look at how it works there.
> > > > > > Log in to the admin console, click on your username in the top-right corner,
> > > > > > and click on 'Manage account'. In the account management there's now in the
> > > > > > top-right corner 'Back to security-admin-console'. If you try to edit the url
> > > > > > to remove '?referrer=security-admin-console' you'll see this link is no
> > > > > > longer there.
> > > > > >
> > > > > >
> > > > > > I've got no idea what validation you're talking about that checks the
> > > > > > referrer is the same as the server. Maybe it's the fact that for an update
> > > > > > (post) we only allow a post originating from the Keycloak server? That
> > > > > > doesn't stop you from linking to the account page, but it stops you from
> > > > > > posting to it.
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > > > > To: keycloak-user(a)lists.jboss.org
> > > > > > > Sent: Wednesday, 8 October, 2014 11:29:17 PM
> > > > > > > Subject: [keycloak-user] Link to Account Page
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > I am trying to create a link on our application to go directly to
> > > > > > > Keycloak's Account Page, so the user can alter his information, but it
> > > > > > > doesn't work.
> > > > > > >
> > > > > > > I saw that there is a validation that assures that the referrer is the
> > > > > > > same as the server, for example: I can only access the account app inside
> > > > > > > my localhost:8080 if the referrer is also in localhost:8080.
> > > > > > >
> > > > > > > Is it supposed to be like this? Is there a way for me to create a
> > > > > > > hyperlink from my application directly to Keycloak's Account Page? Given
> > > > > > > that my own application is secured by Keycloak, I think it should be
> > > > > > > possible.
> > > > > > >
> > > > > > > Is this the correct behavior?
> > > > > > >
> > > > > > > Thanks again!
> > > > > > >
> > > > > > > --
> > > > > > > Rodrigo Sasaki
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > keycloak-user mailing list
> > > > > > > keycloak-user(a)lists.jboss.org
> > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Rodrigo Sasaki
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Rodrigo Sasaki
> > >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
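As an added example (not Keycloak's code, and written in Python rather than the Java of AccountService), here are the two checks this thread discusses side by side: the Referer-origin test from the quoted init() snippet, restricted to state-changing methods as the KEYCLOAK-746 discussion suggests via request.getHttpMethod, so that a plain GET link from the application works while a cross-origin POST to the account forms is still rejected; and the referrer / referrer_uri back-link parameters, with referrer_uri validated against the application's registered redirect URIs. The application registry, the URLs, the prefix-wildcard redirect-URI matching and every function name are constructed assumptions for illustration.

```python
"""Added example, not Keycloak code: the Referer-origin check limited to
state-changing methods, and the referrer / referrer_uri back-link logic.
All names, URLs and the application registry below are constructed."""
from urllib.parse import urlsplit, parse_qs

# Methods that can change the logged-in user's account; GET only renders.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


class Forbidden(Exception):
    """Stand-in for Keycloak's ForbiddenException."""


def get_origin(url):
    """scheme://host[:port] of an absolute URL, lower-cased; None otherwise.
    Stand-in for UriUtils.getOrigin from the quoted snippet."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_account_request(method, request_origin, referer):
    """Return True when the request may proceed, raise Forbidden otherwise.

    The quoted check rejected ANY request whose Referer origin differed from
    the Keycloak origin, which broke ordinary links from the application.
    Running it only for state-changing methods keeps the protection that
    matters: a cross-origin POST could alter the user's e-mail address."""
    if method.upper() not in STATE_CHANGING:
        return True                      # a link (GET) from anywhere is fine
    if referer is None:
        return True                      # same behaviour as the quoted snippet
    if get_origin(referer) != get_origin(request_origin):
        raise Forbidden(f"cross-origin {method.upper()} rejected, Referer={referer!r}")
    return True


def is_allowed(method, request_origin, referer):
    """Boolean convenience wrapper around check_account_request()."""
    try:
        return check_account_request(method, request_origin, referer)
    except Forbidden:
        return False


# Constructed registry shaped like the settings named in the thread: an
# application id, its "Default Redirect URL" and its valid redirect URIs.
APPLICATIONS = {
    "security-admin-console": {
        "default_redirect_url": "https://keycloak.example/auth/admin/",
        "redirect_uris": {"https://keycloak.example/auth/admin/*"},
    },
    "my-app": {
        "default_redirect_url": None,
        "redirect_uris": {"https://app.example/", "https://app.example/home"},
    },
}


def _matches_redirect_uri(uri, registered):
    """Exact match, or prefix match for an entry ending in '*' (a simplifying
    assumption about redirect-URI matching, not Keycloak's own rule)."""
    for entry in registered:
        if entry.endswith("*"):
            if uri.startswith(entry[:-1]):
                return True
        elif uri == entry:
            return True
    return False


def back_link_for(account_url, applications=APPLICATIONS):
    """URL for the 'Back to <application>' link, or None when no link is shown.

    referrer     -> application id; the link uses its Default Redirect URL.
    referrer_uri -> explicit return target; accepted only if it is a valid
                    redirect URI of that application, otherwise no link.
    Assumption: referrer_uri is only honoured together with referrer."""
    query = parse_qs(urlsplit(account_url).query)
    app_id = query.get("referrer", [None])[0]
    if app_id is None or app_id not in applications:
        return None
    app = applications[app_id]
    referrer_uri = query.get("referrer_uri", [None])[0]
    if referrer_uri is not None:
        if _matches_redirect_uri(referrer_uri, app["redirect_uris"]):
            return referrer_uri
        return None          # never turn an unregistered target into a link
    return app["default_redirect_url"]
```

Note that, exactly like the quoted snippet, a POST that carries no Referer header at all passes the origin check; a per-form synchronizer token embedded in the account forms does not depend on that header and is the more robust protection for the update itself, with the origin check as a second layer.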