This is what I am actually going to do. A link on my app, when clicked, will take
the user to the account mgmt pages themselves where they can post and then,
using the return to app link on the top right hand, they can get back to my
app. I think I misunderstood when you said you cannot post. What you are
saying is if we are in the account mgmt page itself, then we can post.
That clears the confusion I had. Thanks Stian.
On Fri, Oct 10, 2014 at 11:47 PM, Stian Thorgersen <stian(a)redhat.com> wrote:
----- Original Message -----
> From: "Travis De Silva" <traviskds(a)gmail.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>, keycloak-user(a)lists.jboss.org
> Sent: Friday, 10 October, 2014 2:39:31 PM
> Subject: Re: [keycloak-user] Link to Account Page
>
> with regard to protection on post, then what is the point of having the
> link on our application if the user cannot use the self serve functionality
> by changing their account details themselves? We would need this to be
> seamless for the end user right?
The application is allowed to link to a page on the account management.
This will be a GET with Referer set to the application url. After that
posting the form works just fine, as the Referer is now the account
management page, not the app.
Basically, an application can link, but not post. Post can only be done
from the account management pages themselves.
>
> To protect the post in use cases such as what you described, shouldn't we
> just check the referrer in the request with the permitted redirect_url's
> for the application and then allow post based on that?
>
> On Fri, Oct 10, 2014 at 6:13 PM, Stian Thorgersen <stian(a)redhat.com> wrote:
>
> >
> >
> > ----- Original Message -----
> > > From: "Travis De Silva" <traviskds(a)gmail.com>
> > > To: "Stian Thorgersen" <stian(a)redhat.com>
> > > Cc: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>, keycloak-user(a)lists.jboss.org
> > > Sent: Friday, 10 October, 2014 5:20:54 AM
> > > Subject: Re: [keycloak-user] Link to Account Page
> > >
> > > How I handle this issue is by having KeyCloak behind my Apache Reverse
> > > proxy. That way, the domain and port of my application and keycloak both
> > > are the same so there is no issue.
> >
> > That works, but there shouldn't be a requirement that Keycloak is on the
> > same domain as your application.
> >
> > >
> > > Also not sure why you want to prevent a post because won't you have a use
> > > case why an end user can go into the account page that is linked from an
> > > application and change their info such as their credentials. I would assume
> > > that is a post action on the keycloak account forms.
> >
> > If there's no protection on post, then an external page can create a link
> > that when clicked will change your account (if you're logged-in that is).
> > For example to change your email address so they can then hijack your
> > account.
> >
> > >
> > > On Fri, Oct 10, 2014 at 1:07 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> > >
> > > > I reckon request.getHttpMethod should be what's needed
> > > >
> > > > ----- Original Message -----
> > > > > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > > To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > Cc: keycloak-user(a)lists.jboss.org
> > > > > Sent: Thursday, 9 October, 2014 3:54:07 PM
> > > > > Subject: Re: [keycloak-user] Link to Account Page
> > > > >
> > > > > JIRA created: https://issues.jboss.org/browse/KEYCLOAK-746
> > > > >
> > > > > Just out of curiosity, how would that be fixed? A simple test on
> > > > > request.getHttpMethod? or with something a little more complex?
> > > > >
> > > > > On Thu, Oct 9, 2014 at 10:33 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> > > > >
> > > > > > That's a bug, it should only be checking that if it's a post. Can you
> > > > > > create a jira please?
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > > > > To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > > > Cc: keycloak-user(a)lists.jboss.org
> > > > > > > Sent: Thursday, 9 October, 2014 3:27:12 PM
> > > > > > > Subject: Re: [keycloak-user] Link to Account Page
> > > > > > >
> > > > > > > When I invoke that URL it calls the init() method, inside
> > > > > > > AccountService.java and inside that method there is this
> > > > > > > verification:
> > > > > > >
> > > > > > > String referrer = headers.getRequestHeaders().getFirst("Referer");
> > > > > > > if (referrer != null && !requestOrigin.equals(UriUtils.getOrigin(referrer))) {
> > > > > > >     throw new ForbiddenException();
> > > > > > > }
> > > > > > >
> > > > > > > the referrer is from our server, but the requestOrigin points to the
> > > > > > > keycloak server, so they never match
> > > > > > >
> > > > > > > On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> > > > > > >
> > > > > > > > You can link to the account page with the following link:
> > > > > > > >
> > > > > > > > https://<KEYCLOAK SERVER>/auth/realms/<REALM NAME>/account
> > > > > > > >
> > > > > > > > You can also have an option to get a link back to your application by
> > > > > > > > adding either referrer or referrer_uri query param:
> > > > > > > >
> > > > > > > > * referrer - your applications id (this requires "Default Redirect URL" to
> > > > > > > > be set for your application)
> > > > > > > > * referrer_uri - the uri to return to (this requires referrer_uri to be a
> > > > > > > > valid redirect uri for your application)
> > > > > > > >
> > > > > > > > We do this in the admin console, so you can look at how it works there.
> > > > > > > > Login to the admin console, click on your username in the top-right corner,
> > > > > > > > and click on 'Manage account'. In the account management there's now in the
> > > > > > > > top-right corner 'Back to security-admin-console'. If you try to edit the url
> > > > > > > > to remove '?referrer=security-admin-console' you'll see this link is no
> > > > > > > > longer there.
> > > > > > > >
> > > > > > > >
> > > > > > > > I've got no idea what validation you're talking about that checks the
> > > > > > > > referrer is the same as the server. Maybe it's the fact that for an update
> > > > > > > > (post) we only allow a post originating from the Keycloak server? That
> > > > > > > > doesn't stop you from linking to the account page, but it stops you from
> > > > > > > > posting to it.
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > > > > > > To: keycloak-user(a)lists.jboss.org
> > > > > > > > > Sent: Wednesday, 8 October, 2014 11:29:17 PM
> > > > > > > > > Subject: [keycloak-user] Link to Account Page
> > > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > I am trying to create a link on our application to go directly to Keycloak's
> > > > > > > > > Account Page, so the user can alter his information, but it doesn't work.
> > > > > > > > >
> > > > > > > > > I saw that there is a validation that assures that the referrer is the same
> > > > > > > > > as the server, for example: I can only access the account app inside my
> > > > > > > > > localhost:8080 if the referrer is also in localhost:8080.
> > > > > > > > >
> > > > > > > > > Is it supposed to be like this? Is there a way for me to create a hyperlink
> > > > > > > > > from my application directly to Keycloak's Account Page? Given that my own
> > > > > > > > > application is secured by Keycloak, I think it should be possible.
> > > > > > > > >
> > > > > > > > > Is this the correct behavior?
> > > > > > > > >
> > > > > > > > > Thanks again!
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Rodrigo Sasaki
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > keycloak-user mailing list
> > > > > > > > > keycloak-user(a)lists.jboss.org
> > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Rodrigo Sasaki
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Rodrigo Sasaki
> > > > >
> > > >
> > >
> >
>
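The link-versus-post distinction the thread settles on, as an added Python illustration that is not Keycloak's code: the Referer-origin check quoted from AccountService.init() beside a variant that applies it only to POST, run against constructed requests. The origins, the realm name and the handler names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample origins (not taken from the thread).
KEYCLOAK = "https://sso.example.com"
APP_PAGE = "https://app.example.com/profile"


class Forbidden(Exception):
    """Stand-in for Keycloak's ForbiddenException."""


def get_origin(url):
    """scheme://host[:port] of a URL, the part UriUtils.getOrigin compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def referer_matches(request_origin, referer):
    # Mirrors the quoted snippet: a missing Referer is let through
    # (referrer != null && ...), so this is weaker than a per-form CSRF token.
    return referer is None or get_origin(referer) == request_origin


def account_init_as_quoted(method, request_origin, headers):
    """The check as quoted: applied to every method, so a plain link from
    the application (a GET carrying the app's Referer) is rejected."""
    if not referer_matches(request_origin, headers.get("Referer")):
        raise Forbidden()
    return "ok"


def account_init_post_only(method, request_origin, headers):
    """The fix Stian describes: only a state-changing POST has to originate
    from the account management pages themselves; linking stays allowed."""
    if method.upper() == "POST" and not referer_matches(
        request_origin, headers.get("Referer")
    ):
        raise Forbidden()
    return "ok"


def outcome(handler, method, headers):
    """Run a handler against the Keycloak origin; report 'ok' or 'forbidden'."""
    try:
        return handler(method, KEYCLOAK, headers)
    except Forbidden:
        return "forbidden"


# Constructed requests: the app's link, a form post from the account page,
# and a form post submitted from some unrelated site.
LINK_FROM_APP = ("GET", {"Referer": APP_PAGE})
POST_FROM_ACCOUNT = ("POST", {"Referer": KEYCLOAK + "/auth/realms/demo/account"})
POST_FROM_ELSEWHERE = ("POST", {"Referer": "https://other.example.net/page"})
```

Only the post-only variant accepts the application's link while still refusing a form post whose Referer is a foreign origin.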