From 5ed864fbbc854542972620bb16c4e47f3b6aae20 Mon Sep 17 00:00:00 2001
From: Stian Thorgersen 
Date: Tue, 21 Apr 2015 10:42:13 +0200
Subject: [PATCH] KEYCLOAK-1208 Allow same-origin if cors is enabled
---
 .../org/keycloak/adapters/AuthenticatedActionsHandler.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
index fcbf1fecdd..98bc5ccdb0 100755
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
@@ -4,6 +4,7 @@ import org.jboss.logging.Logger;
 import org.keycloak.KeycloakSecurityContext;
 import org.keycloak.constants.AdapterConstants;
 import org.keycloak.representations.AccessToken;
+import org.keycloak.util.UriUtils;
 
 import java.io.IOException;
 import java.util.Set;
@@ -78,8 +79,9 @@ public class AuthenticatedActionsHandler {
         if (!deployment.isCors()) return false;
         KeycloakSecurityContext securityContext = facade.getSecurityContext();
         String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN);
+        String requestOrigin = UriUtils.getOrigin(facade.getRequest().getURI());
         log.debugv("Origin: {0} uri: {1}", origin, facade.getRequest().getURI());
-        if (securityContext != null && origin != null) {
+        if (securityContext != null && origin != null && !origin.equals(requestOrigin)) {
             AccessToken token = securityContext.getToken();
             Set allowedOrigins = token.getAllowedOrigins();
             if (log.isDebugEnabled()) {
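Review bot: The same-origin short-circuit on the changed `if` line compares the browser-supplied Origin header with an origin rebuilt from `facade.getRequest().getURI()`, which behind a TLS-terminating or port-rewriting proxy can carry the internal scheme, host or port rather than what the browser saw; a genuinely same-origin request then fails the comparison and falls through to the allowed-origins check, so the fix may not apply in exactly the deployments where CORS is commonly enabled. That direction fails closed, so it is a correctness rather than a security gap, but whether `UriUtils.getOrigin` normalizes default ports (`https://host:443` versus `https://host`) is not visible here and is worth confirming, since browsers omit default ports in Origin. Add a why-comment above the new `requestOrigin` line, e.g. `// Browsers send Origin on same-origin POSTs too; those need no CORS handling, so only cross-origin requests are checked against the token's allowed origins.` The enclosing method starts before and ends after this hunk.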