Trouble with reCAPTCHA


Pablito

Oct 29, 2020, 2:46:21 PM
to Keycloak User
Hi:

I could use a little help. I've set it up as described in the Server Administration guide, but the recaptcha doesn't show up properly on the Register page.


... and Chrome reports the following in the dev console multiple times:

Unrecognized Content-Security-Policy directive 'https://www.google.com'

Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "frame-src 'self'".

This is my Security Defenses setup:
Am I missing anything?

Thanks,
Pab

Pablito

Oct 29, 2020, 2:52:50 PM
to Keycloak User
Sorry, didn't realize I couldn't do images.

The register page has a grey box with the unhappy smiley icon in the middle and an empty text field below that.

On Security Defenses tab:
The remaining fields are still defaults.

Hannah Short

Nov 3, 2020, 10:50:47 AM
to Pablito, Keycloak User
Hi Pablo, everyone, 

We are having a similar problem so I wanted to respond to you before posting. 

For you, I think the Keycloak Server Admin docs are wrong, the google.com domain should be included before the semi-colon. 

Our problem is the opposite. We add domains to the frame-ancestors directive (to allow keycloak to be included in iframes at those domains), e.g. "frame-src 'self'; frame-ancestors 'self' https://example.com; object-src 'none';", and suddenly we get a CSP error from other clients: innerHTML: "This page has a content security policy that prevents it from being loaded in this way."

We have just upgraded to KC11 and are not sure whether the issue was there beforehand.

Thanks for any help!
Hannah


Pablito

Nov 3, 2020, 1:47:03 PM
to Keycloak User
Thanks, Hannah: Your timing couldn't be better. I was returning to this issue just today.

I figured the Google URL on its own couldn't be right, but didn't want to just start guessing. Admittedly, I was unfamiliar with Content-Security-Policy when I posted, but now see the purpose of the frame-src and how to format it. I corrected the Content-Security-Policy to "frame-src 'self' https://www.google.com; frame-ancestors 'self'; object-src 'none'; " (no quotes).

The reCaptcha loaded within the iframe, but contained the message "ERROR for site owner: Invalid key type". When I created our keys, I chose the Version 3 reCaptcha, but suspected at the time that it might not be supported by Keycloak given the documentation image. Suspicion confirmed. I have now created a Version 2 (user clicks) and it loaded correctly. For future readers, I am working with version 11.0.2 of Keycloak (latest as I write this).

I am still having a problem, but I am pretty sure it is due to a network security configuration issue. I will confirm once resolved.

As for your problem, I wish I could help. The only thing that comes to mind is that I assume that the apps which are "iframing" Keycloak would themselves need to include the frame-src directive with a reference to the Keycloak server domain. However, given that it is an upgrade and was working previously, this must already be in place.

Pab
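The two failures in this thread (Pablito's "Unrecognized Content-Security-Policy directive 'https://www.google.com'" plus "frame-src 'self'" refusing the reCAPTCHA frame, and Hannah's clients being blocked once frame-ancestors lists only some origins) are both plain consequences of how a browser tokenises a CSP header. The following is an added example, not code from the thread or from Keycloak: a small CSP parser and source matcher in JavaScript that reproduces that tokenisation and the two framing checks. The Keycloak origin (https://keycloak.example), the "other client" origin and the reCAPTCHA frame URL are assumptions; BROKEN_CSP is reconstructed from the two Chrome messages Pablito quoted, FIXED_CSP is the header he posted after the fix, and HANNAH_CSP is Hannah's header with straight quotes. Paths in source expressions and X-Frame-Options are not modelled.

```javascript
// Added example (not Keycloak's code): how a browser splits a CSP header and
// evaluates frame-src / frame-ancestors. Origins below are constructed.

// Directive names a browser recognises; anything else produces the
// "Unrecognized Content-Security-Policy directive" console warning and is dropped.
const KNOWN_DIRECTIVES = new Set([
  "default-src", "script-src", "style-src", "img-src", "connect-src", "font-src",
  "object-src", "media-src", "frame-src", "child-src", "frame-ancestors", "worker-src",
  "base-uri", "form-action", "report-uri", "report-to", "upgrade-insecure-requests",
]);
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Split on ";": the first token of each chunk is the directive name, the rest are
// source expressions. A chunk that begins with a URL (the documentation bug in this
// thread) is an unknown directive, which is why frame-src ended up as just 'self'.
function parseCsp(header) {
  const directives = new Map();
  const warnings = [];
  for (const chunk of header.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!KNOWN_DIRECTIVES.has(name)) {
      warnings.push(`Unrecognized Content-Security-Policy directive '${tokens[0]}'`);
    } else if (directives.has(name)) {
      warnings.push(`Ignoring duplicate Content-Security-Policy directive '${name}'`); // first one wins
    } else {
      directives.set(name, tokens.slice(1));
    }
  }
  return { directives, warnings };
}

// An expression without a scheme inherits the protected page's scheme;
// http/ws expressions also accept their TLS upgrades.
function schemeMatches(exprScheme, target, self) {
  const want = exprScheme || self.protocol.slice(0, -1);
  const got = target.protocol.slice(0, -1);
  return got === want || (want === "http" && got === "https") || (want === "ws" && got === "wss");
}

// Does one source expression allow `url` for a page at `selfOrigin`?
// Handles 'none', 'self', '*', scheme-source and host-source (with *. wildcard and port).
function sourceAllows(expr, url, selfOrigin) {
  const target = new URL(url);
  const self = new URL(selfOrigin);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return target.origin === self.origin;
  if (e === "*") return target.protocol in DEFAULT_PORTS;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e.slice(0, -1), target, self);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(?=\/|$)/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (!schemeMatches(scheme, target, self)) return false;
  const th = target.hostname; // keyword, nonce and hash sources never equal a real hostname
  if (wildcard ? !th.endsWith("." + host) : th !== host) return false;
  const tp = target.port || DEFAULT_PORTS[target.protocol] || "";
  return !port || port === "*" || port === tp;
}

// Can a page served with `header` from `pageOrigin` put `frameUrl` in an <iframe>?
// Browsers consult frame-src, then child-src, then default-src.
function canFrame(header, pageOrigin, frameUrl) {
  const { directives } = parseCsp(header);
  const list = directives.get("frame-src") ?? directives.get("child-src") ?? directives.get("default-src");
  return list === undefined || list.some((s) => sourceAllows(s, frameUrl, pageOrigin));
}

// Can a page served with `header` from `pageOrigin` be embedded by `embedderOrigin`?
// frame-ancestors has no fallback: absent means CSP imposes no restriction.
function canBeFramedBy(header, pageOrigin, embedderOrigin) {
  const { directives } = parseCsp(header);
  const list = directives.get("frame-ancestors");
  return list === undefined || list.some((s) => sourceAllows(s, embedderOrigin + "/", pageOrigin));
}

// Constructed inputs: the Keycloak host and "other client" origin are hypothetical.
const KEYCLOAK_ORIGIN = "https://keycloak.example";
const RECAPTCHA_FRAME = "https://www.google.com/recaptcha/api2/anchor";
// Reconstructed from the two Chrome messages in the thread: the URL lands after a semicolon.
const BROKEN_CSP = "frame-src 'self'; https://www.google.com; frame-ancestors 'self'; object-src 'none';";
// The corrected header posted in the thread.
const FIXED_CSP = "frame-src 'self' https://www.google.com; frame-ancestors 'self'; object-src 'none';";
// Hannah's header with straight quotes.
const HANNAH_CSP = "frame-src 'self'; frame-ancestors 'self' https://example.com; object-src 'none';";

function demo() {
  return {
    brokenWarnings: parseCsp(BROKEN_CSP).warnings,
    brokenFramesRecaptcha: canFrame(BROKEN_CSP, KEYCLOAK_ORIGIN, RECAPTCHA_FRAME),
    fixedFramesRecaptcha: canFrame(FIXED_CSP, KEYCLOAK_ORIGIN, RECAPTCHA_FRAME),
    fixedFramesOther: canFrame(FIXED_CSP, KEYCLOAK_ORIGIN, "https://attacker.example/"),
    listedClientEmbeds: canBeFramedBy(HANNAH_CSP, KEYCLOAK_ORIGIN, "https://example.com"),
    otherClientEmbeds: canBeFramedBy(HANNAH_CSP, KEYCLOAK_ORIGIN, "https://other-client.example"),
  };
}
console.log(demo());
```

Running it shows the broken header yields exactly the warning Chrome printed and refuses the reCAPTCHA frame, the corrected header allows www.google.com but nothing else, and Hannah's header lets https://example.com embed Keycloak while any origin not listed is refused, which is the behaviour to expect whenever frame-ancestors enumerates only some of the clients that frame the login page.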