Using Recaptcha on the login page


Simon.L...@eventim.de

Feb 11, 2021, 7:30:59 AM2/11/21
to keyclo...@googlegroups.com
Hello list,

I realize there are already a few topics regarding this, but we haven't quite been able to make the proposed solutions work reliably. The solution we are adapting to make this work is

https://github.com/raptor-group/keycloak-login-recaptcha

Unfortunately, the solution uses a singleton instance of the RecaptchaUsernamePasswordForm - which tracks the actual configuration of the captcha (site key, site secret, and in our case, a third config key, whether to actually display/validate the captcha). This can lead to rather hard-to-debug race conditions when different realms (or even different clients within the same realm) actually have different site secrets and site keys, and they all manipulate the instance which has global state.

It looks like the only way to get a reference to the configuration of the Form is via the AuthenticationFlowContext. However, this context is only available in authenticate(...) and action(...), but not in createLoginForm(...), where it would be required. Ideally, the factory's create(...) method would expose the configuration, so that it can be passed to the constructor of the Form. But unlike some other Factories, which accept a ComponentModel argument, it does not seem like this one does, and so we cannot pass the configuration to the model.

Ideally, it should be possible to create a FormAction that handles the captcha, and add this to the Login flow, rather than attempting to extend the functionality of the existing UsernamePasswordForm. This is how it is implemented in the case of the registration form, but we haven't been able to reproduce this kind of handling for the Login form.

Is there a good solution for this that avoids global state tracking via singletons like this?

--
Simon Levermann
Software Development Expert Cross Product Services

simon.l...@eventim.de | www.eventim.de
CTS EVENTIM Solutions GmbH | Contrescarpe 75A | D-28195 Bremen

Administrative address: Contrescarpe 75A – D-28195 Bremen // Managing Directors: Alexander Ruoff, Christoph Bodi
Registered office: Bremen, HRB 19598 – VAT ID No.: DE 211161916


Thomas Darimont

Feb 11, 2021, 10:22:44 AM2/11/21
to Simon.L...@eventim.de, Keycloak User


Simon.L...@eventim.de

Feb 12, 2021, 2:53:39 AM2/12/21
to thomas....@googlemail.com, keyclo...@googlegroups.com

Hi Thomas,

indeed, moving the code from createLoginForm to challenge instead did the trick. Thank you!

Best regards,

Simon
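The fix the thread arrives at, shown as an added example (this is not the raptor-group project's code nor code posted in this thread): a UsernamePasswordForm subclass that keeps no fields at all and instead reads the site key, secret and enable flag from `context.getAuthenticatorConfig()` on every request, inside the `challenge(AuthenticationFlowContext, MultivaluedMap)` override that, unlike `createLoginForm(LoginFormsProvider)`, receives the flow context. The config key names, the template attribute names (`recaptchaRequired`, `recaptchaSiteKey`) and the package are assumptions; the verification call mirrors the pattern Keycloak's own registration-form captcha uses.

```java
package com.example.keycloak.recaptcha; // hypothetical package

import java.io.InputStream;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.services.messages.Messages;
import org.keycloak.util.JsonSerialization;

public class RecaptchaUsernamePasswordForm extends UsernamePasswordForm {

    // Config keys as declared by this authenticator's factory (assumed names).
    public static final String SITE_KEY = "recaptcha.site.key";
    public static final String SITE_SECRET = "recaptcha.site.secret";
    public static final String ENABLED = "recaptcha.enabled";
    private static final String VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";
    private static final String RESPONSE_FIELD = "g-recaptcha-response";

    // Deliberately no instance or static state: the provider instance may be shared
    // across realms and clients, so every value is fetched per request from the context.

    /** Config of the flow execution handling this request; empty when none is configured. */
    private static Map<String, String> config(AuthenticationFlowContext context) {
        AuthenticatorConfigModel model = context.getAuthenticatorConfig();
        return model == null || model.getConfig() == null ? Map.of() : model.getConfig();
    }

    private static boolean enabled(Map<String, String> cfg) {
        return Boolean.parseBoolean(cfg.get(ENABLED));
    }

    /** Builds the login page with the captcha attributes taken from the current execution. */
    private Response render(AuthenticationFlowContext context, MultivaluedMap<String, String> formData, String error) {
        Map<String, String> cfg = config(context);
        LoginFormsProvider form = context.form().setExecution(context.getExecution().getId());
        if (formData != null && formData.size() > 0) form.setFormData(formData);
        if (error != null) form.setError(error);
        if (enabled(cfg)) {
            form.setAttribute("recaptchaRequired", true);
            form.setAttribute("recaptchaSiteKey", cfg.get(SITE_KEY));
        }
        return form.createLoginUsernamePassword();
    }

    /** The rendering hook that has access to the context, so no singleton is needed. */
    @Override
    protected Response challenge(AuthenticationFlowContext context, MultivaluedMap<String, String> formData) {
        return render(context, formData, null);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        Map<String, String> cfg = config(context);
        if (enabled(cfg)) {
            MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
            String token = formData.getFirst(RESPONSE_FIELD);
            if (token == null || !verify(context, token, cfg.get(SITE_SECRET))) {
                // Never echo the submitted password or the used token back into the page.
                formData.remove("password");
                formData.remove(RESPONSE_FIELD);
                context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                        render(context, formData, Messages.RECAPTCHA_FAILED));
                return;
            }
        }
        super.action(context); // captcha passed (or disabled): normal username/password handling
    }

    /** Server-side token check; fails closed on missing secret or any transport/parse error. */
    protected boolean verify(AuthenticationFlowContext context, String token, String secret) {
        if (secret == null || secret.isEmpty()) return false;
        HttpClient client = context.getSession().getProvider(HttpClientProvider.class).getHttpClient();
        HttpPost post = new HttpPost(VERIFY_URL);
        List<NameValuePair> params = List.of(
                new BasicNameValuePair("secret", secret),
                new BasicNameValuePair("response", token),
                new BasicNameValuePair("remoteip", context.getConnection().getRemoteAddr()));
        try {
            post.setEntity(new UrlEncodedFormEntity(params, "UTF-8"));
            HttpResponse response = client.execute(post);
            try (InputStream body = response.getEntity().getContent()) {
                Map<?, ?> json = JsonSerialization.readValue(body, Map.class);
                return Boolean.TRUE.equals(json.get("success"));
            }
        } catch (Exception e) {
            return false;
        }
    }
}
```

The matching factory still has to declare the three keys in `getConfigProperties()` so that each flow execution (and therefore each realm, or each client via a client-specific flow) can carry its own values; that per-execution model is what replaces the global state the first message describes. One caveat: the invalid-password re-render in the parent class still goes through `createLoginForm(LoginFormsProvider)`, which has no context, so the template should tolerate a missing `recaptchaSiteKey` attribute rather than assume it is always set.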