KOBIL Captcha
Overview
The main task of this authenticator is to enhance security by distinguishing between genuine users and automated bots. This feature helps prevent abuse such as bot-driven attacks, spam submissions, and unauthorized access, ensuring that only human users can complete the authentication process.
Type
Property | Value |
---|---|
Protocol | OpenID Connect 1.0 |
HTTP method | GET |
Type | Browser Flow |
Endpoint | Authorization Endpoint |
Flows Supported | Authorization code flow, Implicit flow, Hybrid flow |
Response | ID Token, Access Token, Refresh Token |
Response Mode | query, form_post, fragment |
How to configure
To configure the authenticator, follow these steps:
- Navigate to the Authentication tab.
- Click Add step.
- Select the authenticator to proceed with the next step.
- Keep the default Settings unchanged.
By following these steps, you will be able to successfully configure the authenticator.
Parameters involved in Kobil Captcha
Parameter | Description |
---|---|
Alias | Display name for this configured instance of the authenticator, as it appears in the authentication flow. (Example: Kobil Captcha) |
Authenticator Reference | Specifies the authentication method used, such as password (pwd) or one-time password (OTP). This reference is used to track authentication steps in the authentication flow. |
Authenticator Reference Max Age | Specifies the validity period (in seconds) for a completed authentication. Once this time expires, the user must re-authenticate using the specified method. |
JSON Script | JSON to display inputs in Headless V2 theme. |
JSON Error Script | JSON to display the error messages in Headless V2 theme. |
Configuring Google reCAPTCHA for KOBIL CAPTCHA
To enable Google reCAPTCHA, you need to configure the CAPTCHA_SITE_KEY and CAPTCHA_SECRET_KEY in the Realm settings. Follow these steps:
- Open a web browser and navigate to the Google reCAPTCHA page.
- Click Get Started to begin the process.
- Enter a name in Label to identify your reCAPTCHA.
- Select the Challenge Type.
- Add the Domain where the CAPTCHA will be used.
- Click Submit to generate the Site Key and Secret Key.
- Once generated, add the CAPTCHA_SITE_KEY and CAPTCHA_SECRET_KEY under the KOBIL tab by clicking Add Attribute.
Updating Content Security Policy for Google reCAPTCHA
To ensure Keycloak functions correctly when integrating CAPTCHA services from a different domain, it is necessary to configure the Content-Security-Policy. By configuring the Content Security Policy, you explicitly tell the browser to trust and allow content from the CAPTCHA provider's domain, so that the CAPTCHA widget can be loaded within Keycloak's authentication pages. For Google reCAPTCHA, you must update the Content-Security-Policy parameter in the Realm settings.
- Navigate to Realm Settings.
- Go to Security Defenses tab.
- Locate the Content-Security-Policy parameter field.
- Add https://www.google.com to the frame-src directive.
- Save the configuration.
To ensure Google reCAPTCHA functions correctly, you must specify the reCAPTCHA domain in the Content-Security-Policy.
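The following is an added example, not part of the KOBIL or Keycloak documentation, that shows what the CSP change above does at the header level. The starting policy is a constructed sample matching the form of Keycloak's default (frame-src 'self'; frame-ancestors 'self'; object-src 'none';); verify the actual value in your own realm. The helpers parse a Content-Security-Policy value, check whether an iframe source is permitted (honouring the browser's frame-src → child-src → default-src fallback), and append the reCAPTCHA origin to frame-src without disturbing the other directives.

```python
"""Check and update the frame-src directive of a Content-Security-Policy value.

Added example; the sample policy below is constructed to resemble Keycloak's
default and is not taken from any real deployment.
"""

from typing import Dict, List

# The origin the reCAPTCHA challenge iframe is served from (as named on the page).
RECAPTCHA_FRAME_SOURCE = "https://www.google.com"

# Constructed sample resembling Keycloak's default realm CSP (assumption).
SAMPLE_DEFAULT_CSP = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}, preserving order."""
    directives: Dict[str, List[str]] = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if not parts:
            continue
        name, *sources = parts
        directives[name.lower()] = sources
    return directives


def serialize_csp(directives: Dict[str, List[str]]) -> str:
    """Render the directive map back into a header value."""
    rendered = [f"{name} {' '.join(sources)}".rstrip() for name, sources in directives.items()]
    return "; ".join(rendered) + ";"


def allows_frame_source(csp: str, source: str) -> bool:
    """Return True if the policy lets `source` be embedded in an iframe.

    Browsers resolve frame-src, then child-src, then default-src; if none is
    present the policy places no restriction on frames. Only an exact source
    expression or '*' counts as a match here; scheme-only and wildcard-host
    expressions are not expanded.
    """
    directives = parse_csp(csp)
    for name in ("frame-src", "child-src", "default-src"):
        if name in directives:
            return source in directives[name] or "*" in directives[name]
    return True


def add_frame_source(csp: str, source: str) -> str:
    """Return a policy that additionally allows `source` in frame-src."""
    directives = parse_csp(csp)
    if "frame-src" not in directives:
        # Seed frame-src with the directive the browser would otherwise fall
        # back to, so existing permissions are kept rather than narrowed.
        inherited = directives.get("child-src") or directives.get("default-src") or []
        directives["frame-src"] = list(inherited)
    if source not in directives["frame-src"]:
        directives["frame-src"].append(source)
    return serialize_csp(directives)


if __name__ == "__main__":
    print("before:", SAMPLE_DEFAULT_CSP, allows_frame_source(SAMPLE_DEFAULT_CSP, RECAPTCHA_FRAME_SOURCE))
    updated = add_frame_source(SAMPLE_DEFAULT_CSP, RECAPTCHA_FRAME_SOURCE)
    print("after: ", updated, allows_frame_source(updated, RECAPTCHA_FRAME_SOURCE))
```

Only frame-src is widened; frame-ancestors (who may embed the Keycloak page) and object-src stay as they were, which is the least-privilege change the page calls for.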
CAPTCHA Authentication Workflow
User validation is a prerequisite for the CAPTCHA authenticator. This validation can be performed using any authenticator that can validate the user, such as the KOBIL Cookie authenticator and the KOBIL Username Password Form authenticator.
User flow
- KOBIL Captcha must be preceded by One-Factor Authentication (1FA), for instance KOBIL Cookie.
- If the user is successfully authenticated into Keycloak, the user is prompted with a CAPTCHA.
- The user solves the CAPTCHA, and Keycloak verifies the response with the reCAPTCHA service.
- Upon successful CAPTCHA verification, Keycloak grants the user access to the application.
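The third step above, server-side verification of the solved challenge, is where the CAPTCHA_SECRET_KEY is used. The example below is added here and is not the authenticator's own code; it assumes Google's documented siteverify endpoint (https://www.google.com/recaptcha/api/siteverify, which the page does not name) and its JSON reply fields `success`, `hostname` and `error-codes`. The HTTP call is injectable so the constructed replies run offline; the function fails closed on a missing token, a transport error, an unparseable body, a `success` of false, or a `hostname` that does not match the realm's own host.

```python
"""Server-side reCAPTCHA verification, as performed after the user submits the widget token.

Added example, not the KOBIL authenticator's code. The endpoint and reply
fields follow Google's published siteverify API; the sample replies are
constructed for offline use.
"""

import json
from typing import Any, Callable, Dict, Mapping, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Constructed sample replies in the shape the siteverify API returns.
SAMPLE_OK_REPLY = b'{"success": true, "hostname": "login.example.com", "challenge_ts": "2024-01-01T00:00:00Z"}'
SAMPLE_WRONG_HOST_REPLY = b'{"success": true, "hostname": "attacker.example.net"}'
SAMPLE_FAILED_REPLY = b'{"success": false, "error-codes": ["invalid-input-response"]}'


def http_post(url: str, fields: Mapping[str, str]) -> bytes:
    """Real transport: form-encoded POST (only used when no fake is injected)."""
    request = Request(url, data=urlencode(fields).encode(), method="POST")
    with urlopen(request, timeout=5) as response:
        return response.read()


def verify_captcha(
    secret_key: str,
    response_token: str,
    expected_hostname: str,
    remote_ip: Optional[str] = None,
    post: Callable[[str, Mapping[str, str]], bytes] = http_post,
) -> bool:
    """Return True only when the provider confirms the token for our own hostname."""
    if not response_token:
        # The form was submitted without a solved challenge; do not call out at all.
        return False
    fields: Dict[str, str] = {"secret": secret_key, "response": response_token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        reply: Dict[str, Any] = json.loads(post(SITEVERIFY_URL, fields))
    except (OSError, ValueError):
        # Network failure or malformed body: fail closed rather than let the user through.
        return False
    if reply.get("success") is not True:
        return False
    # A token solved on another site with the same site key must not be accepted here.
    return reply.get("hostname") == expected_hostname


def fake_post(reply: bytes) -> Callable[[str, Mapping[str, str]], bytes]:
    """Build an offline transport that records nothing and returns a canned reply."""
    return lambda url, fields: reply


if __name__ == "__main__":
    for label, reply in (("ok", SAMPLE_OK_REPLY), ("wrong host", SAMPLE_WRONG_HOST_REPLY), ("failed", SAMPLE_FAILED_REPLY)):
        result = verify_captcha("SECRET_KEY_PLACEHOLDER", "token", "login.example.com", post=fake_post(reply))
        print(f"{label}: {result}")
```

The hostname comparison matters because the siteverify reply reports where the challenge was rendered, not where the token was redeemed; checking it against the realm's own host stops a token obtained elsewhere from satisfying this step.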