keycloak-scim/server_admin/topics/users/recaptcha.adoc

[[_recaptcha]]

= reCAPTCHA Support

To safeguard registration against bots, {project_name} has integration with Google reCAPTCHA.
To enable this you need to first go to link:https://developers.google.com/recaptcha/[Google Recaptcha Website]
and create an API key so that you can get your reCAPTCHA site key and secret.
(FYI, localhost works by default so you don't have to specify a domain).

Next, there are a few steps you need to perform in the {project_name} admin console.
Click the `Authentication` left menu item and go to the `Flows` tab.  Select the `Registration` flow from the drop down
list on this page.

.Registration Flow
image:{project_images}/registration-flow.png[]


Set the 'reCAPTCHA' requirement to `Required` by clicking the appropriate radio button.  This will enable
reCAPTCHA on the screen.  Next, you have to enter in the reCAPTCHA site key and secret that you generated at the Google reCAPTCHA Website.
Click on the 'Actions' button that is to the right of the reCAPTCHA flow entry, then "Config" link, and enter in the reCAPTCHA site key and secret on this config page.

.Recaptcha Config Page
image:{project_images}/recaptcha-config.png[]


The final step you have to do is to change some default HTTP response headers that {project_name} sets.  {project_name}
will prevent a website from including any login page within an iframe.  This is to prevent clickjacking attacks.  You need to
authorize Google to use the registration page within an iframe.  Go to
the `Realm Settings` left menu item and then go to the `Security Defenses` tab.  You will need to add `\https://www.google.com` to the
values of both the `X-Frame-Options` and `Content-Security-Policy` headers.

.Authorizing Iframes
image:{project_images}/security-headers.png[]

Once you do this, reCAPTCHA should show up on your registration page.  You may want to edit _register.ftl_ in your login
theme to experiment with the placement and styling of the reCAPTCHA button.  See the link:{developerguide_link}[{developerguide_name}]
for more information on extending and creating themes.
registration and recaptcha 2016-05-16 15:17:17 +00:00			`[[_recaptcha]]`

minor formatting and text changes 2020-10-26 19:16:20 +00:00			`= reCAPTCHA Support`
registration and recaptcha 2016-05-16 15:17:17 +00:00
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`To safeguard registration against bots, {project_name} has integration with Google reCAPTCHA.`
registration and recaptcha 2016-05-16 15:17:17 +00:00			`To enable this you need to first go to link:https://developers.google.com/recaptcha/[Google Recaptcha Website]`
Minor changes from beginning through Chapter 7, Authentication 2016-06-02 18:59:58 +00:00			`and create an API key so that you can get your reCAPTCHA site key and secret.`
RH602 and 642 updates 2016-12-01 22:17:15 +00:00			`(FYI, localhost works by default so you don't have to specify a domain).`
registration and recaptcha 2016-05-16 15:17:17 +00:00
Minor changes 2020-10-26 18:35:16 +00:00			`Next, there are a few steps you need to perform in the {project_name} admin console.`
Minor changes from beginning through Chapter 7, Authentication 2016-06-02 18:59:58 +00:00			Click the `Authentication` left menu item and go to the `Flows` tab. Select the `Registration` flow from the drop down
registration and recaptcha 2016-05-16 15:17:17 +00:00			`list on this page.`

			`.Registration Flow`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`image:{project_images}/registration-flow.png[]`
registration and recaptcha 2016-05-16 15:17:17 +00:00

Minor changes from beginning through Chapter 7, Authentication 2016-06-02 18:59:58 +00:00			Set the 'reCAPTCHA' requirement to `Required` by clicking the appropriate radio button. This will enable
			`reCAPTCHA on the screen. Next, you have to enter in the reCAPTCHA site key and secret that you generated at the Google reCAPTCHA Website.`
RH602 and 642 updates 2016-12-01 22:17:15 +00:00			`Click on the 'Actions' button that is to the right of the reCAPTCHA flow entry, then "Config" link, and enter in the reCAPTCHA site key and secret on this config page.`
registration and recaptcha 2016-05-16 15:17:17 +00:00
			`.Recaptcha Config Page`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`image:{project_images}/recaptcha-config.png[]`
registration and recaptcha 2016-05-16 15:17:17 +00:00

Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`The final step you have to do is to change some default HTTP response headers that {project_name} sets. {project_name}`
Minor changes from beginning through Chapter 7, Authentication 2016-06-02 18:59:58 +00:00			`will prevent a website from including any login page within an iframe. This is to prevent clickjacking attacks. You need to`
registration and recaptcha 2016-05-16 15:17:17 +00:00			`authorize Google to use the registration page within an iframe. Go to`
KEYCLOAK-5404 Add testing 2017-09-05 07:49:24 +00:00			the `Realm Settings` left menu item and then go to the `Security Defenses` tab. You will need to add `\https://www.google.com` to the
Minor changes from beginning through Chapter 7, Authentication 2016-06-02 18:59:58 +00:00			values of both the `X-Frame-Options` and `Content-Security-Policy` headers.
registration and recaptcha 2016-05-16 15:17:17 +00:00
			`.Authorizing Iframes`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`image:{project_images}/security-headers.png[]`
registration and recaptcha 2016-05-16 15:17:17 +00:00
Minor changes from beginning through Chapter 7, Authentication 2016-06-02 18:59:58 +00:00			`Once you do this, reCAPTCHA should show up on your registration page. You may want to edit _register.ftl_ in your login`
Minor changes 2020-10-26 18:35:16 +00:00			`theme to experiment with the placement and styling of the reCAPTCHA button. See the link:{developerguide_link}[{developerguide_name}]`
registration and recaptcha 2016-05-16 15:17:17 +00:00			`for more information on extending and creating themes.`