reCAPTCHA

This chapter guides you through the steps required to configure the reCAPTCHA module in Onegini IDP. reCAPTCHA is a free service from Google that helps protect websites from spam and abuse. A “CAPTCHA” is a test to tell humans and bots apart. It is easy for humans to solve, but hard for “bots” and other malicious software to figure out. By adding reCAPTCHA to a site, you can block automated software while letting legitimate users in with ease.

What you will need

To complete this topic guide, make sure you meet the following prerequisite:

  • you have access to a Google account, which will be used for generating the reCAPTCHA keys

Generate reCAPTCHA in Google

Visit https://www.google.com/recaptcha and click the blue Get reCAPTCHA button in the top right corner. Navigate to the Register a new site section and fill in the form following Google's instructions.

Configure reCAPTCHA in Onegini IDP

After the keys have been generated at Google, visit the http://idp-core.dev.onegini.me:8082/admin page and log in to the Onegini IDP admin console. Select the Smart security menu option and navigate to the ReCaptcha configuration tab. Fill in the form as follows:

  • Secret key - paste the generated secret key
  • Site key - paste the generated site key
  • Enabled - mark the reCAPTCHA functionality as enabled

Save your settings.

Configure reCAPTCHA when JavaScript is disabled

reCAPTCHA can only provide the optimal experience in terms of security and usability with JavaScript enabled.

If JavaScript has been disabled, reCAPTCHA provides an alternative verification challenge. Visit https://www.google.com/recaptcha and click the blue Get reCAPTCHA button in the top right corner. Navigate to Your reCAPTCHA sites and choose your site. Move the security preference slider to easiest for users. Keep in mind that with this setting reCAPTCHA won't be able to use all of its security features.

Testing

To test the reCAPTCHA module, try to log in to Onegini IDP with invalid credentials at least five times. You should then see the reCAPTCHA module under the password field. From this point on, you should only be able to log in once the reCAPTCHA is confirmed.

For test purposes you may use the reCAPTCHA test keys generated by Google. With the following test keys, you will always get No CAPTCHA and all verification requests will pass.

  • site key: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
  • secret key: 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe

The reCAPTCHA widget will show a warning message stating that it is for testing purposes only. Do NOT use these keys in a production environment: all verification requests pass with them, so they provide no protection.
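
The check below is an added example, not part of Onegini IDP or of the original guide. It audits the three settings from the form above (Site key, Secret key, Enabled) before a deployment and reports the test keys listed in this section if they reach production. The function name, its parameters and the placeholder key values are assumptions made for illustration.

```python
# Added example: audit of the Site key / Secret key / Enabled settings.
# audit_recaptcha and its parameters are hypothetical names, not an Onegini API.

# Google's published test keys, copied from the list in this guide.
TEST_SITE_KEY = "6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI"
TEST_SECRET_KEY = "6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe"
TEST_KEYS = {TEST_SITE_KEY, TEST_SECRET_KEY}


def audit_recaptcha(site_key, secret_key, enabled, production):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    for name, value in (("site key", site_key), ("secret key", secret_key)):
        if not value or not value.strip():
            findings.append(f"{name} is empty")
        elif value != value.strip():
            findings.append(f"{name} has leading or trailing whitespace")
    site = (site_key or "").strip()
    secret = (secret_key or "").strip()
    if site and site == secret:
        findings.append("site key and secret key are identical")
    if site == TEST_SECRET_KEY or secret == TEST_SITE_KEY:
        findings.append("test keys are pasted into the wrong fields")
    if production:
        if not enabled:
            findings.append("reCAPTCHA is disabled in production")
        if {site, secret} & TEST_KEYS:
            findings.append("Google test keys are configured in production")
    return findings


if __name__ == "__main__":
    # Constructed sample settings; the non-test values are placeholders.
    samples = {
        "dev with test keys": (TEST_SITE_KEY, TEST_SECRET_KEY, True, False),
        "prod with test keys": (TEST_SITE_KEY, TEST_SECRET_KEY, True, True),
        "prod, disabled": ("SITE-KEY-PLACEHOLDER", "SECRET-KEY-PLACEHOLDER ", False, True),
    }
    for label, args in samples.items():
        print(label, "->", audit_recaptcha(*args) or "OK")
```

Run it against the values exported from each environment and fail the deployment when the returned list is not empty.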