p08dev / keycloak-hcaptcha

Keycloak deployment that provides similar functionality to Google reCaptcha, but with a more privacy friendly provider named hCaptcha.

License: MIT License

Language: Java 100.00%
Topics: keycloak, captcha, keycloak-extension, hcaptcha

keycloak-hcaptcha's Introduction

keycloak-hcaptcha

I am currently not adding any new features, updates or fixes. Feel free to open a PR!

To safeguard registration against bots, Keycloak ships with an integration for Google reCAPTCHA. This extension provides the same functionality with a more privacy-friendly provider, hCaptcha. The code is based on the vanilla reCAPTCHA implementation in Keycloak.

Installation

Download the newest release JAR (or compile it yourself, see below) and drop it into your_keycloak_installation/providers. On the Quarkus distribution, run bin/kc.sh build afterwards so that the new provider is picked up.

Step 1

There are a few steps you need to perform in the Keycloak Admin Console. Click the Authentication left menu item and go to the Flows tab. Select the Registration flow from the drop-down list on this page.

(Screenshot: Registration Flow)

Step 2

Make a copy of the Registration flow and add the hCaptcha execution to the Registration Form of the copied flow.

(Screenshot: hCaptcha Registration Flow)

Step 3

Set the 'hCaptcha' requirement to Required by clicking the appropriate radio button. This enables hCaptcha on the registration screen. Next, enter the hCaptcha site key and secret that you generated on the hCaptcha.com website: click the 'Actions' button to the right of the hCaptcha flow entry, then the 'Config' link, and enter the site key and secret on that config page. The site key is public (it is rendered into the registration page); the secret is only used server-side to verify the captcha response, so treat it as a credential.

(Screenshot: hCaptcha Config Page)

Step 4

Now you have to change one of the default HTTP response headers that Keycloak sets. Keycloak's default Content-Security-Policy only allows frames from its own origin (frame-src 'self') and forbids other sites from framing its pages (frame-ancestors 'self'); the latter is what prevents clickjacking. The hCaptcha widget is itself an iframe served by hCaptcha, so the registration page must be allowed to embed it. Go to the Realm Settings left menu item, then to the Security Defenses tab, and add https://newassets.hcaptcha.com to the frame-src directive of the Content-Security-Policy header. Leave frame-ancestors and X-Frame-Options unchanged: the screenshot also shows the hCaptcha host in X-Frame-Options, but that is not needed (it would only be relevant for letting hCaptcha frame your Keycloak pages, which is not what the widget does).
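To verify the header value you saved in Security Defenses, here is an added example (not code from keycloak-hcaptcha or Keycloak) that parses a Content-Security-Policy value and checks the two properties that matter here: the hCaptcha widget origin is present in frame-src, and frame-ancestors is still restricted to 'self' (or 'none') so the clickjacking defence is intact. The default policy string is Keycloak's stock value; hcaptcha_csp() derives the corrected value from it without touching any other directive.

```python
"""Check the Content-Security-Policy value set under Realm Settings > Security Defenses.

Added example, not code from keycloak-hcaptcha. The hCaptcha widget is an
iframe served from newassets.hcaptcha.com that the registration page embeds,
so its origin must be allowed in frame-src. frame-ancestors governs who may
frame Keycloak's own pages and must stay as restrictive as before.
"""

HCAPTCHA_FRAME_ORIGIN = "https://newassets.hcaptcha.com"

# The value Keycloak ships by default for the Content-Security-Policy header.
KEYCLOAK_DEFAULT_CSP = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def serialize_csp(policy: dict[str, list[str]]) -> str:
    """Inverse of parse_csp, in the same 'directive sources; ...;' layout Keycloak uses."""
    return "; ".join(f"{name} {' '.join(sources)}".rstrip() for name, sources in policy.items()) + ";"


def check_hcaptcha_csp(header: str) -> dict[str, bool]:
    """Report the properties a correct hCaptcha-enabled policy must have."""
    policy = parse_csp(header)
    return {
        # The widget iframe sits on our page: its origin must be in frame-src.
        "widget_allowed": HCAPTCHA_FRAME_ORIGIN in policy.get("frame-src", []),
        # Nothing about hCaptcha needs other sites to frame Keycloak, so the
        # clickjacking defence (frame-ancestors 'self' or 'none') must be untouched.
        "clickjacking_protected": policy.get("frame-ancestors") in (["'self'"], ["'none'"]),
        "object_src_locked": policy.get("object-src") == ["'none'"],
    }


def hcaptcha_csp(header: str = KEYCLOAK_DEFAULT_CSP) -> str:
    """Return `header` with the hCaptcha origin added to frame-src and nothing else changed."""
    policy = parse_csp(header)
    frame_src = policy.setdefault("frame-src", ["'self'"])
    if HCAPTCHA_FRAME_ORIGIN not in frame_src:
        frame_src.append(HCAPTCHA_FRAME_ORIGIN)
    return serialize_csp(policy)


if __name__ == "__main__":
    print("default:", check_hcaptcha_csp(KEYCLOAK_DEFAULT_CSP))
    print("fixed:  ", hcaptcha_csp())
```

Paste the header the server actually returns for the registration page (for example from curl -sI) into check_hcaptcha_csp to confirm the saved setting is the one being served. A policy that lists the hCaptcha host in frame-ancestors as well is reported as not clickjacking-protected, which is exactly the over-permissive variant the X-Frame-Options note above warns against.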

(Screenshot: Authorizing Iframes)

Step 5

To show the hCaptcha you need to modify the registration template. In the legacy WildFly distribution the files are in your Keycloak installation under themes/base/login/. If you use the user profile preview feature (Keycloak started with the -Dkeycloak.profile=preview flag), edit register-user-profile.ftl, otherwise register.ftl. Edits to the base theme are lost on upgrade, so prefer copying the file into a custom theme under themes/<your-theme>/login/ and making the change there; on the Quarkus distribution the stock themes are not unpacked into themes/ at all, so a custom theme is the only option. Add the following code beneath the reCAPTCHA code:

<#-- hcaptchaRequired, hcaptchaCompact and hcaptchaSiteKey are form attributes set by the hCaptcha execution -->
<#if hcaptchaRequired??>
    <div class="form-group">
        <div class="${properties.kcInputWrapperClass!}">
            <div class="h-captcha" data-size="<#if hcaptchaCompact?? && hcaptchaCompact=="true">compact<#else>normal</#if>" data-sitekey="${hcaptchaSiteKey}"></div>
        </div>
    </div>
</#if>

(Screenshot: Registration Template)

Step 6

In the last step, change the realm's registration flow binding to the newly created flow (Authentication, Bindings tab) and save. Once you do this, the hCaptcha shows on the registration page and protects your site from bots!

(Screenshot: Authentication Bindings)

Compiling it yourself

Clone the repository:

git clone https://github.com/p08dev/keycloak-hcaptcha.git

Inside the repository, compile it using Maven with Java 17:

mvn clean compile package

You can point Maven at a specific JDK by setting the JAVA_HOME environment variable for the command:

JAVA_HOME=/usr/lib/jvm/java-17-oracle/ mvn clean compile package

License

MIT

keycloak-hcaptcha's People

Contributors

dependabot[bot], jwausle, mwllgr, p08dev


keycloak-hcaptcha's Issues

X-FRAME-OPTIONS shouldn't be needed

Only adding hcaptcha.com to Content-Security-Policy > frame-src should be enough to allow hCaptcha to be loaded inside an iframe.

From my understanding, adding hcaptcha.com to X-Frame-Options allows hcaptcha.com to load YOUR Keycloak page in their website inside an iframe. (X-Frame-Options as a fall-back for frame-ancestors in very old browsers)

See Mozilla:

Sites can use this [X-Frame-Options] [...] ensuring that their content is not embedded into other sites.

Error on submit: java.lang.NoSuchMethodError: org.keycloak.http.HttpRequest.getDecodedFormParameters()

Hey,
just as a heads-up, right now, the following error appears on the registration form submit for the latest Keycloak version:

keycloak_1  | 2023-11-02 21:24:52,223 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-67) Uncaught server error: java.lang.NoSuchMethodError: 'javax.ws.rs.core.MultivaluedMap org.keycloak.http.HttpRequest.getDecodedFormParameters()'
keycloak_1  |   at de.itrupp.p8.keycloak.authenticator.RegistrationhCaptcha.validate(RegistrationhCaptcha.java:129)
keycloak_1  |   at org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:215)
keycloak_1  |   at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:133)
keycloak_1  |   at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:986)
keycloak_1  |   at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:378)
keycloak_1  |   at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:722)
keycloak_1  |   at org.keycloak.services.resources.LoginActionsService.registerRequest(LoginActionsService.java:778)
keycloak_1  |   at org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:756)
keycloak_1  |   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
keycloak_1  |   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
keycloak_1  |   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
keycloak_1  |   at java.base/java.lang.reflect.Method.invoke(Method.java:568)
keycloak_1  |   at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:154)
keycloak_1  |   at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:118)
keycloak_1  |   at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:560)
keycloak_1  |   at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:452)
keycloak_1  |   at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:413)
keycloak_1  |   at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:321)
keycloak_1  |   at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:415)
keycloak_1  |   at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:378)
keycloak_1  |   at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:174)
keycloak_1  |   at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:131)
keycloak_1  |   at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:33)
keycloak_1  |   at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:429)
keycloak_1  |   at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:240)
keycloak_1  |   at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:154)
keycloak_1  |   at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:321)
keycloak_1  |   at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:157)
keycloak_1  |   at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:229)
keycloak_1  |   at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:82)
keycloak_1  |   at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:147)
keycloak_1  |   at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:84)
keycloak_1  |   at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:44)
keycloak_1  |   at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
keycloak_1  |   at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:177)
keycloak_1  |   at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
keycloak_1  |   at io.quarkus.vertx.http.runtime.options.HttpServerCommonHandlers$1.handle(HttpServerCommonHandlers.java:58)
keycloak_1  |   at io.quarkus.vertx.http.runtime.options.HttpServerCommonHandlers$1.handle(HttpServerCommonHandlers.java:36)
keycloak_1  |   at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
keycloak_1  |   at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:177)
keycloak_1  |   at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
keycloak_1  |   at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)
keycloak_1  |   at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
keycloak_1  |   at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
keycloak_1  |   at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
keycloak_1  |   at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
keycloak_1  |   at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
keycloak_1  |   at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
keycloak_1  |   at java.base/java.lang.Thread.run(Thread.java:833)

I am looking for a fix.
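The error above is what a provider built against the javax.* API produces when loaded by Keycloak 22 or later, which moved to the jakarta.* namespace: the method descriptor in the message names javax.ws.rs.core.MultivaluedMap as the return type the extension expects. Here is an added check (example code, not part of keycloak-hcaptcha) that inspects a provider JAR for such references before it is dropped into providers/. The class-file entry name reuses the class from the stack trace; the JAR contents built by build_sample_jar are constructed.

```python
"""Flag provider JARs compiled against the pre-Jakarta (javax.*) Keycloak API.

Added example, not part of keycloak-hcaptcha. Keycloak 22 moved from the
javax.* to the jakarta.* namespace; a provider built against an older Keycloak
SPI still expects HttpRequest.getDecodedFormParameters() to return
javax.ws.rs.core.MultivaluedMap and fails with the NoSuchMethodError above.
Class files store referenced class names as plain strings in the constant
pool, so a byte search over each .class entry finds them before deployment.
"""
import io
import sys
import zipfile

# Package prefixes (internal JVM form) that moved to jakarta/* with Keycloak 22.
LEGACY_PREFIXES = (b"javax/ws/rs/", b"javax/persistence/", b"javax/servlet/")


def scan_jar(jar_bytes: bytes) -> dict[str, list[str]]:
    """Return {class entry: [legacy prefixes it references]} for every class with a hit."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            data = jar.read(entry)
            hits = sorted(p.decode() for p in LEGACY_PREFIXES if p in data)
            if hits:
                findings[entry] = hits
    return findings


def jakarta_ready(jar_bytes: bytes) -> bool:
    """True when no class in the JAR references a javax.* package that moved."""
    return not scan_jar(jar_bytes)


def build_sample_jar(class_references: bytes) -> bytes:
    """Constructed stand-in: a JAR with one fake class file whose bytes contain the given
    reference string. The entry name reuses the class named in the stack trace above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("de/itrupp/p8/keycloak/authenticator/RegistrationhCaptcha.class",
                     b"\xca\xfe\xba\xbe" + class_references)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage (file name is arbitrary): python scan_provider_jar.py providers/keycloak-hcaptcha.jar
    with open(sys.argv[1], "rb") as f:
        report = scan_jar(f.read())
    for entry, refs in report.items():
        print(f"{entry}: {', '.join(refs)}")
    sys.exit(1 if report else 0)
```

A non-empty report means the JAR was compiled against the old SPI and needs rebuilding against a Keycloak 22+ SPI (jakarta.ws.rs) before it will work on a current server; a clean report does not prove API compatibility in general, only that this particular class of failure is absent.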

New Release?

Hey, any chance this is getting a new release any time soon?

I packaged this for Archlinux yesterday to fight the spam we are getting in our gitlab instance (via keycloak) and the package currently builds off the master branch.

How to integrate this captcha in keycloak with quarkus?

Hi!

I tried to install this provider in my keycloak 23.0.4.
And I did not find the files register-user-profile.ftl and register.ftl because the theme folder is empty...

It looks like the Quarkus distribution does something different from the old WildFly one.

How can I modify my Keycloak to get the captcha shown?
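Step 5 of the README edits the stock register.ftl in place, and the question above shows why that fails on the Quarkus distribution: the stock themes are not unpacked under themes/, they ship inside a themes JAR. The following is an added example (not code from keycloak-hcaptcha or from Keycloak) that reads register.ftl from that JAR, inserts the hCaptcha block from Step 5 directly after the reCAPTCHA block, and writes the result into a custom theme under themes/<name>/login/ together with a theme.properties. Assumptions to verify against your version: the JAR path pattern lib/lib/main/org.keycloak.keycloak-themes-*.jar, the resource path theme/base/login/register.ftl inside it, and parent=keycloak as the inherited login theme. The register.ftl the script uses when run on its own is a constructed, cut-down stand-in.

```python
"""Build a custom login theme that carries the hCaptcha registration snippet.

Added example, not part of keycloak-hcaptcha or Keycloak. On the Quarkus
distribution the stock themes ship inside a themes JAR under lib/lib/main
(path pattern and the resource path theme/base/login/register.ftl are
assumptions). register.ftl is read from that JAR, the hCaptcha block is
inserted after the reCAPTCHA block, and the result is written to
themes/<name>/login/ with a theme.properties inheriting from "keycloak"
(also an assumption; use the login theme your realm actually uses).
"""
import glob
import io
import pathlib
import tempfile
import zipfile

HCAPTCHA_BLOCK = """<#if hcaptchaRequired??>
    <div class="form-group">
        <div class="${properties.kcInputWrapperClass!}">
            <div class="h-captcha" data-size="<#if hcaptchaCompact?? && hcaptchaCompact=="true">compact<#else>normal</#if>" data-sitekey="${hcaptchaSiteKey}"></div>
        </div>
    </div>
</#if>
"""


def find_themes_jar(keycloak_home: str) -> str:
    """Locate the themes JAR of a Quarkus distribution (path pattern assumed)."""
    matches = glob.glob(f"{keycloak_home}/lib/lib/main/org.keycloak.keycloak-themes-*.jar")
    if not matches:
        raise FileNotFoundError("themes JAR not found under lib/lib/main")
    return matches[0]


def _if_block_end(template: str, inside: int) -> int:
    """Index just past the </#if> matching the <#if ...> that encloses `inside`."""
    pos, depth = template.rfind("<#if", 0, inside), 0
    while True:
        nxt_open, nxt_close = template.find("<#if", pos), template.find("</#if>", pos)
        if nxt_close == -1:
            raise ValueError("unbalanced <#if> in template")
        if nxt_open != -1 and nxt_open < nxt_close:
            depth, pos = depth + 1, nxt_open + len("<#if")
        else:
            depth, pos = depth - 1, nxt_close + len("</#if>")
            if depth == 0:
                return pos


def insert_after_recaptcha(template: str) -> str:
    """Return register.ftl with the hCaptcha block placed right after the reCAPTCHA block."""
    if "hcaptchaRequired??" in template:
        return template  # already patched; keep the operation idempotent
    marker = template.find("recaptchaRequired??")
    if marker == -1:
        raise ValueError("no reCAPTCHA block in register.ftl; not a base-derived template?")
    end = _if_block_end(template, marker)
    return template[:end] + "\n" + HCAPTCHA_BLOCK + template[end:]


def build_theme(themes_jar: bytes, themes_dir: pathlib.Path, name: str = "hcaptcha",
                entry: str = "theme/base/login/register.ftl", parent: str = "keycloak") -> str:
    """Write themes/<name>/login/{register.ftl,theme.properties}; return the patched template."""
    with zipfile.ZipFile(io.BytesIO(themes_jar)) as jar:
        template = jar.read(entry).decode("utf-8")
    login_dir = themes_dir / name / "login"
    login_dir.mkdir(parents=True, exist_ok=True)
    patched = insert_after_recaptcha(template)
    (login_dir / "register.ftl").write_text(patched, encoding="utf-8")
    (login_dir / "theme.properties").write_text(f"parent={parent}\n", encoding="utf-8")
    return patched


# Constructed stand-in for the real themes JAR: a cut-down register.ftl with the
# reCAPTCHA block the stock base theme carries (the rest of the form is omitted).
SAMPLE_REGISTER_FTL = """<form id="kc-register-form">
<#if recaptchaRequired??>
    <div class="form-group">
        <div class="${properties.kcInputWrapperClass!}">
            <div class="g-recaptcha" data-size="compact" data-sitekey="${recaptchaSiteKey}"></div>
        </div>
    </div>
</#if>
</form>
"""


def sample_themes_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("theme/base/login/register.ftl", SAMPLE_REGISTER_FTL)
    return buf.getvalue()


def demo() -> str:
    """Run build_theme against the constructed JAR in a temp dir; return the patched template."""
    return build_theme(sample_themes_jar(), pathlib.Path(tempfile.mkdtemp()))


if __name__ == "__main__":
    print(demo())
```

After writing the theme, select it as the Login Theme under Realm Settings > Themes. If your realm uses a different login theme (keycloak.v2, for example), take register.ftl from that theme's directory inside the JAR and set parent accordingly, since its template differs from the base one.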
