
ReCAPTCHA

Overview

In each realm of your Keycloak, you can require reCAPTCHA on the registration form. Google reCAPTCHA distinguishes humans from automated clients, so that bots cannot fill out and submit forms on a human's behalf. This native feature lets you protect your Keycloak registration against automated sign-ups.

Keycloak registration - reCAPTCHA

Use cases

CIAM

Adding reCAPTCHA to a CIAM registration flow keeps bot-created accounts out of the customer base, which protects user and company data, keeps customer interactions genuine and makes the account base easier to manage in line with current standards.

IAM

By integrating a reCAPTCHA into the account creation process, an IAM system strengthens its protection against automated threats while providing a better experience for end users.

Pros & Cons

Pros

  • Enhanced Security Against Bots and Automated Attacks: Blocks scripted, bulk account creation on the registration form, which is the usual first step of abuse such as spam accounts and credential farming. Note that this form action protects registration only; protection of the login form against brute force is Keycloak's separate brute force detection feature.
  • Improved User Experience: Adapts security measures based on user behavior, reducing friction and ensuring a seamless experience for genuine customers.

Cons

  • User experience impact: If not properly tuned, reCAPTCHA challenges can become annoying for users, leading to abandonment of the registration process.
  • Accessibility Issues: Users with disabilities may struggle with certain types of reCAPTCHA challenges, which could lead to exclusion or discrimination if not handled correctly.
  • False Positives: Legitimate users may occasionally be flagged as suspicious, resulting in unnecessary challenges and a potential negative impact on the user experience.

Supported by Keycloak

Yes, natively supported and configurable on Managed Keycloak by Cloud-IAM.

Configuration

How to configure reCAPTCHA on Keycloak

This tutorial is a quick guide to configuring reCAPTCHA on the registration flow, covering the Keycloak console steps and how to test the feature. It uses the Google reCAPTCHA service (https://www.google.com/recaptcha/about/).

This tutorial does not cover all the necessary security best practices for a complete configuration.

Google reCAPTCHA - Create a new project

  1. Open Google reCAPTCHA
  2. Go to Get started with enterprise
  3. In the Project name section, enter a name (here: tutorial-demo-keycloak) (1.)
  4. Select your domain (here: your-domain.com) (2.)
  5. Then click on GET STARTED
Google reCAPTCHA - Create a new project

Google reCAPTCHA - Configuration of the reCAPTCHA

  1. Open the reCAPTCHA section
  2. Enter a Display name (here: keycloak-registration) (1.)
  3. Make sure Website is selected in the Platform type section (2.)
  4. Enter the Domain (here: your-keycloak-domain.com); this must be the hostname on which users reach the Keycloak registration page, otherwise the widget will refuse to render there (3.)
Google reCAPTCHA - Configuration of the reCAPTCHA P.1
  5. Select Use tick box challenge in the Key type section (4.)
  6. Select Harder difficulty (5.)
  7. Then click on CREATE KEY
Google reCAPTCHA - Configuration of the reCAPTCHA P.2

Keycloak console - Access registration flow

  1. In another window, open your Keycloak admin console
  2. Select your realm from the dropdown list (here: tutorial-demo)
  3. Click on Authentication (1.)
  4. Select the Flows section (2.)
  5. Click on Registration (3.)
[Keycloak Console] - Access registration flow

Keycloak console & Google reCAPTCHA - Set reCAPTCHA as required

  1. On the reCAPTCHA row, select Required from the dropdown list
  2. Then click on ⚙️ to configure reCAPTCHA
[Keycloak Console] - Set reCAPTCHA as required

Keycloak console & Google reCAPTCHA - Configure reCAPTCHA

  1. Enter an Alias (here: google-reCAPTCHA)
  2. From Google reCAPTCHA, copy the ID shown next to the key's title (here: ABCD-12345-EFGH-6789); this is the public site key that ends up in the registration page HTML
  3. Paste it into the reCAPTCHA Site Key field of the Keycloak form
[Keycloak Console] - Configure reCAPTCHA P.1
  4. From Google reCAPTCHA, in the Integration section (1.), click on USE LEGACY KEY (2.); Keycloak's reCAPTCHA form action verifies the submitted token server-side with this legacy (v2) secret, which is why the Enterprise API key is not what goes into Keycloak
  5. Copy the Secret Key (here: 9876-ZYXWV-654321); it stays server-side only and must never appear in the page, unlike the site key
  6. Paste it into the reCAPTCHA Secret field of the Keycloak form
  7. Then click on Save
[Keycloak Console] - Configure reCAPTCHA P.2

Keycloak console - Add google reCAPTCHA on content security policy

  1. Click on Realm settings (1.)
  2. Select the Security defenses section (2.)
  3. Add https://www.google.com/recaptcha/ to the frame-src directive of the Content-Security-Policy header (for example: frame-src 'self' https://www.google.com/recaptcha/; frame-ancestors 'self'; object-src 'none';). The widget is an iframe served from that origin, and Keycloak's default policy only allows 'self', so without this change the tick box never renders and nobody can register.
  4. Then click on Save

You have now configured reCAPTCHA on your Keycloak registration form.

[Keycloak Console] - Add Google on content security policy
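The CSP step above is the one most often got wrong (the origin added to frame-ancestors instead of frame-src, or the whole header replaced). The following added example, which is not Keycloak's or Cloud-IAM's code, edits only the frame-src directive of a CSP value, leaves the other directives intact, and checks whether a given policy will let the widget iframe load. KEYCLOAK_DEFAULT_CSP is Keycloak's shipped default for the Security defenses header; RECAPTCHA_ORIGIN is the origin from the step above; fetch_csp needs network access and is not exercised offline.

```python
"""Add the reCAPTCHA origin to Keycloak's Content-Security-Policy frame-src directive.

Added example for this tutorial; it is not Keycloak's or Cloud-IAM's code.
KEYCLOAK_DEFAULT_CSP is the value Keycloak ships under Realm settings >
Security defenses; RECAPTCHA_ORIGIN is the origin the tutorial tells you to add.
"""
from collections import OrderedDict
import urllib.request

KEYCLOAK_DEFAULT_CSP = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
RECAPTCHA_ORIGIN = "https://www.google.com/recaptcha/"


def parse_csp(value):
    """Split a CSP header value into an ordered {directive-name: [source...]} map."""
    directives = OrderedDict()
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_csp(directives):
    """Inverse of parse_csp, in the "name src src; name src;" form Keycloak uses."""
    return "; ".join(" ".join([name] + sources) for name, sources in directives.items()) + ";"


def allow_frame_source(csp, origin=RECAPTCHA_ORIGIN):
    """Return csp with origin added to frame-src only; every other directive is left alone.

    The reCAPTCHA widget is an iframe served from www.google.com/recaptcha/, so it is
    frame-src (not frame-ancestors, which governs who may embed Keycloak) that must list it.
    """
    directives = parse_csp(csp)
    sources = directives.get("frame-src")
    if sources is None:
        # Without frame-src, browsers fall back to child-src and then default-src.
        # Create it explicitly so only the widget origin is opened up, nothing else.
        sources = ["'self'"]
        directives["frame-src"] = sources
    if origin not in sources:
        sources.append(origin)
    return serialize_csp(directives)


def frame_allowed(csp, origin=RECAPTCHA_ORIGIN):
    """Exact-match check that the policy lets the widget iframe load.

    Follows the frame-src -> child-src -> default-src fallback chain. Only a literal
    listing of the origin or '*' counts; scheme-only and wildcard-host sources are not
    expanded, which is enough for checking Keycloak's own default policy.
    """
    directives = parse_csp(csp)
    for name in ("frame-src", "child-src", "default-src"):
        if name in directives:
            return origin in directives[name] or "*" in directives[name]
    return True  # no governing directive: frames are unrestricted


def fetch_csp(page_url):
    """Read the Content-Security-Policy header Keycloak actually sends (needs network)."""
    with urllib.request.urlopen(page_url, timeout=10) as resp:
        return resp.headers.get("Content-Security-Policy", "")


if __name__ == "__main__":
    print("before:", KEYCLOAK_DEFAULT_CSP, frame_allowed(KEYCLOAK_DEFAULT_CSP))
    fixed = allow_frame_source(KEYCLOAK_DEFAULT_CSP)
    print("after: ", fixed, frame_allowed(fixed))
```

After saving the realm settings, point fetch_csp at the URL of the realm's registration page (the page that shows the form) and run frame_allowed on what comes back; a False there explains a blank space where the tick box should be before you start looking at the site key.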

Keycloak register screen - Account Creation with reCAPTCHA

During account creation, the user has to tick "I'm not a robot". If the box is not ticked, or the token it produces fails Keycloak's server-side verification with the secret, the form is rejected and no account is created.

[Keycloak register screen] - Account Creation with reCAPTCHA
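To make the secret-key step and the registration behaviour above concrete, here is an added example, not Keycloak's or Cloud-IAM's code, of the server-side check a registration form performs with the reCAPTCHA secret: it mirrors the shape of what Keycloak's reCAPTCHA form action does when the form is submitted. SITEVERIFY_URL and the secret/response/remoteip request fields and success/hostname/error-codes reply fields are Google's documented v2 siteverify API; the hostname comparison is an extra check this example adds beyond the success flag. The transport is injected, and FAKE_REPLIES are constructed (not captured from Google), so the demo runs offline and covers the untick, replay, wrong-site and outage cases.

```python
"""Server-side check of a reCAPTCHA v2 token, mirroring what Keycloak's reCAPTCHA
form action does with the secret pasted into the Keycloak form.

Added example, not Keycloak's or Cloud-IAM's code. SITEVERIFY_URL and the
request/reply fields are Google's documented v2 siteverify API; the transport is
injected so the demo below runs offline against constructed replies. The hostname
comparison is an extra check this example adds on top of the success flag.
"""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def siteverify_http(url, form):
    """Real transport: form-encoded POST to Google, JSON reply (needs network)."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return json.load(resp)


def verify_registration_token(secret, token, expected_hostname, remote_ip=None, post=siteverify_http):
    """Return (accepted, reason) for one submitted registration form.

    secret - the reCAPTCHA Secret (server side only; never the public Site Key)
    token  - the g-recaptcha-response field the widget fills in once the box is ticked
    """
    if not secret:
        return False, "misconfigured: no secret, refusing all registrations"
    if not token:
        # Submitted without ticking the box: the hidden field is empty, so the
        # form is rejected before any network call is made.
        return False, "missing g-recaptcha-response"
    form = {"secret": secret, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip
    try:
        reply = post(SITEVERIFY_URL, form)
    except Exception as exc:  # DNS, TLS, timeout: fail closed, never fail open
        return False, f"siteverify unreachable: {exc}"
    if not reply.get("success"):
        return False, "rejected: " + ",".join(reply.get("error-codes", ["unknown"]))
    if reply.get("hostname") != expected_hostname:
        # If the key's domain verification is off, a token solved on another site
        # still comes back "success": true, so the hostname is compared explicitly.
        return False, f"token solved on {reply.get('hostname')!r}, expected {expected_hostname!r}"
    return True, "ok"


# Constructed siteverify replies for the offline demo (not captured from Google).
FAKE_REPLIES = {
    "tok-good": {"success": True, "hostname": "your-keycloak-domain.com",
                 "challenge_ts": "2024-01-01T00:00:00Z"},
    "tok-replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    "tok-other-site": {"success": True, "hostname": "attacker.example"},
}


def fake_post(url, form):
    """Offline transport: answers from FAKE_REPLIES; unknown tokens are invalid."""
    assert url == SITEVERIFY_URL and "secret" in form
    return FAKE_REPLIES.get(form["response"],
                            {"success": False, "error-codes": ["invalid-input-response"]})


def unreachable_post(url, form):
    """Offline transport simulating a network failure towards Google."""
    raise OSError("siteverify: connection refused")


def demo():
    """Run the verifier over the constructed cases; returns {token: accepted}."""
    secret = "9876-ZYXWV-654321"  # the tutorial's placeholder secret, not a real key
    host = "your-keycloak-domain.com"
    cases = ["tok-good", "tok-replayed", "tok-other-site", "tok-unknown", ""]
    return {t: verify_registration_token(secret, t, host, post=fake_post)[0] for t in cases}


if __name__ == "__main__":
    for token, accepted in demo().items():
        print(f"{token!r:18} -> {'accept' if accepted else 'reject'}")
```

Two points carry over directly to the Keycloak setup: the secret only ever travels from the server to Google, which is why it belongs in the reCAPTCHA Secret field and never in the page or the Site Key field, and a token is single-use, so a replayed g-recaptcha-response comes back as timeout-or-duplicate and the registration is rejected.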

Resources