Setting Up ReCaptcha
reCAPTCHA is a free service provided by Google that can be used to protect against spam or other forms of internet abuse by verifying whether a user is a human or a robot. It comes in the form of a widget.
Let's learn how to set up and use reCaptcha with WSO2 Identity Server.
How it works
First, you will need to register and create an API key pair for the required domain. The key pair consists of a site key and site secret. The site key is used to display the reCaptcha widget on a web page. After the verification, a new parameter called g-recaptcha-response appears on the form, which can be submitted by the user. From the server side, you can verify the submitted captcha response by calling the Google API with the secret key.
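The server-side check described above, as an added example (it is not WSO2 Identity Server's own code): it posts the g-recaptcha-response value and the secret key to the verification URL, and treats a missing token, a network error, an unsuccessful reply, or a reply for a different hostname as a failure. The function names, the constructed sample replies, and the single expected hostname (the page's sample domain is.wso2.com) are assumptions.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"  # recaptcha.verify.url


def http_post_form(url, fields, timeout=5):
    """POST form-encoded fields and return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.load(resp)


def verify_recaptcha(token, secret, expected_hostname, post=http_post_form):
    """Return (ok, reason). Any error or unexpected answer counts as a failure."""
    if not token:
        return False, "missing g-recaptcha-response"
    try:
        result = post(VERIFY_URL, {"secret": secret, "response": token})
    except (OSError, ValueError) as exc:  # network failure or malformed JSON
        return False, "verification unavailable: %s" % exc
    if not isinstance(result, dict) or result.get("success") is not True:
        codes = result.get("error-codes", []) if isinstance(result, dict) else []
        return False, "rejected: " + ",".join(map(str, codes))
    # A token solved on another site must not be accepted for this one.
    if result.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % result.get("hostname")
    return True, "ok"


# Constructed verification replies, keyed by token, so the example runs offline.
SAMPLE_REPLIES = {
    "good-token": {"success": True, "hostname": "is.wso2.com"},
    "other-site": {"success": True, "hostname": "example.test"},
    "replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def fake_post(url, fields):
    """Hypothetical stand-in for http_post_form that never touches the network."""
    if fields["response"] == "down":
        raise OSError("connection refused")
    return SAMPLE_REPLIES[fields["response"]]


if __name__ == "__main__":
    for tok in ("good-token", "other-site", "replayed", "down", ""):
        print(repr(tok), verify_recaptcha(tok, "<your site secret key>", "is.wso2.com", post=fake_post))
```

Dropping the post argument makes the same function call the real verification URL; the secret key is only ever sent from the server and never placed in the page.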
Follow the steps below to configure this.
Configuring reCAPTCHA API keys
Register your identity server domain.
Visit  https://www.google.com/recaptcha/admin.
Provide the following details and click Submit.
| Field | Description | Sample |
|---|---|---|
| Label | This is a label to identify the site. | WSO2 Identity Server |
| reCAPTCHA type | This is the type of the reCaptcha. | Select either of the following: reCAPTCHA v2 > "I'm not a robot" Checkbox, or reCAPTCHA v2 > Invisible reCAPTCHA badge |
| Domains | This defines the domain and the subdomains to which this registration applies. | is.wso2.com |
Click Submit.
Note that a site key and secret key get generated. Copy them for later use.
Open the captcha-config.properties file located in the <IS_HOME>/repository/conf/identity/ directory and configure the following properties.

    # Google reCAPTCHA settings

    # Enable Google reCAPTCHA
    recaptcha.enabled=true

    # reCaptcha API URL
    recaptcha.api.url=https://www.google.com/recaptcha/api.js

    # reCaptcha verification URL
    recaptcha.verify.url=https://www.google.com/recaptcha/api/siteverify

    # reCaptcha site key
    recaptcha.site.key=<your site key>

    # reCaptcha secret key
    recaptcha.secret.key=<your site secret key>

Restart WSO2 Identity Server.
You have successfully set up reCaptcha for your site. You can now configure reCaptcha with any of the following:
- Configuring Google reCaptcha for self registration
- Configuring Google reCaptcha for security-question based password recovery (password recovery with secret questions)