reCAPTCHA is a free service provided by Google that can be used to protect against spam or other forms of internet abuse by verifying whether a user is a human or a robot. It comes in the form of a widget.

Let's learn how to set up and use reCaptcha with WSO2 Identity Server.

How it works

First, you will need to register and create an API key pair for the required domain. The key pair consists of a site key and site secret. The site key is used to display the reCaptcha widget on a web page. After the verification, a new parameter called g-recaptcha-response appears on the form, which can be submitted by the user. From the server side, you can verify the submitted captcha response by calling the Google API with the secret key.

Follow the steps below to configure this.

Configuring reCAPTCHA API keys

Register your identity server domain.

Visit https://www.google.com/recaptcha/admin.

Provide the following details and click Submit.

Field	Description	Sample
Lable	This is a label to identify the site.	`WSO2 Identity Server`
reCAPTCHA type	This is the type of the reCaptcha. Select	Select either of the following reCAPTCHA v2 > "I'm not a robot" Checkbox recCAPTCHA v2 > Invisible reCAPTCHA badge
Domains	This defines the domain and the subdomains to which this registration applies to.	`is.wso2.com`

Click Submit.

Note that a site key and secret key get generated. Copy them for later use.

Open the captcha-config.properties file located in the <IS_HOME>/repository/conf/identity/ directory and configure the following properties.

# Google reCAPTCHA settings

# Enable Google reCAPTCHA
recaptcha.enabled=true

# reCaptcha API URL
recaptcha.api.url=https://www.google.com/recaptcha/api.js

# reCaptcha verification URL
recaptcha.verify.url=https://www.google.com/recaptcha/api/siteverify

# reCaptcha site key
recaptcha.site.key=<your site key>

# reCaptcha secret key
recaptcha.secret.key=<your site secret key>

Restart WSO2 Identity Server.

You have successfully set up reCaptcha for your site. You can now configure reCaptcha with any of the following:

Note

If you apply the WUM update released on the 25th of September 2018 for WSO2 IS 5.5.0, you can configure reCAPTCHA for the following account recovery scenarios as well:

Browser not supported