Keycloak Login Recaptcha
Keycloak supports reCAPTCHA in the registration flow but not, at this time, in the login flow. This repository therefore implements a conditional reCAPTCHA execution for the login flow. Conditional means that when anyone tries to log in to an already registered account with a wrong password, the reCAPTCHA is shown. The number of failures before the reCAPTCHA appears (Max Login Failures) is configurable. To accomplish this, I extended the built-in Keycloak `UsernamePasswordForm` execution.
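As an added illustration (this is not the repository's code), the following sketch shows how a conditional authenticator of this kind can be built on top of Keycloak's `UsernamePasswordForm`: once the account's login-failure counter reaches Max Login Failures, a verified reCAPTCHA token is demanded before the password is checked at all, and the error re-render of the login page is told to show the widget. The package, class name, config keys, the `recaptchaFailed` message key and the two template attributes (`recaptchaRequired`, `recaptchaSiteKey`) are assumptions; `UsernamePasswordForm`, `g-recaptcha-response` and the `siteverify` endpoint are the real Keycloak and Google names. It assumes brute force detection is enabled in the realm, because that is what maintains the per-user failure counter, and the `javax.ws.rs` imports assume a pre-Quarkus Keycloak (newer releases use the `jakarta` namespace).

```java
// Added example, not the repository's code. Package, class, config keys and
// template attribute names are assumptions; see the lead-in above.
package example.keycloak;

import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.UserLoginFailureModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.util.JsonSerialization;

public class ConditionalRecaptchaForm extends UsernamePasswordForm {

    // Config keys behind the three settings under Actions -> Config (assumed key names)
    static final String MAX_FAILURES = "max.login.failures";
    static final String SITE_KEY = "recaptcha.site.key";
    static final String SITE_SECRET = "recaptcha.secret";
    // Google's names: the hidden field the widget fills in, and the server-side verify endpoint
    static final String RECAPTCHA_RESPONSE = "g-recaptcha-response";
    static final String VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";
    // Auth-session note telling challenge() to render the widget. It lives in the session
    // because the factory hands out one shared authenticator instance, so no per-request fields.
    static final String NOTE_SHOW_CAPTCHA = "recaptcha.show";

    @Override
    protected boolean validateForm(AuthenticationFlowContext context, MultivaluedMap<String, String> formData) {
        Map<String, String> config = context.getAuthenticatorConfig().getConfig();
        int max = Integer.parseInt(config.getOrDefault(MAX_FAILURES, "3"));

        // Only registered users have a failure counter; unknown usernames fall through to the
        // normal form validation unchanged.
        UserModel user = KeycloakModelUtils.findUserByNameOrEmail(
                context.getSession(), context.getRealm(), formData.getFirst("username"));
        int failures = user == null ? 0 : failureCount(context, user);

        if (user != null && failures >= max) {
            // Threshold reached: a verified token is mandatory before the password is even
            // looked at, so a bot cannot keep guessing this account's password for free.
            context.getAuthenticationSession().setAuthNote(NOTE_SHOW_CAPTCHA, "true");
            String token = formData.getFirst(RECAPTCHA_RESPONSE);
            if (token == null || token.isEmpty() || !verifyWithGoogle(context, config.get(SITE_SECRET), token)) {
                context.getEvent().error("recaptcha_failed");   // visible in the realm's login events
                context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                        challenge(context, "recaptchaFailed", RECAPTCHA_RESPONSE));
                return false;
            }
        } else if (user != null && failures + 1 >= max) {
            // This attempt crosses the threshold if it fails: arm the widget now so the failure
            // form rendered by the parent class already carries it.
            context.getAuthenticationSession().setAuthNote(NOTE_SHOW_CAPTCHA, "true");
        } else {
            context.getAuthenticationSession().removeAuthNote(NOTE_SHOW_CAPTCHA);
        }
        return super.validateForm(context, formData);
    }

    // Hook the parent class uses for every error re-render of the login page
    @Override
    protected Response challenge(AuthenticationFlowContext context, String error, String field) {
        LoginFormsProvider form = context.form().setExecution(context.getExecution().getId());
        if (error != null) {
            if (field != null) form.addError(new FormMessage(field, error));
            else form.setError(error);
        }
        if ("true".equals(context.getAuthenticationSession().getAuthNote(NOTE_SHOW_CAPTCHA))) {
            // The modified login.ftl is assumed to test these two attributes (assumed names)
            form.setAttribute("recaptchaRequired", true)
                .setAttribute("recaptchaSiteKey", context.getAuthenticatorConfig().getConfig().get(SITE_KEY));
        }
        return createLoginForm(form);
    }

    private static int failureCount(AuthenticationFlowContext context, UserModel user) {
        // session.loginFailures() is the Keycloak 13+ API; older servers expose the same
        // UserLoginFailureModel via session.sessions().getUserLoginFailure(realm, userId)
        UserLoginFailureModel f = context.getSession().loginFailures()
                .getUserLoginFailure(context.getRealm(), user.getId());
        return f == null ? 0 : f.getNumFailures();
    }

    private static boolean verifyWithGoogle(AuthenticationFlowContext context, String secret, String token) {
        HttpClient client = context.getSession().getProvider(HttpClientProvider.class).getHttpClient();
        HttpPost post = new HttpPost(VERIFY_URL);
        try {
            post.setEntity(new UrlEncodedFormEntity(Arrays.asList(
                    new BasicNameValuePair("secret", secret),
                    new BasicNameValuePair("response", token),
                    new BasicNameValuePair("remoteip", context.getConnection().getRemoteAddr())), "UTF-8"));
            String body = EntityUtils.toString(client.execute(post).getEntity());
            Map<?, ?> json = JsonSerialization.readValue(body, Map.class);
            return Boolean.TRUE.equals(json.get("success"));
        } catch (IOException e) {
            return false;   // fail closed: a verification outage must not lift the captcha
        }
    }
}
```

The matching `AuthenticatorFactory` (omitted here) would extend `UsernamePasswordFormFactory`, return this class from `create`, and declare the three settings as `ProviderConfigProperty` entries so they appear under Actions -> Config. Two points of the design matter for security: the token check runs on the server-side counter rather than on anything the browser sent, so a fresh browser session against a locked-down account still gets the captcha, and verification failures (network errors included) fail closed.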
Build With & Deploy To Keycloak
- This extension uses Gradle for compilation. To compile, navigate to the repository and run:
  `./gradlew clean assemble`
  Note: the output is located at `build/libs/recaptcha-authenticator-1.0.jar`.
- Copy the output jar to Keycloak's deployment folder for hot deployment.
Keycloak Configuration With Admin Console
- Some changes must be made in the theme. Assuming you don't have a custom theme (i.e. you are using the Keycloak theme), you can edit the base theme (the recommendation is to create your own theme). We have already modified the `login.ftl` file; you can copy it directly over `keycloak/themes/base/login/login.ftl`. If a custom theme is in use, diff our `login.ftl` against `keycloak/themes/base/login/login.ftl` and apply the changes to your custom `login.ftl`.
- Add config to the Recaptcha execution by clicking `Actions -> Config`:
  - Max Login Failures: how many failures before the reCAPTCHA is shown.
  - Recaptcha Site Key: Google reCAPTCHA site key.
  - Recaptcha Secret: Google reCAPTCHA secret.
- Navigate to `Realm Settings -> Security Defenses`. Set `X-Frame-Options` to `ALLOW-FROM https://www.google.com` and `Content-Security-Policy` to `frame-src 'self' https://www.google.com; frame-ancestors 'self'; object-src 'none';`. (Current browsers ignore `ALLOW-FROM`; it is the `frame-src` directive that actually permits the widget's Google iframe.)
- Enable brute force detection. See the Keycloak documentation for details. If you already did that, no action is needed.
Usage
There may be situations that require asking for a reCAPTCHA whenever a login attempt for an account fails, for example to stop an attacker from guessing that account's password with a bot.
Acknowledgments
The raptor-group repository helped me get here. If no condition is needed, you can use it as well.