> First we need to register at [2] and create an API key pair for the
> required domain.

Should a product user generate their own key pair and configure the product prior to using reCaptcha?

Regards,
Omindu.

On Tue, Jun 7, 2016 at 11:33 PM, Thanuja Jayasinghe <[email protected]> wrote:

> Hi All,
>
> I'm working on $subject.
>
> *Why reCaptcha?*
>
> *"reCAPTCHA is a free service that protects your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on your site. It does this while letting your valid users pass through with ease." -Google[1]*
>
> *How does reCaptcha work?*
>
> First we need to register at [2] and create an API key pair for the required domain. The key pair consists of a site key and a secret. The site key is used when we display the reCaptcha widget on a page. After verification, a new parameter called 'g-recaptcha-response' will be available in the form which the user submits. From the server side we can verify that reCaptcha response by calling the Google API with the secret key.
>
> *Where are we going to use reCaptcha?*
>
> Basically any place which can be vulnerable to bot attacks:
>
> 1. SSO login flow
> 2. User recovery flows
> 3. User registration flow
>
> *Implementation*
>
> Conditions to enable reCaptcha are different from one scenario to another. As an example, user registration may enable reCaptcha by default, but the SSO login page may enable it after n failed attempts from a single user. Also reCaptcha requirements may be different from one tenant to another.
>
> So we have introduced a filter called "ReCaptchaFilter" to intercept requests and pass them to a reCaptcha connector which can handle a particular scenario. The connector will provide the following information to the filter:
>
> - Whether the connector can handle the request
> - Priority of the connector
> - Whether the reCaptcha verification is needed for the current request
> - Whether that attempt is successful or not
>
> Based on the above information the filter will select a connector which can handle the incoming request and will validate reCaptcha if needed.
>
> Also, to keep this in a stateless manner, IS will do the following:
>
> - Evaluate the need for reCaptcha at the server side
> - Inform and provide the necessary data to the pages if the server is expecting reCaptcha validation
>
> *OOTB Connectors*
>
> IS will provide two reCaptcha connectors OOTB as "SSOLoginReCaptchaConnector" and "PathBasedReCaptchaConnector", which implement the "ReCaptchaConnector" interface. These connectors also implement "IdentityGovernanceConnector" to enable UI based configuration management.
>
> SSOLoginReCaptchaConnector - Can enable reCaptcha after n number of failed attempts from a single user. This connector does not depend on the user agent and will take the sum of failed attempts from any agent.
> PathBasedReCaptchaConnector - Can validate reCaptcha for a request path. This will always validate reCaptcha for a given request path.
>
> Appreciate your input.
>
> [1] - https://developers.google.com/recaptcha/intro
> [2] - https://www.google.com/recaptcha/admin
>
> Thanks,
> Thanuja
>
> --
> *Thanuja Lakmal*
> Senior Software Engineer
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891 +94758009992
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Omindu Rathnaweera
Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
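The thread describes two things: the server-side check of 'g-recaptcha-response' with the secret key, and a ReCaptchaFilter that picks a ReCaptchaConnector by priority and asks it whether verification is needed. The following is an added example written for this page, not WSO2 Identity Server code; the class names mirror the thread, but the method names, the "/commonauth" login path, the siteverify endpoint (Google's standard reCAPTCHA verification URL, which the thread does not name), the failed-attempt threshold and the sample requests are all assumptions. The `post` argument lets the verification transport be swapped for an offline stand-in, which is how the sample run below works without network access.

```python
"""Added example (not WSO2 Identity Server code): a small model of the
ReCaptchaFilter / ReCaptchaConnector design from the thread, plus the
server-side check of 'g-recaptcha-response' with the secret key."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

# Assumption: Google's standard reCAPTCHA verification endpoint. It takes a
# form-encoded 'secret' and 'response' and answers with a JSON object.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


@dataclass
class Request:
    """Constructed stand-in for an incoming servlet request."""
    path: str
    user: str
    params: dict = field(default_factory=dict)
    tenant: str = "carbon.super"


def http_post(url, data):
    """Real transport: form-encoded POST, JSON back (needs network)."""
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(url, body, timeout=5) as resp:
        return json.loads(resp.read().decode())


def fake_post(url, data):
    """Constructed offline stand-in for Google: one token is accepted."""
    return {"success": data.get("response") == "good-token"}


def verify_recaptcha(secret, token, post=http_post):
    """Server-side verification: an empty token is rejected without a round
    trip, and only an explicit 'success': true from the API is trusted."""
    if not token:
        return False
    answer = post(SITEVERIFY_URL, {"secret": secret, "response": token})
    return answer.get("success") is True


class ReCaptchaConnector:
    """What the filter asks a connector: can it handle the request, at what
    priority, is verification needed, and (reported back) did the attempt
    succeed, so the connector can maintain its own counters."""
    priority = 0

    def can_handle(self, req):
        raise NotImplementedError

    def needs_verification(self, req):
        raise NotImplementedError

    def record_attempt(self, req, success):
        pass


class SSOLoginReCaptchaConnector(ReCaptchaConnector):
    """Requires reCaptcha after max_failed failed logins for one user. The
    counter is keyed by (tenant, user), never by user agent, so attempts
    from any agent add up as the thread describes."""
    priority = 10

    def __init__(self, max_failed=3):
        self.max_failed = max_failed
        self.failed = {}  # (tenant, user) -> failed attempt count

    def can_handle(self, req):
        return req.path == "/commonauth"  # assumed SSO login path

    def needs_verification(self, req):
        return self.failed.get((req.tenant, req.user), 0) >= self.max_failed

    def record_attempt(self, req, success):
        key = (req.tenant, req.user)
        if success:
            self.failed.pop(key, None)  # a good login resets the count
        else:
            self.failed[key] = self.failed.get(key, 0) + 1


class PathBasedReCaptchaConnector(ReCaptchaConnector):
    """Always requires reCaptcha on the configured request paths."""
    priority = 5

    def __init__(self, paths):
        self.paths = set(paths)

    def can_handle(self, req):
        return req.path in self.paths

    def needs_verification(self, req):
        return True


class ReCaptchaFilter:
    def __init__(self, connectors, secret, site_key, post=http_post):
        # Highest priority first; the first connector that can handle wins.
        self.connectors = sorted(connectors, key=lambda c: c.priority, reverse=True)
        self.secret, self.site_key, self.post = secret, site_key, post

    def select(self, req):
        return next((c for c in self.connectors if c.can_handle(req)), None)

    def page_data(self, req):
        """Stateless hint for the page: the server decides whether the widget
        must be shown and hands over only the public site key."""
        c = self.select(req)
        required = c is not None and c.needs_verification(req)
        return {"captcha_required": required,
                "site_key": self.site_key if required else None}

    def do_filter(self, req):
        """Returns (allowed, reason); False blocks the request before the
        authenticator runs."""
        c = self.select(req)
        if c is None or not c.needs_verification(req):
            return True, "captcha-not-required"
        token = req.params.get("g-recaptcha-response")
        if verify_recaptcha(self.secret, token, self.post):
            return True, "captcha-verified"
        return False, "captcha-failed"
```

In a deployment the filter would be built with `http_post`; `fake_post` exists only so the flow can be exercised offline. Note that the secret key never leaves the server: `page_data` exposes only the site key, and only once the selected connector has decided a challenge is due.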
