Merge pull request #10 from sebix/patch-1

doc: set maximum length limit of h-captcha-response

README.md

@@ -1,32 +1,36 @@
 # keycloak-hcaptcha
 
+> I am currently not adding any new features, updates or fixes. Feel free to open a PR!
+
 To safeguard registration against bots, Keycloak has integration with Google reCAPTCHA. This provides similar functionality, but with a more privacy friendly provider named hCaptcha. The code is based on the vanilla implementation of reCAPTCHA in Keycloak.
 
 ## Installation
 
-Download the newest release JAR (or comile it yourself) and drop it into `your_keycloak_installation/standalone/deployments`
+Download the newest release JAR (or compile it yourself - see below) and drop it into `your_keycloak_installation/providers`
 
-There are a few steps you need to perform in the Keycloak Admin Console. Click the Authentication left menu item and go to the Flows tab. Select the Registration flow from the drop down list on this page.
+There are a few steps you need to perform in the Keycloak Admin Console.
+
+### Registration Flow
+Click the Authentication left menu item and go to the Flows tab. Select the Registration flow from the drop down list on this page.
 
-Registration Flow
 ![Step 1](img/step-01.png)
 Make copy of the Registration flow, and add the hCaptcha execution to the Registration Form.
 
-hCaptcha Registration Flow
 ![Step 2](img/step-02.png)
 Set the 'hCaptcha' requirement to Required by clicking the appropriate radio button. This will enable hCaptcha on the screen. Next, you have to enter in the hCaptcha site key and secret that you generated at the hCaptcha.com Website. Click on the 'Actions' button that is to the right of the hCaptcha flow entry, then "Config" link, and enter in the hCaptcha site key and secret on this config page.
 
-hCaptcha Config Page
 ![Step 3](img/step-03.png)
 
-Now you have to do is to change some default HTTP response headers that Keycloak sets. Keycloak will prevent a website from including any login page within an iframe. This is to prevent clickjacking attacks. You need to authorize hCaptcha to use the registration page within an iframe. Go to the Realm Settings left menu item and then go to the Security Defenses tab. You will need to add https://newassets.hcaptcha.com to the values of both the X-Frame-Options and Content-Security-Policy headers.
+### Authorizing Iframes
+
+Now, change some default HTTP response headers that Keycloak sets. Keycloak will prevent a website from including any login page within an iframe. This is to prevent clickjacking attacks. You need to authorize hCaptcha to use the registration page within an iframe. Go to the Realm Settings left menu item and then go to the Security Defenses tab. You will need to add https://newassets.hcaptcha.com to the value of the Content-Security-Policy headers. In the image they are also in the X-Frame-Options, but this is not needed (you can ignore it).
 
-Authorizing Iframes
 ![Step 4](img/step-04.png)
 
-To show the hCaptcha you need to modify the registration template. You can find the files in your Keycloak installation under `themes/base/login/`. If you use the user profile preview (you start your Keycloak with the `-Dkeycloak.profile=preview` flag), you need to edit the `register-user-profile.ftl`, else the `register.ftl`. Add the following code beneith the reCaptcha code:
+### Registration Template
+To show the hCaptcha you need to modify the registration template. You can find the files in your Keycloak installation under `themes/base/login/`. If you use the user profile preview (you start your Keycloak with the `-Dkeycloak.profile=preview` flag), you need to edit the `register-user-profile.ftl`, else the `register.ftl`. Add the following code beneath the reCaptcha code:
 
-```
+```html
 <#if hcaptchaRequired??>
     <div class="form-group">
         <div class="${properties.kcInputWrapperClass!}">
@@ -36,13 +40,39 @@ To show the hCaptcha you need to modify the registration template. You can find
 </#if>
 ```
 
-Registration Template
 ![Step 5](img/step-05.png)
 
-In the last step you have to change the registration flow to the newly created one and save. Once you do this, the hCaptcha shows on the registration page and protects your site from bots!
+### Authentication Bindings
+
+You have to change the registration flow to the newly created one and save it. Once you do this, the hCaptcha shows on the registration page and protects your site from bots!
 
-Authentication Bindings
 ![Step 6](img/step-06.png)
 
+### hCaptcha Response attribute validator
+
+As the last step, go to *Realm Settings* > *User profile* and create a new attribute `h-captcha-response` and add a validator with type `length`. Set the minimum size to 0 and the maximum size to 4096.
+
+Otherwise Keycloak will reject hcaptcha responses longer than 2048 characters.
+
+## Compiling it yourself
+
+Clone the repository:
+
+```bash
+git clone https://github.com/p08dev/keycloak-hcaptcha.git
+```
+
+Inside the repository, compile it using Maven with Java 17:
+
+```bash
+mvn clean compile package
+```
+
+You can instruct Maven to use a specific Java version by prepending the JAVA_HOME environment variable:
+
+```bash
+JAVA_HOME=/usr/lib/jvm/java-17-oracle/ mvn clean compile package
+```
+
 ## © License
 [MIT](LICENSE)

pom.xml

@@ -2,45 +2,63 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>de.itrupp.p8</groupId>
   <artifactId>keycloak-hcaptcha</artifactId>
-  <version>1.0.0</version>
+  <version>1.0.1</version>
   <name>Registration Authenitcation Execution Provider for hCaptcha</name>
   <description>hCaptcha protects your users' privacy, rewards websites and helps businesses annotate their data. It's a 'drop in' replacement for reCAPTCHA that you set up in minutes.</description>
   <packaging>jar</packaging>
- 
+
   <properties>
-	<version.keycloak>15.0.2</version.keycloak>
+    <version.keycloak>22.0.5</version.keycloak>
-    <maven.compiler.source>11</maven.compiler.source>
+    <maven.compiler.source>17</maven.compiler.source>
-    <maven.compiler.target>11</maven.compiler.target>
+    <maven.compiler.target>17</maven.compiler.target>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
   </properties>
-  
+
+  <dependencyManagement>
+      <dependencies>
+          <dependency>
+              <groupId>org.keycloak</groupId>
+              <artifactId>keycloak-parent</artifactId>
+              <version>${version.keycloak}</version>
+              <type>pom</type>
+              <scope>import</scope>
+          </dependency>
+      </dependencies>
+  </dependencyManagement>
+
   <dependencies>
-        <dependency>
+      <dependency>
-            <groupId>org.keycloak</groupId>
+          <groupId>org.keycloak</groupId>
-            <artifactId>keycloak-core</artifactId>
+          <artifactId>keycloak-core</artifactId>
-            <version>${version.keycloak}</version>
+          <scope>provided</scope>
-            <scope>provided</scope>
+      </dependency>
-        </dependency>
+      <dependency>
-        <dependency>
+          <groupId>org.keycloak</groupId>
-            <groupId>org.keycloak</groupId>
+          <artifactId>keycloak-server-spi</artifactId>
-            <artifactId>keycloak-server-spi</artifactId>
+          <scope>provided</scope>
-            <version>${version.keycloak}</version>
+      </dependency>
-            <scope>provided</scope>
+      <dependency>
-        </dependency>
+          <groupId>org.keycloak</groupId>
-        <dependency>
+          <artifactId>keycloak-server-spi-private</artifactId>
-            <groupId>org.keycloak</groupId>
+          <scope>provided</scope>
-            <artifactId>keycloak-server-spi-private</artifactId>
+      </dependency>
-            <version>${version.keycloak}</version>
+      <dependency>
-            <scope>provided</scope>
+          <groupId>org.keycloak</groupId>
-        </dependency>
+          <artifactId>keycloak-services</artifactId>
-        <dependency>
+          <scope>provided</scope>
-            <groupId>org.keycloak</groupId>
+      </dependency>
-            <artifactId>keycloak-services</artifactId>
+      <dependency>
-            <version>${version.keycloak}</version>
+          <groupId>org.apache.httpcomponents</groupId>
-            <scope>provided</scope>
+          <artifactId>httpcore</artifactId>
-        </dependency>
+          <scope>provided</scope>
+      </dependency>
+      <dependency>
+          <groupId>org.apache.httpcomponents</groupId>
+          <artifactId>httpclient</artifactId>
+          <scope>provided</scope>
+      </dependency>
   </dependencies>
   <build>
       <finalName>${project.artifactId}</finalName>
   </build>
-</project>
+</project>

src/main/java/de/itrupp/p8/keycloak/authenticator/RegistrationhCaptcha.java

@@ -25,7 +25,7 @@ import org.keycloak.services.messages.Messages;
 import org.keycloak.services.validation.Validation;
 import org.keycloak.util.JsonSerialization;
 
-import javax.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.MultivaluedMap;
 
 import java.io.InputStream;
 import java.util.ArrayList;
@@ -38,74 +38,74 @@ public class RegistrationhCaptcha implements FormAction, FormActionFactory {
     public static final String HCAPTCHA_REFERENCE_CATEGORY = "hcaptcha";
     public static final String SITE_KEY = "site.key";
     public static final String SITE_SECRET = "secret";
-    
+
     public static final String PROVIDER_ID = "registration-hcaptcha-action";
 
-	@Override
+    @Override
-	public void close() {
+    public void close() {
-		
-	}
 
-	@Override
+    }
-	public FormAction create(KeycloakSession session) {
-		return this;
-	}
 
-	@Override
+    @Override
-	public void init(Scope config) {
+    public FormAction create(KeycloakSession session) {
-		
+        return this;
-	}
+    }
 
-	@Override
+    @Override
-	public void postInit(KeycloakSessionFactory factory) {
+    public void init(Scope config) {
-		
-	}
 
-	@Override
+    }
-	public String getId() {
-		return PROVIDER_ID;
-	}
 
-	@Override
+    @Override
-	public String getDisplayType() {
+    public void postInit(KeycloakSessionFactory factory) {
-		return "hCaptcha";
-	}
 
-	@Override
+    }
-	public String getReferenceCategory() {
-		return HCAPTCHA_REFERENCE_CATEGORY;
-	}
 
-	@Override
+    @Override
-	public boolean isConfigurable() {
+    public String getId() {
-		return true;
+        return PROVIDER_ID;
-	}
+    }
 
-	private static AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
+    @Override
+    public String getDisplayType() {
+        return "hCaptcha";
+    }
+
+    @Override
+    public String getReferenceCategory() {
+        return HCAPTCHA_REFERENCE_CATEGORY;
+    }
+
+    @Override
+    public boolean isConfigurable() {
+        return true;
+    }
+
+    private static AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
             AuthenticationExecutionModel.Requirement.REQUIRED,
             AuthenticationExecutionModel.Requirement.DISABLED
     };
-	@Override
+    @Override
-	public Requirement[] getRequirementChoices() {
+    public Requirement[] getRequirementChoices() {
-		return REQUIREMENT_CHOICES;
+        return REQUIREMENT_CHOICES;
-	}
+    }
 
-	@Override
+    @Override
-	public boolean isUserSetupAllowed() {
+    public boolean isUserSetupAllowed() {
-		return false;
+        return false;
-	}
+    }
 
-	@Override
+    @Override
-	public String getHelpText() {
+    public String getHelpText() {
-		return "Adds hCaptcha button.  hCaptchas verify that the entity that is registering is a human.  This can only be used on the internet and must be configured after you add it.";
+        return "Adds hCaptcha button.  hCaptchas verify that the entity that is registering is a human.  This can only be used on the internet and must be configured after you add it.";
-	}
+    }
-	
 
-	@Override
+
-	public void buildPage(FormContext context, LoginFormsProvider form) {
+    @Override
+    public void buildPage(FormContext context, LoginFormsProvider form) {
         AuthenticatorConfigModel captchaConfig = context.getAuthenticatorConfig();
         String userLanguageTag = context.getSession().getContext().resolveLocale(context.getUser()).toLanguageTag();
-        
+
         if (captchaConfig == null || captchaConfig.getConfig() == null
                 || captchaConfig.getConfig().get(SITE_KEY) == null
                 || captchaConfig.getConfig().get(SITE_SECRET) == null
@@ -113,18 +113,18 @@ public class RegistrationhCaptcha implements FormAction, FormActionFactory {
             form.addError(new FormMessage(null, Messages.RECAPTCHA_NOT_CONFIGURED));
             return;
         }
-        
+
         String siteKey = captchaConfig.getConfig().get(SITE_KEY);
         String compact = captchaConfig.getConfig().get("compact");
         form.setAttribute("hcaptchaRequired", true);
         form.setAttribute("hcaptchaCompact", compact);
         form.setAttribute("hcaptchaSiteKey", siteKey);
         form.addScript("https://js.hcaptcha.com/1/api.js?hl=" + userLanguageTag);
-		
-	}
 
-	@Override
+    }
-	public void validate(ValidationContext context) {
+
+    @Override
+    public void validate(ValidationContext context) {
 
         MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
         List<FormMessage> errors = new ArrayList<>();
@@ -149,9 +149,9 @@ public class RegistrationhCaptcha implements FormAction, FormActionFactory {
             return;
 
         }
-		
+
-	}
+    }
-	
+
 
     protected boolean validateRecaptcha(ValidationContext context, boolean success, String captcha, String secret) {
         CloseableHttpClient httpClient = context.getSession().getProvider(HttpClientProvider.class).getHttpClient();
@@ -167,7 +167,7 @@ public class RegistrationhCaptcha implements FormAction, FormActionFactory {
                 InputStream content = response.getEntity().getContent();
                 try {
                     @SuppressWarnings("rawtypes")
-					Map json = JsonSerialization.readValue(content, Map.class);
+                    Map json = JsonSerialization.readValue(content, Map.class);
                     Object val = json.get("success");
                     success = Boolean.TRUE.equals(val);
                 } finally {
@@ -180,25 +180,25 @@ public class RegistrationhCaptcha implements FormAction, FormActionFactory {
         return success;
     }
 
-	@Override
+    @Override
-	public void success(FormContext context) {
+    public void success(FormContext context) {
-		
-	}
 
-	@Override
+    }
-	public boolean requiresUser() {
-		return false;
-	}
 
-	@Override
+    @Override
-	public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
+    public boolean requiresUser() {
-		return true;
+        return false;
-	}
+    }
 
-	@Override
+    @Override
-	public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
+    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
-		
+        return true;
-	}
+    }
+
+    @Override
+    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
+
+    }
 
     private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<ProviderConfigProperty>();
 
@@ -224,9 +224,9 @@ public class RegistrationhCaptcha implements FormAction, FormActionFactory {
         CONFIG_PROPERTIES.add(property);
     }
 
-	@Override
+    @Override
-	public List<ProviderConfigProperty> getConfigProperties() {
+    public List<ProviderConfigProperty> getConfigProperties() {
-		return CONFIG_PROPERTIES;
+        return CONFIG_PROPERTIES;
-	}
+    }
 
 }