first commit

.gitignore

@@ -0,0 +1,5 @@
+.DS_Store
+.settings
+target
+.classpath
+.project

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Patrick D. Rupp
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,48 @@
+# keycloak-hcaptcha
+
+To safeguard registration against bots, Keycloak has integration with Google reCAPTCHA. This provides similar functionality, but with a more privacy friendly provider named hCaptcha. The code is based on the vanilla implementation of reCAPTCHA in Keycloak.
+
+## Installation
+
+Download the newest release JAR (or comile it yourself) and drop it into `your_keycloak_installation/standalone/deployments`
+
+There are a few steps you need to perform in the Keycloak Admin Console. Click the Authentication left menu item and go to the Flows tab. Select the Registration flow from the drop down list on this page.
+
+Registration Flow
+![Step 1](img/step-01.png)
+Make copy of the Registration flow, and add the hCaptcha execution to the Registration Form.
+
+hCaptcha Registration Flow
+![Step 2](img/step-02.png)
+Set the 'hCaptcha' requirement to Required by clicking the appropriate radio button. This will enable hCaptcha on the screen. Next, you have to enter in the hCaptcha site key and secret that you generated at the hCaptcha.com Website. Click on the 'Actions' button that is to the right of the hCaptcha flow entry, then "Config" link, and enter in the hCaptcha site key and secret on this config page.
+
+hCaptcha Config Page
+![Step 3](img/step-03.png)
+
+Now you have to do is to change some default HTTP response headers that Keycloak sets. Keycloak will prevent a website from including any login page within an iframe. This is to prevent clickjacking attacks. You need to authorize hCaptcha to use the registration page within an iframe. Go to the Realm Settings left menu item and then go to the Security Defenses tab. You will need to add https://newassets.hcaptcha.com to the values of both the X-Frame-Options and Content-Security-Policy headers.
+
+Authorizing Iframes
+![Step 4](img/step-04.png)
+
+To show the hCaptcha you need to modify the registration template. You can find the files in your Keycloak installation under `themes/base/login/`. If you use the user profile preview (you start your Keycloak with the `-Dkeycloak.profile=preview` flag), you need to edit the `register-user-profile.ftl`, else the `register.ftl`. Add the following code beneith the reCaptcha code:
+
+```
+<#if hcaptchaRequired??>
+    <div class="form-group">
+        <div class="${properties.kcInputWrapperClass!}">
+            <div class="h-captcha" data-size="<#if hcaptchaCompact?? && hcaptchaCompact=="true">compact<#else>normal</#if>" data-sitekey="${hcaptchaSiteKey}"></div>
+        </div>
+    </div>
+</#if>
+```
+
+Registration Template
+![Step 5](img/step-05.png)
+
+In the last step you have to change the registration flow to the newly created one and save. Once you do this, the hCaptcha shows on the registration page and protects your site from bots!
+
+Authentication Bindings
+![Step 6](img/step-06.png)
+
+## © License
+[MIT](LICENSE)

pom.xml

@@ -0,0 +1,46 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>de.itrupp.p8</groupId>
+  <artifactId>keycloak-hcaptcha</artifactId>
+  <version>1.0.0</version>
+  <name>Registration Authenitcation Execution Provider for hCaptcha</name>
+  <description>hCaptcha protects your users' privacy, rewards websites and helps businesses annotate their data. It's a 'drop in' replacement for reCAPTCHA that you set up in minutes.</description>
+  <packaging>jar</packaging>
+
+  <properties>
+	<version.keycloak>15.0.2</version.keycloak>
+    <maven.compiler.source>11</maven.compiler.source>
+    <maven.compiler.target>11</maven.compiler.target>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+
+  <dependencies>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-core</artifactId>
+            <version>${version.keycloak}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-server-spi</artifactId>
+            <version>${version.keycloak}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-server-spi-private</artifactId>
+            <version>${version.keycloak}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-services</artifactId>
+            <version>${version.keycloak}</version>
+            <scope>provided</scope>
+        </dependency>
+  </dependencies>
+  <build>
+      <finalName>${project.artifactId}</finalName>
+  </build>
+</project>

src/main/java/de/itrupp/p8/keycloak/authenticator/RegistrationhCaptcha.java

@@ -0,0 +1,232 @@
+package de.itrupp.p8.keycloak.authenticator;
+
+import org.apache.http.NameValuePair;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.message.BasicNameValuePair;
+import org.apache.http.util.EntityUtils;
+import org.keycloak.Config.Scope;
+import org.keycloak.authentication.FormAction;
+import org.keycloak.authentication.FormActionFactory;
+import org.keycloak.authentication.FormContext;
+import org.keycloak.authentication.ValidationContext;
+import org.keycloak.connections.httpclient.HttpClientProvider;
+import org.keycloak.events.Details;
+import org.keycloak.events.Errors;
+import org.keycloak.forms.login.LoginFormsProvider;
+import org.keycloak.models.*;
+import org.keycloak.models.AuthenticationExecutionModel.Requirement;
+import org.keycloak.models.utils.FormMessage;
+import org.keycloak.provider.ProviderConfigProperty;
+import org.keycloak.services.ServicesLogger;
+import org.keycloak.services.messages.Messages;
+import org.keycloak.services.validation.Validation;
+import org.keycloak.util.JsonSerialization;
+
+import javax.ws.rs.core.MultivaluedMap;
+
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+
+public class RegistrationhCaptcha implements FormAction, FormActionFactory {
+    public static final String H_CAPTCHA_RESPONSE = "h-captcha-response";
+    public static final String HCAPTCHA_REFERENCE_CATEGORY = "hcaptcha";
+    public static final String SITE_KEY = "site.key";
+    public static final String SITE_SECRET = "secret";
+
+    public static final String PROVIDER_ID = "registration-hcaptcha-action";
+
+	@Override
+	public void close() {
+
+	}
+
+	@Override
+	public FormAction create(KeycloakSession session) {
+		return this;
+	}
+
+	@Override
+	public void init(Scope config) {
+
+	}
+
+	@Override
+	public void postInit(KeycloakSessionFactory factory) {
+
+	}
+
+	@Override
+	public String getId() {
+		return PROVIDER_ID;
+	}
+
+	@Override
+	public String getDisplayType() {
+		return "hCaptcha";
+	}
+
+	@Override
+	public String getReferenceCategory() {
+		return HCAPTCHA_REFERENCE_CATEGORY;
+	}
+
+	@Override
+	public boolean isConfigurable() {
+		return true;
+	}
+
+	private static AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
+            AuthenticationExecutionModel.Requirement.REQUIRED,
+            AuthenticationExecutionModel.Requirement.DISABLED
+    };
+	@Override
+	public Requirement[] getRequirementChoices() {
+		return REQUIREMENT_CHOICES;
+	}
+
+	@Override
+	public boolean isUserSetupAllowed() {
+		return false;
+	}
+
+	@Override
+	public String getHelpText() {
+		return "Adds hCaptcha button.  hCaptchas verify that the entity that is registering is a human.  This can only be used on the internet and must be configured after you add it.";
+	}
+
+
+	@Override
+	public void buildPage(FormContext context, LoginFormsProvider form) {
+        AuthenticatorConfigModel captchaConfig = context.getAuthenticatorConfig();
+        String userLanguageTag = context.getSession().getContext().resolveLocale(context.getUser()).toLanguageTag();
+
+        if (captchaConfig == null || captchaConfig.getConfig() == null
+                || captchaConfig.getConfig().get(SITE_KEY) == null
+                || captchaConfig.getConfig().get(SITE_SECRET) == null
+                ) {
+            form.addError(new FormMessage(null, Messages.RECAPTCHA_NOT_CONFIGURED));
+            return;
+        }
+
+        String siteKey = captchaConfig.getConfig().get(SITE_KEY);
+        String compact = captchaConfig.getConfig().get("compact");
+        form.setAttribute("hcaptchaRequired", true);
+        form.setAttribute("hcaptchaCompact", compact);
+        form.setAttribute("hcaptchaSiteKey", siteKey);
+        form.addScript("https://js.hcaptcha.com/1/api.js?hl=" + userLanguageTag);
+
+	}
+
+	@Override
+	public void validate(ValidationContext context) {
+
+        MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
+        List<FormMessage> errors = new ArrayList<>();
+        boolean success = false;
+        context.getEvent().detail(Details.REGISTER_METHOD, "form");
+
+        String captcha = formData.getFirst(H_CAPTCHA_RESPONSE);
+        if (!Validation.isBlank(captcha)) {
+            AuthenticatorConfigModel captchaConfig = context.getAuthenticatorConfig();
+            String secret = captchaConfig.getConfig().get(SITE_SECRET);
+
+            success = validateRecaptcha(context, success, captcha, secret);
+        }
+        if (success) {
+            context.success();
+        } else {
+            errors.add(new FormMessage(null, Messages.RECAPTCHA_FAILED));
+            formData.remove(H_CAPTCHA_RESPONSE);
+            context.error(Errors.INVALID_REGISTRATION);
+            context.validationError(formData, errors);
+            context.excludeOtherErrors();
+            return;
+
+        }
+
+	}
+
+
+    protected boolean validateRecaptcha(ValidationContext context, boolean success, String captcha, String secret) {
+        CloseableHttpClient httpClient = context.getSession().getProvider(HttpClientProvider.class).getHttpClient();
+        HttpPost post = new HttpPost("https://hcaptcha.com/siteverify");
+        List<NameValuePair> formparams = new LinkedList<>();
+        formparams.add(new BasicNameValuePair("secret", secret));
+        formparams.add(new BasicNameValuePair("response", captcha));
+        formparams.add(new BasicNameValuePair("remoteip", context.getConnection().getRemoteAddr()));
+        try {
+            UrlEncodedFormEntity form = new UrlEncodedFormEntity(formparams, "UTF-8");
+            post.setEntity(form);
+            try (CloseableHttpResponse response = httpClient.execute(post)) {
+                InputStream content = response.getEntity().getContent();
+                try {
+                    @SuppressWarnings("rawtypes")
+					Map json = JsonSerialization.readValue(content, Map.class);
+                    Object val = json.get("success");
+                    success = Boolean.TRUE.equals(val);
+                } finally {
+                    EntityUtils.consumeQuietly(response.getEntity());
+                }
+            }
+        } catch (Exception e) {
+            ServicesLogger.LOGGER.recaptchaFailed(e);
+        }
+        return success;
+    }
+
+	@Override
+	public void success(FormContext context) {
+
+	}
+
+	@Override
+	public boolean requiresUser() {
+		return false;
+	}
+
+	@Override
+	public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
+		return true;
+	}
+
+	@Override
+	public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
+
+	}
+
+    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<ProviderConfigProperty>();
+
+    static {
+        ProviderConfigProperty property;
+        property = new ProviderConfigProperty();
+        property.setName(SITE_KEY);
+        property.setLabel("hCaptcha Site Key");
+        property.setType(ProviderConfigProperty.STRING_TYPE);
+        property.setHelpText("hCaptcha Site Key");
+        CONFIG_PROPERTIES.add(property);
+        property = new ProviderConfigProperty();
+        property.setName(SITE_SECRET);
+        property.setLabel("hCaptcha Secret");
+        property.setType(ProviderConfigProperty.STRING_TYPE);
+        property.setHelpText("hCaptcha Secret");
+        CONFIG_PROPERTIES.add(property);
+        property = new ProviderConfigProperty();
+        property.setName("compact");
+        property.setLabel("hCaptcha Compact");
+        property.setType(ProviderConfigProperty.BOOLEAN_TYPE);
+        property.setHelpText("Compact format");
+        CONFIG_PROPERTIES.add(property);
+    }
+
+	@Override
+	public List<ProviderConfigProperty> getConfigProperties() {
+		return CONFIG_PROPERTIES;
+	}
+
+}

src/main/resources/META-INF/jboss-deployment-structure.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jboss-deployment-structure>
+    <deployment>
+        <module-alias name="deployment.keycloak-hcaptcha"/>
+        <dependencies>
+            <module name="org.keycloak.keycloak-services"/>
+        </dependencies>
+    </deployment>
+</jboss-deployment-structure>

src/main/resources/META-INF/services/org.keycloak.authentication.FormActionFactory

@@ -0,0 +1 @@
+de.itrupp.p8.keycloak.authenticator.RegistrationhCaptcha