IBM Security Verify

  • 1.  ISAM User Self Care Cookbook - facing reCAPTCHA issue

    Posted Wed July 22, 2020 12:48 PM
    Hi All,

    I have been following the ISAM MMFA cookbook and ISAM User Self care cookbook from the security learning.
    In both of the cookbooks, there are steps to configure the reCAPTCHA.

    Using the API key and API Secret generated via https://www.google.com/recaptcha/admin

    It works fine for me for ISAM MMFA Use cases. However, reCAPTCHA is not being shown at all for ISAM User Self care pages.

    The other thing I observed is that, in MMFA use cases, a separate workflow step has been configured under Authentication Policy as reCAPTCHA Verification. But there is no workflow step for the USC Lost ID policy; it is managed via script in the login page. And it's a default policy and cannot be edited.

    Any inputs or suggestions on why reCAPTCHA is not being shown on USC pages?

    Thanks in advance.

    ------------------------------
    Prashant Narkhede
    ------------------------------


  • 2.  RE: ISAM User Self Care Cookbook - facing reCAPTCHA issue

    Posted Thu July 23, 2020 04:51 AM
    Hi Prashant,

    If the reCaptcha is failing to be displayed on the web page, that seems strange as that is managed by the browser (based on the reCaptcha JavaScript in the page source).  In that case I would load the pages with browser dev tools enabled to see if you can see whether the browser attempts to load the reCaptcha and, if so, what error is being returned.

    Perhaps there is some difference in the security properties of the pages so that one is preventing the running of the reCaptcha script or the calling out to Google.  Again, browser dev tools console should tell you if that is happening.

    More usually, reCaptcha fails when trying to validate the completion. That is a back-channel call from AAC to Google.  The most common issue there is certificate issues.  Are the working (MMFA) use-case and the failing (USC) use-case both running in the same environment (i.e. same AAC runtime)?  If not, perhaps one is missing a required certificate.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: ISAM User Self Care Cookbook - facing reCAPTCHA issue

    Posted Thu July 23, 2020 05:11 AM

    Hi Jon,

    Thank you for your help.
    From the Browser Dev tool, I observed that the below error is shown.

    The resource from "https://www.mmfa.ibm.com/google/recaptcha/api.js" was blocked due to MIME type ("text/html") mismatch (X-Content-Type-Options: nosniff).

    I am playing with ISAM with various junctions and I had a junction for Google created on the same reverse proxy instance, which was blocking this api.js from being loaded.

    When I deleted the google junction, I could see the reCAPTCHA. :)



    ------------------------------
    Prashant Narkhede
    ------------------------------



  • 4.  RE: ISAM User Self Care Cookbook - facing reCAPTCHA issue

    Posted Thu July 23, 2020 06:28 AM
    Hi Prashant,

    If you had a standard junction with Google (www.google.com) as the backend server, the Reverse Proxy was probably seeing the link to https://www.google.com/recaptcha/api.js in the USC page and re-writing it to make it use the junction.  That is a standard function of the Reverse Proxy.

    By removing the junction you stopped this behaviour.  The request for api.js goes directly to Google as it should.  Problem solved.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
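The failure described in replies 3 and 4 (the reverse proxy rewriting the absolute reCAPTCHA link to a junction path, and the browser then refusing the script because the junction returned `text/html` under `X-Content-Type-Options: nosniff`) can be reproduced offline with a small diagnostic. The following is an added example written for this thread, not code from IBM, ISAM or the cookbooks. The junction table, the `/google` junction point, the page fragment and the canned HTTP responses in `FAKE_RESPONSES` are all constructed; in a real check `fake_fetch` would be replaced by an HTTP client that returns each script's `Content-Type` header and whether `nosniff` was set.

```python
import re

# Constructed junction table (hypothetical): junction point -> backend origin.
# The poster's setup had a junction fronting www.google.com on the same reverse proxy.
JUNCTIONS = {"/google": "https://www.google.com"}

# MIME type essences a browser accepts for <script> when nosniff is in effect.
JS_MIME_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "application/ecmascript", "text/jscript",
}


def rewrite_links(html, junctions):
    """Mimic a reverse proxy that rewrites absolute URLs pointing at a junctioned
    backend into junction-relative paths (the behaviour Jon describes)."""
    def repl(match):
        url = match.group(0)
        for junction, origin in junctions.items():
            if url == origin or url.startswith(origin + "/"):
                return junction + url[len(origin):]
        return url
    return re.sub(r"https?://[^\s\"'<>]+", repl, html)


def script_srcs(html):
    """Collect every <script src=...> in the (possibly rewritten) page."""
    return re.findall(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"']", html, flags=re.IGNORECASE)


def blocked_scripts(srcs, fetch):
    """Return (src, mime_essence) for each script a nosniff-honouring browser
    would refuse: nosniff set and Content-Type not a JavaScript type."""
    blocked = []
    for src in srcs:
        content_type, nosniff = fetch(src)
        essence = content_type.split(";", 1)[0].strip().lower()
        if nosniff and essence not in JS_MIME_TYPES:
            blocked.append((src, essence))
    return blocked


# Constructed responses standing in for real HTTP fetches: (Content-Type, nosniff present).
# Direct fetch from Google serves JavaScript; the junctioned path serves an HTML page.
FAKE_RESPONSES = {
    "https://www.google.com/recaptcha/api.js": ("text/javascript; charset=UTF-8", True),
    "/google/recaptcha/api.js": ("text/html; charset=UTF-8", True),
}


def fake_fetch(url):
    return FAKE_RESPONSES[url]


# Constructed stand-in for the USC page's reCAPTCHA script tag.
USC_PAGE = ('<html><head><script src="https://www.google.com/recaptcha/api.js" '
            'async defer></script></head><body></body></html>')


def diagnose(html, junctions, fetch):
    """Apply the proxy's link rewriting, then check which scripts the browser would block."""
    rewritten = rewrite_links(html, junctions)
    return blocked_scripts(script_srcs(rewritten), fetch)


if __name__ == "__main__":
    print("with /google junction:", diagnose(USC_PAGE, JUNCTIONS, fake_fetch))
    print("junction removed:    ", diagnose(USC_PAGE, {}, fake_fetch))
```

Running `diagnose` with the junction present flags `/google/recaptcha/api.js` as blocked with essence `text/html`, matching the console error in reply 3; with an empty junction table the script URL is left untouched and nothing is blocked, which is the fix in reply 4. The same check, pointed at a real fetch function, is a cheap way to confirm after any junction change that third-party scripts on ISAM-served pages still resolve to their intended origin and MIME type.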