Wednesday, October 14, 2015

Captcha Verification in User Information Recovery Flows of WSO2 Identity Server

In WSO2 Identity Server, when using User Information Recovery Admin Service [1], there are some flows like ‘Recover with Notification’ where we need to call a set of operations in sequence. In order to call one operation, we may need to provide captcha details for human verification. This blog post discusses how to use captcha verification when you try out the operations using Admin Services that needs captcha verification. For this demonstration, I am using WSO2 Identity Server 5.0.0 version with Service Pack 1 installed.

The captcha verification can be handled by Identity Server itself or let a 3rd party application to handle it. If you need to let Identity Server handle captcha verification, you need to set the following property in  IS_HOME/repository/conf/security/ file.


Here for demonstrating captcha verification, I am calling the getCaptcha method in UserInformationRecoveryService [1]. Following is the SOAP request I need to send.

<soapenv:Envelope xmlns:soapenv="" xmlns:ser="">

In response I get the following SOAP message.

<soapenv:Envelope xmlns:soapenv="">
     <ns:getCaptchaResponse xmlns:ns="">
        <ns:return xsi:type="ax2295:CaptchaInfoBean" xmlns:ax2293="" xmlns:ax2295="" xmlns:ax2297="" xmlns:ax2298="" xmlns:xsi="" xmlns:ax2301="">
           <ax2295:userAnswer xsi:nil="true"/>

From the above response, we need the imagePath and the secretKey


When we know the imagePath, we can access the captcha image from a URL like https://<HOST_NAME>:<PORT>/<IMAGE_PATH>.

An example is below.

Then you can view the captcha image.

In User Information Recovery flows, when we need to send captcha details for verification, we need to provide the imagePath, secretKey and userAnswer. Both imagePath and secretKey were contained in the response of getCaptcha method. The userAnswer is the text or the characters displayed in the captcha image.

In this scenario, when we need to send captcha details in a SOAP request, the captcha details need to be sent as following.


An example for sending captcha details is when calling the verifyConfirmationCode method in UserInformationRecoveryService.

<soapenv:Envelope xmlns:soapenv="" xmlns:ser="" xmlns:xsd="">
        <ser:captcha>            <xsd:imagePath>registry/resource/_system/config/repository/components/org.wso2.carbon.captcha-images/dc832c96-3ed2-45e2-adfe-fcb0ef341ce3.jpg</xsd:imagePath>

Similarly, when you try out different User Information Recovery flows, when you need to send captcha details, you can follow these steps to get to know the captcha details that should be sent for calling the operations.


Tharindu Edirisinghe
Identity Server Team

No comments:

Post a Comment