Last Updated: Aug 20, 2024
Overview
This article explains whether a specific user account can be forced to always trigger a CAPTCHA on login, or whether the auth0.js login request can be given an additional parameter so that the response is an error that triggers the CAPTCHA to load.
Applies To
- Captcha
Solution
Assuming all the necessary code changes have been added to the login page to execute the CAPTCHA, there is an indirect way to trigger the CAPTCHA manually: set CAPTCHA enforcement to When Risky.
- Make code changes as required in the Custom Auth0 login page for the CAPTCHA enablement.
- Enable CAPTCHA on the Auth0 side on the tenant level.
- Go to Auth0 Dashboard > Attack protection > Bot detection > Response > Enforce CAPTCHA On and set it to: When Risky.
To test this, spoof the browser's User-Agent header by setting its value to BadBadUserAgent.
How to spoof the user agent:
- Go to the developer tools of the Chrome browser and open the extra options menu.
- Select More tools > Network conditions.
- Uncheck Use browser default and set the custom value: BadBadUserAgent.
- Press the Update button at the bottom.
Once this is done, please call the /authorize endpoint to load the login page, and the CAPTCHA should be visible.
Note: When testing with Auth Challenge, the behavior may differ. HTTP status codes like 401 or 403 may be received as part of the expected response.