This article explains whether there is a way to either force a specific user account to always trigger a captcha on login OR if there is some additional parameter the auth0.js login request could be given to respond with an error that triggers the captcha to load.
Assuming all the necessary code changes have been added to the login page to execute the CAPTCHA, there is an indirect way to manually trigger the CAPTCHA by configuring it to the When Risky status.
- Make code changes as required in the Custom Auth0 login page for the CAPTCHA enablement.
- Enable CAPTCHA on the Auth0 side on the tenant level.
- Go to Auth0 Dashboard > Attack protection > Bot detection > Response > Enforce CAPTCHA On → Set it to : When Risky
To test this, spoof the User-agent header of the browser. Set the value of the User-agent to BadBadUserAgent.
How to spoof the user agent
- Go to the developer tools of the Chrome browser and select the extra options highlighted below:
- Select More tools > Network conditions
- Uncheck Use browser default and set the custom value: BadBadUserAgent
- Press the Update button at the bottom
Once this is done, please call the /authorize endpoint to load the login page and the CAPTCHA should be visible.