Introduce Google reCaptcha alternatives for IAM products #8199

Open: wants to merge 571 commits into base: feature-recaptcha-alternatives

KaveeshaPiumini (Contributor) commented May 15, 2025

Purpose

  1. This PR improves the existing Google reCaptcha implementation by refactoring it to automatically bind the challenge to a button without calling the grecaptcha.execute() method when required.
  2. This PR refactors the captcha provider to dynamically render the captcha-provider-related UI components without the knowledge of the configured captcha provider. Previously, Google reCaptcha, captcha provider engagement points were hardcoded where necessary.

Related Issues

Merge After

Related PRs

@wso2-jenkins-bot (Contributor)

⚠️ No Changeset found

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go.

If these changes should result in a version bump, you need to add a changeset.

Refer Release Documentation to learn how to add a changeset.

@KaveeshaPiumini KaveeshaPiumini changed the base branch from master to feature-recaptcha-alternatives June 5, 2025 11:35
@KaveeshaPiumini KaveeshaPiumini marked this pull request as ready for review June 5, 2025 11:35
Comment on lines 470 to 471
if (scriptAttributesList != null) {
for (Map<String, String> scriptAttributes : scriptAttributesList) {
Suggested change
if (scriptAttributesList != null) {
for (Map<String, String> scriptAttributes : scriptAttributesList) {
if (scriptAttributesList != null) {
for (Map<String, String> scriptAttributes : scriptAttributesList) {

@NipuniBhagya NipuniBhagya requested a review from Copilot June 6, 2025 08:29
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR refactors the existing Google reCaptcha integration in various authentication and recovery JSP pages to a dynamic implementation using CaptchaFEUtils. Key changes include:

  • Replacing hardcoded reCaptcha API URLs, keys, and response parameters with dynamic values from CaptchaFEUtils.
  • Consistent rendering of captcha-related script and widget HTML using data from CaptchaFEUtils.
  • Updating header and form submission logic across multiple JSP files to support the new captcha integration.

Reviewed Changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| self-registration-without-verification.jsp | Replaces reCaptcha API/script inclusion and widget attributes with dynamic CaptchaFEUtils values. |
| self-registration-with-verification.jsp | Updates captcha headers and widget rendering using CaptchaFEUtils in place of reCaptchaUtil calls. |
| self-registration-username-request.jsp | Switches captcha header addition from reCaptcha to CaptchaFEUtils. |
| password-recovery.jsp and related recovery pages | Dynamically injects captcha script attributes and response identifiers using CaptchaFEUtils. |
| resend-confirmation-captcha.jsp, login.jsp, identifierauth.jsp, basicauth.jsp | Refactors captcha widget rendering, form submission, and reset functionality to use CaptchaFEUtils. |

Comments suppressed due to low confidence (1)

identity-apps-core/apps/authentication-portal/src/main/webapp/identifierauth.jsp:348

  • [nitpick] Ensure that all instances where the captcha site key is rendered (for example, in the identifierauth.jsp file) have been thoroughly tested to guarantee that the dynamic CaptchaFEUtils values are correctly injected and that the resulting HTML complies with the expected widget behavior.
data-sitekey="<%=Encode.forHtmlContent(captchaKey)%>"
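
Review bot: the data-sitekey value at identifierauth.jsp:348 sits inside a quoted HTML attribute but is encoded with Encode.forHtmlContent, which is meant for text content and does not escape quotation marks. Use Encode.forHtmlAttribute(captchaKey) here, matching the data-sitekey line quoted later in this thread that this PR replaces.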

grecaptcha.reset();
}
// Reset the captcha to allow another submission.
CaptchaFEUtils.getCaptchaFunctions().get("reset");
Copilot AI commented Jun 6, 2025

It appears that the captcha reset function is being retrieved but not invoked. Please ensure that the reset function is correctly called (for example, by appending '()' if it’s a callable function) to properly reset the captcha UI on subsequent submissions.

Suggested change
CaptchaFEUtils.getCaptchaFunctions().get("reset");
CaptchaFEUtils.getCaptchaFunctions().get("reset")();

Contributor Author

CaptchaFEUtils.getCaptchaFunctions() returns a Map<String, String>, so get("reset") returns the function name as a string, not a callable. We’re just retrieving the function name here to be used in the frontend, not invoking it. Calling get("reset")() would throw an error since the value is a string, not a function.

@@ -32,6 +32,7 @@
<%@ page import="static org.wso2.carbon.identity.application.authentication.endpoint.util.Constants.ENABLE_AUTHENTICATION_WITH_REST_API" %>
<%@ page import="static org.wso2.carbon.identity.application.authentication.endpoint.util.Constants.ERROR_WHILE_BUILDING_THE_ACCOUNT_RECOVERY_ENDPOINT_URL" %>
<%@ page import="org.wso2.carbon.identity.captcha.util.CaptchaUtil" %>
<%@ page import="org.wso2.carbon.identity.captcha.provider_mgt.util.CaptchaFEUtils" %>
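
Review bot: the existing org.wso2.carbon.identity.captcha.util.CaptchaUtil import directly above the new CaptchaFEUtils import is left in place. If this page no longer calls CaptchaUtil once rendering goes through CaptchaFEUtils, remove that import in the same change so the JSP does not keep an unused reference to the old utility.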
Contributor

Shall we rename this util to CaptchaUIUtils?

data-sitekey="<%=Encode.forHtmlAttribute(reCaptchaKey)%>"
<div
<%
Map<String, String> captchaAttributes = CaptchaFEUtils.getWidgetAttributes();
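
Review bot: the replaced data-sitekey line passed its value through Encode.forHtmlAttribute, while the lines after `<div` only show CaptchaFEUtils.getWidgetAttributes() being read into a map. The code that writes those entries into the tag should encode every value with Encode.forHtmlAttribute and accept only expected attribute names, because both now come from the map rather than from fixed markup.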
Contributor

Let's move the reusable logic to a utils or helpers.

Contributor Author

In this case, moving the logic to a helper or utility isn't straightforward because the code is tightly coupled with dynamic HTML rendering inside the JSP. Unlike JavaScript or modern templating engines, JSP doesn’t support returning reusable fragments easily — helpers would have to return raw HTML strings or write directly to the output stream, which is messy and not cleanly maintainable. While we could create custom JSP tags or tag files for better separation, that introduces additional complexity and multiple files just to handle small, context-specific logic blocks. Given that, keeping the current logic inline avoids overengineering and remains easier to follow for now, from my point of view.
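
The thread above discusses two provider-supplied maps: widget attributes written into a `<div>` and function names returned as strings for use in the frontend. The following is an added example, not code from this PR or from the project, of how such values can be validated and encoded before they reach the page. The class and method names are hypothetical, and `escapeAttribute` is a dependency-free stand-in for Encode.forHtmlAttribute.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical helper (not from the PR): writes provider-supplied values into a page.
public class CaptchaRenderExample {
    // Attribute names such as data-sitekey; event handlers (on*) are rejected below.
    private static final Pattern ATTR_NAME = Pattern.compile("[a-z][a-z0-9-]*");
    // Dotted JavaScript identifiers such as grecaptcha.reset.
    private static final Pattern JS_NAME =
            Pattern.compile("[A-Za-z_$][\\w$]*(\\.[A-Za-z_$][\\w$]*)*");

    // Dependency-free stand-in for Encode.forHtmlAttribute.
    static String escapeAttribute(String value) {
        return value.replace("&", "&amp;").replace("<", "&lt;")
                .replace("\"", "&#34;").replace("'", "&#39;");
    }

    static String renderAttributes(Map<String, String> attributes) {
        StringBuilder out = new StringBuilder();
        for (Map.Entry<String, String> e : attributes.entrySet()) {
            String name = e.getKey();
            if (!ATTR_NAME.matcher(name).matches() || name.startsWith("on")) {
                throw new IllegalArgumentException("Unexpected attribute name");
            }
            out.append(' ').append(name).append("=\"")
               .append(escapeAttribute(e.getValue())).append('"');
        }
        return out.toString();
    }

    // The map value is only a name; the call happens in the emitted JavaScript.
    static String renderCall(String functionName) {
        if (functionName == null || !JS_NAME.matcher(functionName).matches()) {
            throw new IllegalArgumentException("Unexpected function name");
        }
        return functionName + "();";
    }

    public static void main(String[] args) {
        Map<String, String> attrs = new LinkedHashMap<>(); // constructed sample values
        attrs.put("class", "g-recaptcha");
        attrs.put("data-sitekey", "key\" onmouseover=\"x");
        System.out.println("<div" + renderAttributes(attrs) + "></div>");
        System.out.println(renderCall("grecaptcha.reset"));
    }
}
```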


console.log("reCaptcha response: " + reCaptchaResponse);
Contributor

Let's remove any unnecessary logs

pavinduLakshan and others added 22 commits June 18, 2025 11:20
Add new developer checklist to the PR template
[Release] [GitHub Action] Update package versions
github-actions bot and others added 30 commits June 28, 2025 07:36
[Release] [GitHub Action] Update package versions
[Release] [GitHub Action] Update package versions
Fix minor content issues in the 'Invite User to Set Password' flow
[Release] [GitHub Action] Update package versions
Support configuring Recovery Portal URL via branding settings and apply in Forgot Password link