[SDK-2970] Remove captcha for enterprise SSO connections #2071
Conversation
| l.captcha(lock) && l.captcha(lock).get('required') ? ( | ||
| l.captcha(lock) && | ||
| l.captcha(lock).get('required') && | ||
| (isHRDDomain(lock, databaseUsernameValue(lock)) || !sso) ? ( |
There was a problem hiding this comment.
This is the real crux of the change - showing captcha if required, but also for ADFS SSO connections only (other SSO connections should hide the Captcha).
| expectShallowComponent(<Component {...defaultProps} />).toMatchSnapshot(); | ||
| }); | ||
|
|
||
| it('shows the Captcha pane for SSO (ADFS) connections', () => { |
There was a problem hiding this comment.
Another one that goes thru the same endpoint and is enterprise is the "ad" strategy... Are we also handling that case?
There was a problem hiding this comment.
The logic here relies on the result of isHRDDomain, which looks like it checks both the ad and auth0-adldap strategies:
lock/src/connection/enterprise.js
Line 142 in c692eb6
Is this sufficient?
|
Hi team, Mercado Libre is evaluating Bot Detection, their use case is B2E, and they have one AD connection to validate users. Does Bot Detection support for non Auth0 DB connections? They are using lock.js, and we tried with the default lock.js template, and it didn’t work with an AD connection. Is that related to this change? |
|
Looks like we don't show the captcha when only a DB connection is enabled. Opened ESD-17783. |
|
Thanks @sergioaguirreok, @thameera, I have raised #2096 to fix this. |
Changes
This PR hides the Captcha for enterprise (non-ADFS) SSO connections. As the user is redirected to another vendor to input their password, having a Captcha here makes no sense and is not validated by Auth0 server anyway. However, leaving it in place is an awkward experience, as it looks like the Captcha can be bypassed (you can enter a random value and it still works).
This PR also rolls in #2065, which has now been closed.
References
SDK-2970(internal support ticket)Testing
Checklist