Oracle APEX and Google reCAPTCHA v3 integration

Integrating Google reCaptcha v3 into Oracle APEX involves several steps to ensure that your application can verify if user interactions are legitimate. Google reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion in your Oracle APEX application.

Key Points

• No user interaction: reCAPTCHA v3 operates in the background, meaning users don't need to click checkboxes, select images, or solve puzzles.

  • reCAPTCHA v2

• reCAPTCHA v3

• Score-based validation: The system returns a score indicating the likelihood that the interaction is from a human rather than a bot.

• Step 1. Obtain reCAPTCHA keys

• Step 2. Store reCAPTCHA keys in APEX

• Step 3. Initialize reCAPTCHA on the Page

• Step 4. Create page items for Token and Message

• Step 5. Server-Side Validation

• Step 6. Adjust Login Process Condition

• Handle Errors and Score Validation

Step 1. Obtain reCAPTCHA keys

1. Log in to your Google reCAPTCHA Admin Console

https://www.google.com/recaptcha/admin/

2. From the console page click the “+” icon.

2. Select a name to identify your site, choose “Score based(v3)” radio option, and enter your domain. Then click the SUBMIT button.

3. Your keys have been generated, keep them ready for the next step. Store de SECRET KEY securely.

Step 2. Store reCAPTCHA keys in APEX

1. Pick Substitutions tab in your APEX application definition and create two Substitutions Strings, RECAPTCHAV3_SITE_KEY and RECAPTCHAV3_SECRETE_KEY, to store the reCAPTCHA keys. Click in Apply Changes button.

Instead of substitutions strings you can use application settings.

Step 3. Initialize reCAPTCHA on the Page

1. Add the reCAPTCHA JavaScript to your login page (or any page where you want to verify user interaction).

JavaScript, File URLs

https://www.google.com/recaptcha/api.js?render=&RECAPTCHAV3_SITE_KEY.

JavaScript, Execute when Page Loads

grecaptcha.ready(function() {
grecaptcha.execute('&RECAPTCHAV3_SITE_KEY.', {action: 'action_name'})
    .then(function(token) {
        apex.item ("P9999_TOKEN").setValue (token);
    });
});

Step 4. Create page items for Token and Message

1. Add items to hold the reCAPTCHA token (P9999_TOKEN) and any messages (P0_MESSAGE) for validation feedback.

Page: 9999

Item: P9999_TOKEN

Type: Hidden

---

Page: 0

Item: P0_MESSAGE

Type: Text Field

Label: Message reCAPTCHA

Server-side Condition: Current Page = Page 1

Step 5. Server Side Validation

Create a page process in page 9999 to verify the reCAPTCHA token by calling Google's verification endpoint. Here's an example of what the PL/SQL might look like:

declare 
    l_response clob; 
    l_success boolean; 
    l_score number; 
    lt_parm_names apex_application_global.vc_arr2; 
    lt_parm_values apex_application_global.vc_arr2; 
begin 

    -- Call to Google's verification endpoint 
    apex_web_service.set_request_headers (
        p_name_01 => 'Content-Type', 
        p_value_01 => 'application/x-www-form-urlencoded', 
        p_reset => TRUE);

    lt_parm_names(1) := 'secret'; 
    lt_parm_values(1) := v('RECAPTCHAV3_SECRET_KEY'); 

    lt_parm_names(2) := 'response'; 
    lt_parm_values(2) := :P9999_TOKEN; 

    lt_parm_names(3) := 'remoteip'; 
    lt_parm_values(3) := owa_util.get_cgi_env('REMOTE_ADDR');

    l_response := apex_web_service.make_rest_request( 
        p_url => 'https://www.google.com/recaptcha/api/siteverify', 
        p_http_method => 'POST', 
        p_parm_name => lt_parm_names, 
        p_parm_value => lt_parm_values );

    -- Parse JSON response to get success status and score 
    apex_json.parse(l_response); 
    l_success := apex_json.get_boolean(p_path => 'success'); 
    l_score := apex_json.get_number(p_path => 'score');

    -- Decide based on score or success 
    if l_success and l_score >= 0.5 then -- Adjust the threshold as needed 
        :P0_MESSAGE := 'Human verified with score = ' || l_score; 
    else 
        :P0_MESSAGE := 'Verification failed'; 
    end if; 
end;

Step 6. Adjust Login Process Condition

Modify the condition on your login process to check the reCAPTCHA validation result before allowing login.

Step 7. Handle Errors and Score Validation

Implement logic to interpret the reCAPTCHA score. Google suggests a default threshold of 0.5, but you might adjust this based on your application's security needs.

Execution

Once you execute your application a Google reCAPTCHA logo appears in the login page.

Enter your valid username and password. Page 1 shows the validation message:

This article is based on this post by Lino Schilde http://lschilde.blogspot.com/2019/02/oracle-apex-and-google-recaptcha-v3_8.html