
We wanted to implement ReCAPTCHA Enterprise in our Azure B2C setup. ReCAPTCHA works by inserting a hidden input field in the login form. Once submitted, we read out this value and send a request to Google for the ReCAPTCHA assessment. If the assessment has a high enough score we allow the user to continue. Because adding a custom input field can be done with the selfasserted page, we used that for our login page.

<ContentDefinition Id="api.signuporsignin">
    <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>
    <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
    <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>
    <Metadata>
        <Item Key="DisplayName">Collect information from user page</Item>
    </Metadata>
</ContentDefinition>

Now we are facing issues with the password reset flow. After looking at the starter pack again, we noticed that in there the localaccountsigninsignup uses the unifiedssp page:

<ContentDefinition Id="api.signuporsignin">
    <LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>
    <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
    <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5</DataUri>
    <Metadata>
        <Item Key="DisplayName">Signin and Signup</Item>
    </Metadata>
</ContentDefinition>

Would it be possible to include a hidden input field in the form used on the unifiedssp page to include the ReCAPTCHA token? Because we are not able to at the moment. Whenever we use JavaScript to include this field, B2C does not seem able to read the value and insert it in a custom claim. The custom claim remains empty with the unifiedssp page after form submission.

Thibault Lesuisse
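The question describes the server-side half of the flow only in one sentence ("if the assessment has a high enough score we allow the user to continue"). The following is an added example, not code from the poster or from Microsoft, of what that decision should check before a B2C policy lets the sign-in proceed; in B2C this logic would typically live behind an endpoint that the policy calls. It assumes the reCAPTCHA Enterprise REST API's documented request and response shape (`event.token`/`siteKey`/`expectedAction` in; `tokenProperties` and `riskAnalysis` out); the project id, API key, hostname, action name, thresholds and the sample responses are constructed placeholders.

```javascript
// Added example (not from the original post): evaluating a reCAPTCHA Enterprise
// assessment before allowing the login to continue. Runs offline on constructed
// sample responses; nothing here contacts Google.

// Endpoint shape of the reCAPTCHA Enterprise REST API; both ids are placeholders.
const ASSESSMENT_URL =
  'https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID_PLACEHOLDER/assessments?key=API_KEY_PLACEHOLDER';

// Body for the "send a request to Google" step: the token read from the hidden
// input, the site key the page was rendered with, and the action we expect.
function buildAssessmentRequest(token, siteKey, expectedAction) {
  return { event: { token, siteKey, expectedAction } };
}

// Everything that has to hold before the user may continue (values are constructed).
const DEFAULT_POLICY = {
  expectedAction: 'login',                 // action name the page passed to grecaptcha.enterprise.execute
  allowedHostnames: ['login.example.com'], // the B2C page host(s) the token may come from
  minScore: 0.7,                           // 0.0 (likely automated) .. 1.0 (likely human)
  maxTokenAgeMs: 2 * 60 * 1000,            // tokens are short-lived; reject stale ones ourselves too
};

function evaluateAssessment(assessment, policy = DEFAULT_POLICY, now = Date.now()) {
  const props = assessment.tokenProperties || {};
  const risk = assessment.riskAnalysis || {};

  // 1. The token itself must be valid (not malformed, expired or already used).
  if (props.valid !== true) {
    return { allow: false, reason: `invalid token: ${props.invalidReason || 'unknown'}` };
  }
  // 2. The action bound into the token must be the one this form protects, so a
  //    token minted for a different form cannot be presented here instead.
  if (props.action !== policy.expectedAction) {
    return { allow: false, reason: `action mismatch: ${props.action}` };
  }
  // 3. The token must have been generated on one of our own pages.
  if (!policy.allowedHostnames.includes(props.hostname)) {
    return { allow: false, reason: `unexpected hostname: ${props.hostname}` };
  }
  // 4. Age check as defence in depth on top of Google's own expiry.
  const created = Date.parse(props.createTime);
  if (Number.isNaN(created) || now - created > policy.maxTokenAgeMs) {
    return { allow: false, reason: 'token too old' };
  }
  // 5. Only now look at the score; a missing score counts as a failure.
  if (typeof risk.score !== 'number' || risk.score < policy.minScore) {
    return { allow: false, reason: `score ${risk.score} below ${policy.minScore}`, score: risk.score };
  }
  return { allow: true, reason: 'ok', score: risk.score };
}

// Constructed sample responses in the documented response shape.
const NOW = Date.parse('2024-01-01T12:00:30Z');
const SAMPLE_GOOD = {
  tokenProperties: { valid: true, hostname: 'login.example.com', action: 'login', createTime: '2024-01-01T12:00:00Z' },
  riskAnalysis: { score: 0.9, reasons: [] },
};
const SAMPLE_LOW_SCORE = { ...SAMPLE_GOOD, riskAnalysis: { score: 0.2, reasons: ['AUTOMATION'] } };
const SAMPLE_REUSED = {
  ...SAMPLE_GOOD,
  tokenProperties: { ...SAMPLE_GOOD.tokenProperties, valid: false, invalidReason: 'DUPE' },
};
const SAMPLE_WRONG_ACTION = {
  ...SAMPLE_GOOD,
  tokenProperties: { ...SAMPLE_GOOD.tokenProperties, action: 'password_reset' },
};

// Evaluate all samples at a fixed "now" so the age check is deterministic.
function demo() {
  return [SAMPLE_GOOD, SAMPLE_LOW_SCORE, SAMPLE_REUSED, SAMPLE_WRONG_ACTION].map((a) =>
    evaluateAssessment(a, DEFAULT_POLICY, NOW)
  );
}

console.log(JSON.stringify(buildAssessmentRequest('TOKEN_FROM_HIDDEN_INPUT', 'SITE_KEY_PLACEHOLDER', 'login')));
console.log(JSON.stringify(demo(), null, 2));
```

The order of the checks matters: the action and hostname come from the token itself, so a valid token for another form or another site is rejected before the score is even considered, and the score alone is never treated as proof of a legitimate user.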

1 Answer

No answer to your question, but to give some more context! We hoped that there were other ways to implement recaptcha v3 in B2C, because the issue that we face when using the selfasserted flow is that our clients expect the token that we get after the password reset flow to be issued via the 'B2C_1A_signin' policy and not via our custom 'B2C_1A_password_reset' policy.

That's why we are now forced to move from the selfasserted datauri to the unifiedssp. But then recaptcha doesn't work anymore. In addition, MS themselves also recommend using the self-service password reset. So hopefully someone has an example of an implementation where that has already been done.

Lacaeyse