From 465010ea01ba5e57274127b3b99092e4602048a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Wed, 4 Sep 2024 11:13:44 +0200
Subject: [PATCH 01/14] add captcha to identification stage

---
 authentik/flows/tests/test_inspector.py       |  1 +
 authentik/stages/captcha/stage.py             | 72 +++++++++--------
 authentik/stages/identification/api.py        |  2 +
 .../0015_identificationstage_captcha_stage.py | 26 ++++++
 authentik/stages/identification/models.py     | 14 ++++
 authentik/stages/identification/stage.py      | 25 +++++-
 authentik/stages/identification/tests.py      | 79 +++++++++++++++++++
 blueprints/schema.json                        |  5 ++
 schema.yml                                    | 28 +++++++
 .../identification/IdentificationStageForm.ts | 36 +++++++++
 web/src/flow/stages/captcha/CaptchaStage.ts   | 36 +++++----
 .../identification/IdentificationStage.ts     | 18 ++++-
 .../stages/identification/index.md            |  6 +-
 13 files changed, 296 insertions(+), 52 deletions(-)
 create mode 100644 authentik/stages/identification/migrations/0015_identificationstage_captcha_stage.py

diff --git a/authentik/flows/tests/test_inspector.py b/authentik/flows/tests/test_inspector.py
index 2a01ea370c7a..81a04a797bb6 100644
--- a/authentik/flows/tests/test_inspector.py
+++ b/authentik/flows/tests/test_inspector.py
@@ -46,6 +46,7 @@ def test(self):
             res.content,
             {
                 "allow_show_password": False,
+                "captcha_stage": None,
                 "component": "ak-stage-identification",
                 "flow_info": {
                     "background": flow.background_url,
diff --git a/authentik/stages/captcha/stage.py b/authentik/stages/captcha/stage.py
index 3967e6d3d399..8b9018de229a 100644
--- a/authentik/stages/captcha/stage.py
+++ b/authentik/stages/captcha/stage.py
@@ -27,6 +27,43 @@ class CaptchaChallenge(WithUserInfoChallenge):
     component = CharField(default="ak-stage-captcha")
 
 
+def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str):
+    """Validate captcha token"""
+    try:
+        response = get_http_session().post(
+            stage.api_url,
+            headers={
+                "Content-type": "application/x-www-form-urlencoded",
+            },
+            data={
+                "secret": stage.private_key,
+                "response": token,
+                "remoteip": remote_ip,
+            },
+        )
+        response.raise_for_status()
+        data = response.json()
+        if stage.error_on_invalid_score:
+            if not data.get("success", False):
+                raise ValidationError(
+                    _(
+                        "Failed to validate token: {error}".format(
+                            error=data.get("error-codes", _("Unknown error"))
+                        )
+                    )
+                )
+            if "score" in data:
+                score = float(data.get("score"))
+                if stage.score_max_threshold > -1 and score > stage.score_max_threshold:
+                    raise ValidationError(_("Invalid captcha response"))
+                if stage.score_min_threshold > -1 and score < stage.score_min_threshold:
+                    raise ValidationError(_("Invalid captcha response"))
+    except (RequestException, TypeError) as exc:
+        raise ValidationError(_("Failed to validate token")) from exc
+
+    return data
+
+
 class CaptchaChallengeResponse(ChallengeResponse):
     """Validate captcha token"""
 
@@ -36,38 +73,9 @@ class CaptchaChallengeResponse(ChallengeResponse):
     def validate_token(self, token: str) -> str:
         """Validate captcha token"""
         stage: CaptchaStage = self.stage.executor.current_stage
-        try:
-            response = get_http_session().post(
-                stage.api_url,
-                headers={
-                    "Content-type": "application/x-www-form-urlencoded",
-                },
-                data={
-                    "secret": stage.private_key,
-                    "response": token,
-                    "remoteip": ClientIPMiddleware.get_client_ip(self.stage.request),
-                },
-            )
-            response.raise_for_status()
-            data = response.json()
-            if stage.error_on_invalid_score:
-                if not data.get("success", False):
-                    raise ValidationError(
-                        _(
-                            "Failed to validate token: {error}".format(
-                                error=data.get("error-codes", _("Unknown error"))
-                            )
-                        )
-                    )
-                if "score" in data:
-                    score = float(data.get("score"))
-                    if stage.score_max_threshold > -1 and score > stage.score_max_threshold:
-                        raise ValidationError(_("Invalid captcha response"))
-                    if stage.score_min_threshold > -1 and score < stage.score_min_threshold:
-                        raise ValidationError(_("Invalid captcha response"))
-        except (RequestException, TypeError) as exc:
-            raise ValidationError(_("Failed to validate token")) from exc
-        return data
+        client_ip = ClientIPMiddleware.get_client_ip(self.stage.request)
+
+        return verify_captcha_token(stage, token, client_ip)
 
 
 class CaptchaStageView(ChallengeStageView):
diff --git a/authentik/stages/identification/api.py b/authentik/stages/identification/api.py
index 9ad97320e87b..c8de2d74364c 100644
--- a/authentik/stages/identification/api.py
+++ b/authentik/stages/identification/api.py
@@ -27,6 +27,7 @@ class Meta:
         fields = StageSerializer.Meta.fields + [
             "user_fields",
             "password_stage",
+            "captcha_stage",
             "case_insensitive_matching",
             "show_matched_user",
             "enrollment_flow",
@@ -46,6 +47,7 @@ class IdentificationStageViewSet(UsedByMixin, ModelViewSet):
     filterset_fields = [
         "name",
         "password_stage",
+        "captcha_stage",
         "case_insensitive_matching",
         "show_matched_user",
         "enrollment_flow",
diff --git a/authentik/stages/identification/migrations/0015_identificationstage_captcha_stage.py b/authentik/stages/identification/migrations/0015_identificationstage_captcha_stage.py
new file mode 100644
index 000000000000..734dc7631cea
--- /dev/null
+++ b/authentik/stages/identification/migrations/0015_identificationstage_captcha_stage.py
@@ -0,0 +1,26 @@
+# Generated by Django 5.0.8 on 2024-08-29 11:31
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_captcha", "0003_captchastage_error_on_invalid_score_and_more"),
+        ("authentik_stages_identification", "0014_identificationstage_pretend"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="identificationstage",
+            name="captcha_stage",
+            field=models.ForeignKey(
+                default=None,
+                help_text="When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                to="authentik_stages_captcha.captchastage",
+            ),
+        ),
+    ]
diff --git a/authentik/stages/identification/models.py b/authentik/stages/identification/models.py
index 27cfcb92f1ea..ed6728c9327a 100644
--- a/authentik/stages/identification/models.py
+++ b/authentik/stages/identification/models.py
@@ -8,6 +8,7 @@
 
 from authentik.core.models import Source
 from authentik.flows.models import Flow, Stage
+from authentik.stages.captcha.models import CaptchaStage
 from authentik.stages.password.models import PasswordStage
 
 
@@ -43,6 +44,19 @@ class IdentificationStage(Stage):
         ),
     )
 
+    captcha_stage = models.ForeignKey(
+        CaptchaStage,
+        null=True,
+        default=None,
+        on_delete=models.SET_NULL,
+        help_text=_(
+            (
+                "When set, adds functionality exactly like a Captcha stage, but baked into the "
+                "Identification stage."
+            ),
+        ),
+    )
+
     case_insensitive_matching = models.BooleanField(
         default=True,
         help_text=_("When enabled, user fields are matched regardless of their casing."),
diff --git a/authentik/stages/identification/stage.py b/authentik/stages/identification/stage.py
index dffd119da9a5..50fbc16238e8 100644
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@@ -29,6 +29,7 @@
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.lib.utils.urls import reverse_with_qs
 from authentik.root.middleware import ClientIPMiddleware
+from authentik.stages.captcha.stage import CaptchaChallenge, verify_captcha_token
 from authentik.stages.identification.models import IdentificationStage
 from authentik.stages.identification.signals import identification_failed
 from authentik.stages.password.stage import authenticate
@@ -75,6 +76,7 @@ class IdentificationChallenge(Challenge):
     allow_show_password = BooleanField(default=False)
     application_pre = CharField(required=False)
     flow_designation = ChoiceField(FlowDesignation.choices)
+    captcha_stage = CaptchaChallenge(required=False)
 
     enroll_url = CharField(required=False)
     recovery_url = CharField(required=False)
@@ -91,14 +93,16 @@ class IdentificationChallengeResponse(ChallengeResponse):
 
     uid_field = CharField()
     password = CharField(required=False, allow_blank=True, allow_null=True)
+    token = CharField(required=False, allow_blank=True, allow_null=True)
     component = CharField(default="ak-stage-identification")
 
     pre_user: User | None = None
 
     def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
-        """Validate that user exists, and optionally their password"""
+        """Validate that user exists, and optionally their password and captcha token"""
         uid_field = attrs["uid_field"]
         current_stage: IdentificationStage = self.stage.executor.current_stage
+        client_ip = ClientIPMiddleware.get_client_ip(self.stage.request)
 
         pre_user = self.stage.get_user(uid_field)
         if not pre_user:
@@ -113,7 +117,7 @@ def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
             self.stage.logger.info(
                 "invalid_login",
                 identifier=uid_field,
-                client_ip=ClientIPMiddleware.get_client_ip(self.stage.request),
+                client_ip=client_ip,
                 action="invalid_identifier",
                 context={
                     "stage": sanitize_item(self.stage),
@@ -136,6 +140,15 @@ def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
                 return attrs
             raise ValidationError("Failed to authenticate.")
         self.pre_user = pre_user
+
+        # Captcha check
+        if captcha_stage := current_stage.captcha_stage:
+            token = attrs.get("token", None)
+            if not token:
+                self.stage.logger.warning("Token not set for captcha attempt")
+            verify_captcha_token(captcha_stage, token, client_ip)
+
+        # Password check
         if not current_stage.password_stage:
             # No password stage select, don't validate the password
             return attrs
@@ -206,6 +219,14 @@ def get_challenge(self) -> Challenge:
                 "primary_action": self.get_primary_action(),
                 "user_fields": current_stage.user_fields,
                 "password_fields": bool(current_stage.password_stage),
+                "captcha_stage": (
+                    {
+                        "js_url": current_stage.captcha_stage.js_url,
+                        "site_key": current_stage.captcha_stage.public_key,
+                    }
+                    if current_stage.captcha_stage
+                    else None
+                ),
                 "allow_show_password": bool(current_stage.password_stage)
                 and current_stage.password_stage.allow_show_password,
                 "show_source_labels": current_stage.show_source_labels,
diff --git a/authentik/stages/identification/tests.py b/authentik/stages/identification/tests.py
index 57ffed12839b..6f905feb4f3e 100644
--- a/authentik/stages/identification/tests.py
+++ b/authentik/stages/identification/tests.py
@@ -1,6 +1,7 @@
 """identification tests"""
 
 from django.urls import reverse
+from requests_mock import Mocker
 from rest_framework.exceptions import ValidationError
 
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
@@ -8,6 +9,8 @@
 from authentik.flows.tests import FlowTestCase
 from authentik.lib.generators import generate_id
 from authentik.sources.oauth.models import OAuthSource
+from authentik.stages.captcha.models import CaptchaStage
+from authentik.stages.captcha.tests import RECAPTCHA_PRIVATE_KEY, RECAPTCHA_PUBLIC_KEY
 from authentik.stages.identification.api import IdentificationStageSerializer
 from authentik.stages.identification.models import IdentificationStage, UserFields
 from authentik.stages.password import BACKEND_INBUILT
@@ -133,6 +136,82 @@ def test_invalid_with_password_pretend(self):
             user_fields=["email"],
         )
 
+    @Mocker()
+    def test_valid_with_captcha(self, mock: Mocker):
+        """Test with valid email and captcha token in single step"""
+        mock.post(
+            "https://www.recaptcha.net/recaptcha/api/siteverify",
+            json={
+                "success": True,
+                "score": 0.5,
+            },
+        )
+
+        captcha_stage = CaptchaStage.objects.create(
+            name="captcha",
+            public_key=RECAPTCHA_PUBLIC_KEY,
+            private_key=RECAPTCHA_PRIVATE_KEY,
+        )
+        self.stage.captcha_stage = captcha_stage
+        self.stage.save()
+
+        form_data = {"uid_field": self.user.email, "token": "PASSED"}
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        response = self.client.post(url, form_data)
+        self.assertEqual(response.status_code, 200)
+        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
+
+    @Mocker()
+    def test_invalid_with_captcha(self, mock: Mocker):
+        """Test with valid email and invalid captcha token in single step"""
+        mock.post(
+            "https://www.recaptcha.net/recaptcha/api/siteverify",
+            json={
+                "success": False,
+                "score": 0.5,
+            },
+        )
+
+        captcha_stage = CaptchaStage.objects.create(
+            name="captcha",
+            public_key=RECAPTCHA_PUBLIC_KEY,
+            private_key=RECAPTCHA_PRIVATE_KEY,
+        )
+
+        self.stage.captcha_stage = captcha_stage
+        self.stage.save()
+
+        form_data = {
+            "uid_field": self.user.email,
+            "token": "FAILED",
+        }
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        response = self.client.post(url, form_data)
+        self.assertStageResponse(
+            response,
+            self.flow,
+            component="ak-stage-identification",
+            password_fields=False,
+            primary_action="Log in",
+            response_errors={
+                "non_field_errors": [
+                    {"code": "invalid", "string": "Failed to validate token: Unknown error"}
+                ]
+            },
+            sources=[
+                {
+                    "challenge": {
+                        "component": "xak-flow-redirect",
+                        "to": "/source/oauth/login/test/",
+                    },
+                    "icon_url": "/static/authentik/sources/default.svg",
+                    "name": "test",
+                }
+            ],
+            show_source_labels=False,
+            user_fields=["email"],
+        )
+
     def test_invalid_with_username(self):
         """Test invalid with username (user exists but stage only allows email)"""
         form_data = {"uid_field": self.user.username}
diff --git a/blueprints/schema.json b/blueprints/schema.json
index 802ce9b268c0..3092f6addc9e 100644
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@@ -10131,6 +10131,11 @@
                     "title": "Password stage",
                     "description": "When set, shows a password field, instead of showing the password field as separate step."
                 },
+                "captcha_stage": {
+                    "type": "integer",
+                    "title": "Captcha stage",
+                    "description": "When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage."
+                },
                 "case_insensitive_matching": {
                     "type": "boolean",
                     "title": "Case insensitive matching",
diff --git a/schema.yml b/schema.yml
index f8b5472862b7..d01dacfd842f 100644
--- a/schema.yml
+++ b/schema.yml
@@ -32102,6 +32102,11 @@ paths:
       operationId: stages_identification_list
       description: IdentificationStage Viewset
       parameters:
+      - in: query
+        name: captcha_stage
+        schema:
+          type: string
+          format: uuid
       - in: query
         name: case_insensitive_matching
         schema:
@@ -40562,6 +40567,8 @@ components:
           type: string
         flow_designation:
           $ref: '#/components/schemas/FlowDesignationEnum'
+        captcha_stage:
+          $ref: '#/components/schemas/CaptchaChallenge'
         enroll_url:
           type: string
         recovery_url:
@@ -40596,6 +40603,9 @@ components:
         password:
           type: string
           nullable: true
+        token:
+          type: string
+          nullable: true
       required:
       - uid_field
     IdentificationStage:
@@ -40641,6 +40651,12 @@ components:
           nullable: true
           description: When set, shows a password field, instead of showing the password
             field as separate step.
+        captcha_stage:
+          type: string
+          format: uuid
+          nullable: true
+          description: When set, adds functionality exactly like a Captcha stage,
+            but baked into the Identification stage.
         case_insensitive_matching:
           type: boolean
           description: When enabled, user fields are matched regardless of their casing.
@@ -40709,6 +40725,12 @@ components:
           nullable: true
           description: When set, shows a password field, instead of showing the password
             field as separate step.
+        captcha_stage:
+          type: string
+          format: uuid
+          nullable: true
+          description: When set, adds functionality exactly like a Captcha stage,
+            but baked into the Identification stage.
         case_insensitive_matching:
           type: boolean
           description: When enabled, user fields are matched regardless of their casing.
@@ -45877,6 +45899,12 @@ components:
           nullable: true
           description: When set, shows a password field, instead of showing the password
             field as separate step.
+        captcha_stage:
+          type: string
+          format: uuid
+          nullable: true
+          description: When set, adds functionality exactly like a Captcha stage,
+            but baked into the Identification stage.
         case_insensitive_matching:
           type: boolean
           description: When enabled, user fields are matched regardless of their casing.
diff --git a/web/src/admin/stages/identification/IdentificationStageForm.ts b/web/src/admin/stages/identification/IdentificationStageForm.ts
index 9123fba71ad6..835b3d4803e8 100644
--- a/web/src/admin/stages/identification/IdentificationStageForm.ts
+++ b/web/src/admin/stages/identification/IdentificationStageForm.ts
@@ -21,6 +21,7 @@ import {
     SourcesApi,
     Stage,
     StagesApi,
+    StagesCaptchaListRequest,
     StagesPasswordListRequest,
     UserFieldsEnum,
 } from "@goauthentik/api";
@@ -161,6 +162,41 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
                             )}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-form-element-horizontal label=${msg("Captcha stage")} name="captchaStage">
+                        <ak-search-select
+                            .fetchObjects=${async (query?: string): Promise<Stage[]> => {
+                                const args: StagesCaptchaListRequest = {
+                                    ordering: "name",
+                                };
+                                if (query !== undefined) {
+                                    args.search = query;
+                                }
+                                const stages = await new StagesApi(
+                                    DEFAULT_CONFIG,
+                                ).stagesCaptchaList(args);
+                                return stages.results;
+                            }}
+                            .groupBy=${(items: Stage[]) => {
+                                return groupBy(items, (stage) => stage.verboseNamePlural);
+                            }}
+                            .renderElement=${(stage: Stage): string => {
+                                return stage.name;
+                            }}
+                            .value=${(stage: Stage | undefined): string | undefined => {
+                                return stage?.pk;
+                            }}
+                            .selected=${(stage: Stage): boolean => {
+                                return stage.pk === this.instance?.captchaStage;
+                            }}
+                            ?blankable=${true}
+                        >
+                        </ak-search-select>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
                     <ak-form-element-horizontal name="caseInsensitiveMatching">
                         <label class="pf-c-switch">
                             <input
diff --git a/web/src/flow/stages/captcha/CaptchaStage.ts b/web/src/flow/stages/captcha/CaptchaStage.ts
index 55e5538d597e..5ea263d8013e 100644
--- a/web/src/flow/stages/captcha/CaptchaStage.ts
+++ b/web/src/flow/stages/captcha/CaptchaStage.ts
@@ -7,7 +7,7 @@ import type { TurnstileObject } from "turnstile-types";
 
 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, html } from "lit";
-import { customElement, state } from "lit/decorators.js";
+import { customElement, property, state } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
@@ -45,6 +45,16 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
     @state()
     scriptElement?: HTMLScriptElement;
 
+    @property({ type: Boolean })
+    embedded = false;
+
+    @property()
+    onTokenChange: (token: string) => void = (token) => {
+        this.host?.submit({
+            token: token,
+        });
+    };
+
     constructor() {
         super();
         this.captchaContainer = document.createElement("div");
@@ -102,11 +112,7 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
         grecaptcha.ready(() => {
             const captchaId = grecaptcha.render(this.captchaContainer, {
                 sitekey: this.challenge.siteKey,
-                callback: (token) => {
-                    this.host?.submit({
-                        token: token,
-                    });
-                },
+                callback: this.onTokenChange,
                 size: "invisible",
             });
             grecaptcha.execute(captchaId);
@@ -122,12 +128,8 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
         document.body.appendChild(this.captchaContainer);
         const captchaId = hcaptcha.render(this.captchaContainer, {
             sitekey: this.challenge.siteKey,
+            callback: this.onTokenChange,
             size: "invisible",
-            callback: (token) => {
-                this.host?.submit({
-                    token: token,
-                });
-            },
         });
         hcaptcha.execute(captchaId);
         return true;
@@ -141,11 +143,7 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
         document.body.appendChild(this.captchaContainer);
         (window as unknown as TurnstileWindow).turnstile.render(`#${captchaContainerID}`, {
             sitekey: this.challenge.siteKey,
-            callback: (token) => {
-                this.host?.submit({
-                    token: token,
-                });
-            },
+            callback: this.onTokenChange,
         });
         return true;
     }
@@ -157,10 +155,16 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
         if (this.captchaInteractive) {
             return html`${this.captchaContainer}`;
         }
+        if (this.embedded) {
+            return html``;
+        }
         return html`<ak-empty-state loading header=${msg("Verifying...")}></ak-empty-state>`;
     }
 
     render(): TemplateResult {
+        if (this.embedded) {
+            return this.renderBody();
+        }
         if (!this.challenge) {
             return html`<ak-empty-state loading> </ak-empty-state>`;
         }
diff --git a/web/src/flow/stages/identification/IdentificationStage.ts b/web/src/flow/stages/identification/IdentificationStage.ts
index d0afed5a27db..dcb87b96c8b8 100644
--- a/web/src/flow/stages/identification/IdentificationStage.ts
+++ b/web/src/flow/stages/identification/IdentificationStage.ts
@@ -4,10 +4,11 @@ import "@goauthentik/elements/EmptyState";
 import "@goauthentik/elements/forms/FormElement";
 import "@goauthentik/flow/components/ak-flow-password-input.js";
 import { BaseStage } from "@goauthentik/flow/stages/base";
+import "@goauthentik/flow/stages/captcha/CaptchaStage";
 
 import { msg, str } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, css, html, nothing } from "lit";
-import { customElement } from "lit/decorators.js";
+import { customElement, state } from "lit/decorators.js";
 
 import PFAlert from "@patternfly/patternfly/components/Alert/alert.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
@@ -46,6 +47,9 @@ export class IdentificationStage extends BaseStage<
 > {
     form?: HTMLFormElement;
 
+    @state()
+    token = "";
+
     static get styles(): CSSResult[] {
         return [
             PFBase,
@@ -274,6 +278,18 @@ export class IdentificationStage extends BaseStage<
                   `
                 : nothing}
             ${this.renderNonFieldErrors()}
+            ${this.challenge.captchaStage
+                ? html`
+                      <input name="token" type="hidden" .value="${this.token}" />
+                      <ak-stage-captcha
+                          embedded
+                          .challenge=${this.challenge.captchaStage}
+                          .onTokenChange=${(token: string) => {
+                              this.token = token;
+                          }}
+                      ></ak-stage-captcha>
+                  `
+                : nothing}
             <div class="pf-c-form__group pf-m-action">
                 <button type="submit" class="pf-c-button pf-m-primary pf-m-block">
                     ${this.challenge.primaryAction}
diff --git a/website/docs/add-secure-apps/flows-stages/stages/identification/index.md b/website/docs/add-secure-apps/flows-stages/stages/identification/index.md
index 5bbe682782f3..42de51935ab4 100644
--- a/website/docs/add-secure-apps/flows-stages/stages/identification/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/identification/index.md
@@ -16,7 +16,11 @@ Select which fields the user can use to identify themselves. Multiple fields can
 
 ## Password stage
 
-To prompt users for their password on the same step as identifying themselves, a password stage can be selected here. If a password stage is selected in the Identification stage, the password stage should not be bound to the flow.
+To prompt users for their password on the same step as identifying themselves, a Password stage can be selected here. If a Password stage is selected in the Identification stage, the Password stage should not be bound to the flow.
+
+## Captcha stage
+
+To run a captcha in the background while the user is inputting their identification, a Captcha stage can be selected here. If a Captcha stage is selected in the Identification stage, the Captcha stage should not be bound to the flow.
 
 ## Enrollment/Recovery Flow
 

From 47f5a85cbde1eec53065b7586e6e7a80b1393bd6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Fri, 18 Oct 2024 09:52:53 +0200
Subject: [PATCH 02/14] simplify component invocations

---
 .../identification/IdentificationStageForm.ts | 40 +++++++------------
 1 file changed, 14 insertions(+), 26 deletions(-)

diff --git a/web/src/admin/stages/identification/IdentificationStageForm.ts b/web/src/admin/stages/identification/IdentificationStageForm.ts
index 835b3d4803e8..55e35da2da4b 100644
--- a/web/src/admin/stages/identification/IdentificationStageForm.ts
+++ b/web/src/admin/stages/identification/IdentificationStageForm.ts
@@ -141,19 +141,13 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
                                 ).stagesPasswordList(args);
                                 return stages.results;
                             }}
-                            .groupBy=${(items: Stage[]) => {
-                                return groupBy(items, (stage) => stage.verboseNamePlural);
-                            }}
-                            .renderElement=${(stage: Stage): string => {
-                                return stage.name;
-                            }}
-                            .value=${(stage: Stage | undefined): string | undefined => {
-                                return stage?.pk;
-                            }}
-                            .selected=${(stage: Stage): boolean => {
-                                return stage.pk === this.instance?.passwordStage;
-                            }}
-                            ?blankable=${true}
+                            .groupBy=${(items: Stage[]) =>
+                                groupBy(items, (stage) => stage.verboseNamePlural)}
+                            .renderElement=${(stage: Stage): string => stage.name}
+                            .value=${(stage: Stage | undefined): string | undefined => stage?.pk}
+                            .selected=${(stage: Stage): boolean =>
+                                stage.pk === this.instance?.passwordStage}
+                            blankable
                         >
                         </ak-search-select>
                         <p class="pf-c-form__helper-text">
@@ -176,19 +170,13 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
                                 ).stagesCaptchaList(args);
                                 return stages.results;
                             }}
-                            .groupBy=${(items: Stage[]) => {
-                                return groupBy(items, (stage) => stage.verboseNamePlural);
-                            }}
-                            .renderElement=${(stage: Stage): string => {
-                                return stage.name;
-                            }}
-                            .value=${(stage: Stage | undefined): string | undefined => {
-                                return stage?.pk;
-                            }}
-                            .selected=${(stage: Stage): boolean => {
-                                return stage.pk === this.instance?.captchaStage;
-                            }}
-                            ?blankable=${true}
+                            .groupBy=${(items: Stage[]) =>
+                                groupBy(items, (stage) => stage.verboseNamePlural)}
+                            .renderElement=${(stage: Stage): string => stage.name}
+                            .value=${(stage: Stage | undefined): string | undefined => stage?.pk}
+                            .selected=${(stage: Stage): boolean =>
+                                stage.pk === this.instance?.captchaStage}
+                            blankable
                         >
                         </ak-search-select>
                         <p class="pf-c-form__helper-text">

From c2230479a72db734906c91655d7153f866fe5c41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Fri, 18 Oct 2024 09:54:36 +0200
Subject: [PATCH 03/14] fail fast on `onTokenChange` default behavior

---
 web/src/flow/FlowExecutor.ts                | 2 ++
 web/src/flow/stages/captcha/CaptchaStage.ts | 7 +++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/web/src/flow/FlowExecutor.ts b/web/src/flow/FlowExecutor.ts
index 4dcf5c6f9bbe..021fe5d799c5 100644
--- a/web/src/flow/FlowExecutor.ts
+++ b/web/src/flow/FlowExecutor.ts
@@ -308,6 +308,8 @@ export class FlowExecutor extends Interface implements StageHost {
                 return html`<ak-stage-captcha
                     .host=${this as StageHost}
                     .challenge=${this.challenge}
+                    .onTokenChange=${(token: string) =>
+                        this.submit({ component: "ak-stage-captcha", token })}
                 ></ak-stage-captcha>`;
             case "ak-stage-consent":
                 await import("@goauthentik/flow/stages/consent/ConsentStage");
diff --git a/web/src/flow/stages/captcha/CaptchaStage.ts b/web/src/flow/stages/captcha/CaptchaStage.ts
index 5ea263d8013e..1c6c448e5fd3 100644
--- a/web/src/flow/stages/captcha/CaptchaStage.ts
+++ b/web/src/flow/stages/captcha/CaptchaStage.ts
@@ -22,6 +22,7 @@ import { CaptchaChallenge, CaptchaChallengeResponseRequest } from "@goauthentik/
 interface TurnstileWindow extends Window {
     turnstile: TurnstileObject;
 }
+type TokenHandler = (token: string) => void;
 
 const captchaContainerID = "captcha-container";
 
@@ -49,10 +50,8 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
     embedded = false;
 
     @property()
-    onTokenChange: (token: string) => void = (token) => {
-        this.host?.submit({
-            token: token,
-        });
+    onTokenChange: TokenHandler = (_token: string) => {
+        throw new Error("Client failed to supply a handling function to CaptchaStage");
     };
 
     constructor() {

From e523618c4401ae5fe3b4edb3dfece2ad17c14193 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Fri, 18 Oct 2024 09:54:53 +0200
Subject: [PATCH 04/14] reword docs

---
 .../add-secure-apps/flows-stages/stages/identification/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/website/docs/add-secure-apps/flows-stages/stages/identification/index.md b/website/docs/add-secure-apps/flows-stages/stages/identification/index.md
index 42de51935ab4..fff9e4939b70 100644
--- a/website/docs/add-secure-apps/flows-stages/stages/identification/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/identification/index.md
@@ -20,7 +20,7 @@ To prompt users for their password on the same step as identifying themselves, a
 
 ## Captcha stage
 
-To run a captcha in the background while the user is inputting their identification, a Captcha stage can be selected here. If a Captcha stage is selected in the Identification stage, the Captcha stage should not be bound to the flow.
+To run a captcha in the background while the user is entering their identification, a Captcha stage can be selected here. If a Captcha stage is selected in the Identification stage, the Captcha stage should not be bound to the flow.
 
 ## Enrollment/Recovery Flow
 

From 069e63d6503d8bd0a5461da128eea56b7817445e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Fri, 18 Oct 2024 16:13:55 +0200
Subject: [PATCH 05/14] rename `token` to `captcha_token` in Identification
 stage contexts

(In Captcha stage contexts the name `token` seems well-scoped.)
---
 authentik/stages/identification/stage.py                  | 8 ++++----
 authentik/stages/identification/tests.py                  | 4 ++--
 schema.yml                                                | 2 +-
 web/src/flow/stages/identification/IdentificationStage.ts | 6 +++---
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/authentik/stages/identification/stage.py b/authentik/stages/identification/stage.py
index 50fbc16238e8..1d2dfe8cab4f 100644
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@@ -93,7 +93,7 @@ class IdentificationChallengeResponse(ChallengeResponse):
 
     uid_field = CharField()
     password = CharField(required=False, allow_blank=True, allow_null=True)
-    token = CharField(required=False, allow_blank=True, allow_null=True)
+    captcha_token = CharField(required=False, allow_blank=True, allow_null=True)
     component = CharField(default="ak-stage-identification")
 
     pre_user: User | None = None
@@ -143,10 +143,10 @@ def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
 
         # Captcha check
         if captcha_stage := current_stage.captcha_stage:
-            token = attrs.get("token", None)
-            if not token:
+            captcha_token = attrs.get("captcha_token", None)
+            if not captcha_token:
                 self.stage.logger.warning("Token not set for captcha attempt")
-            verify_captcha_token(captcha_stage, token, client_ip)
+            verify_captcha_token(captcha_stage, captcha_token, client_ip)
 
         # Password check
         if not current_stage.password_stage:
diff --git a/authentik/stages/identification/tests.py b/authentik/stages/identification/tests.py
index 6f905feb4f3e..5294de88c8f7 100644
--- a/authentik/stages/identification/tests.py
+++ b/authentik/stages/identification/tests.py
@@ -155,7 +155,7 @@ def test_valid_with_captcha(self, mock: Mocker):
         self.stage.captcha_stage = captcha_stage
         self.stage.save()
 
-        form_data = {"uid_field": self.user.email, "token": "PASSED"}
+        form_data = {"uid_field": self.user.email, "captcha_token": "PASSED"}
         url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         response = self.client.post(url, form_data)
         self.assertEqual(response.status_code, 200)
@@ -183,7 +183,7 @@ def test_invalid_with_captcha(self, mock: Mocker):
 
         form_data = {
             "uid_field": self.user.email,
-            "token": "FAILED",
+            "captcha_token": "FAILED",
         }
         url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         response = self.client.post(url, form_data)
diff --git a/schema.yml b/schema.yml
index d01dacfd842f..976379f77e08 100644
--- a/schema.yml
+++ b/schema.yml
@@ -40603,7 +40603,7 @@ components:
         password:
           type: string
           nullable: true
-        token:
+        captcha_token:
           type: string
           nullable: true
       required:
diff --git a/web/src/flow/stages/identification/IdentificationStage.ts b/web/src/flow/stages/identification/IdentificationStage.ts
index dcb87b96c8b8..e84eb6180e95 100644
--- a/web/src/flow/stages/identification/IdentificationStage.ts
+++ b/web/src/flow/stages/identification/IdentificationStage.ts
@@ -48,7 +48,7 @@ export class IdentificationStage extends BaseStage<
     form?: HTMLFormElement;
 
     @state()
-    token = "";
+    captchaToken = "";
 
     static get styles(): CSSResult[] {
         return [
@@ -280,12 +280,12 @@ export class IdentificationStage extends BaseStage<
             ${this.renderNonFieldErrors()}
             ${this.challenge.captchaStage
                 ? html`
-                      <input name="token" type="hidden" .value="${this.token}" />
+                      <input name="captchaToken" type="hidden" .value="${this.captchaToken}" />
                       <ak-stage-captcha
                           embedded
                           .challenge=${this.challenge.captchaStage}
                           .onTokenChange=${(token: string) => {
-                              this.token = token;
+                              this.captchaToken = token;
                           }}
                       ></ak-stage-captcha>
                   `

From e21c5ec7f407d63c36616aee7b9412d53eafe21d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Fri, 18 Oct 2024 17:13:24 +0200
Subject: [PATCH 06/14] use `nothing` instead of ``` html`` ```

---
 web/src/flow/stages/captcha/CaptchaStage.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/web/src/flow/stages/captcha/CaptchaStage.ts b/web/src/flow/stages/captcha/CaptchaStage.ts
index 1c6c448e5fd3..ae3d9ad1398a 100644
--- a/web/src/flow/stages/captcha/CaptchaStage.ts
+++ b/web/src/flow/stages/captcha/CaptchaStage.ts
@@ -6,7 +6,7 @@ import { BaseStage } from "@goauthentik/flow/stages/base";
 import type { TurnstileObject } from "turnstile-types";
 
 import { msg } from "@lit/localize";
-import { CSSResult, PropertyValues, TemplateResult, html } from "lit";
+import { CSSResult, PropertyValues, html, nothing } from "lit";
 import { customElement, property, state } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
@@ -147,7 +147,7 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
         return true;
     }
 
-    renderBody(): TemplateResult {
+    renderBody() {
         if (this.error) {
             return html`<ak-empty-state icon="fa-times" header=${this.error}> </ak-empty-state>`;
         }
@@ -155,12 +155,12 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
             return html`${this.captchaContainer}`;
         }
         if (this.embedded) {
-            return html``;
+            return nothing;
         }
         return html`<ak-empty-state loading header=${msg("Verifying...")}></ak-empty-state>`;
     }
 
-    render(): TemplateResult {
+    render() {
         if (this.embedded) {
             return this.renderBody();
         }

From ef0604f6035e072b35b2b61ef2396b12e577885b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Tue, 22 Oct 2024 16:58:44 +0200
Subject: [PATCH 07/14] remove rendered Captcha component from document flow on
 Identification stages

Note: this doesn't remove the captcha itself, if interactive, only the loading
indicator.
---
 web/src/flow/stages/captcha/CaptchaStage.ts           | 11 +----------
 .../flow/stages/identification/IdentificationStage.ts |  2 +-
 2 files changed, 2 insertions(+), 11 deletions(-)

diff --git a/web/src/flow/stages/captcha/CaptchaStage.ts b/web/src/flow/stages/captcha/CaptchaStage.ts
index ae3d9ad1398a..c2df58a5cc21 100644
--- a/web/src/flow/stages/captcha/CaptchaStage.ts
+++ b/web/src/flow/stages/captcha/CaptchaStage.ts
@@ -6,7 +6,7 @@ import { BaseStage } from "@goauthentik/flow/stages/base";
 import type { TurnstileObject } from "turnstile-types";
 
 import { msg } from "@lit/localize";
-import { CSSResult, PropertyValues, html, nothing } from "lit";
+import { CSSResult, PropertyValues, html } from "lit";
 import { customElement, property, state } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
@@ -46,9 +46,6 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
     @state()
     scriptElement?: HTMLScriptElement;
 
-    @property({ type: Boolean })
-    embedded = false;
-
     @property()
     onTokenChange: TokenHandler = (_token: string) => {
         throw new Error("Client failed to supply a handling function to CaptchaStage");
@@ -154,16 +151,10 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
         if (this.captchaInteractive) {
             return html`${this.captchaContainer}`;
         }
-        if (this.embedded) {
-            return nothing;
-        }
         return html`<ak-empty-state loading header=${msg("Verifying...")}></ak-empty-state>`;
     }
 
     render() {
-        if (this.embedded) {
-            return this.renderBody();
-        }
         if (!this.challenge) {
             return html`<ak-empty-state loading> </ak-empty-state>`;
         }
diff --git a/web/src/flow/stages/identification/IdentificationStage.ts b/web/src/flow/stages/identification/IdentificationStage.ts
index e84eb6180e95..0983928eaad3 100644
--- a/web/src/flow/stages/identification/IdentificationStage.ts
+++ b/web/src/flow/stages/identification/IdentificationStage.ts
@@ -282,7 +282,7 @@ export class IdentificationStage extends BaseStage<
                 ? html`
                       <input name="captchaToken" type="hidden" .value="${this.captchaToken}" />
                       <ak-stage-captcha
-                          embedded
+                          style="visibility: hidden; position:absolute;"
                           .challenge=${this.challenge.captchaStage}
                           .onTokenChange=${(token: string) => {
                               this.captchaToken = token;

From 78dca3a0bdc46384c12f9b55f1e8a870d2a0bed9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Tue, 22 Oct 2024 17:06:27 +0200
Subject: [PATCH 08/14] add invisible requirement to captcha on Identification
 stage

---
 .../flows-stages/stages/identification/index.md               | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/website/docs/add-secure-apps/flows-stages/stages/identification/index.md b/website/docs/add-secure-apps/flows-stages/stages/identification/index.md
index fff9e4939b70..b5de5de150f2 100644
--- a/website/docs/add-secure-apps/flows-stages/stages/identification/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/identification/index.md
@@ -20,6 +20,10 @@ To prompt users for their password on the same step as identifying themselves, a
 
 ## Captcha stage
 
+:::warning
+The Captcha stage you use must be configured to use the "Invisible" mode, otherwise the widget will be rendered incorrectly.
+:::
+
 To run a captcha in the background while the user is entering their identification, a Captcha stage can be selected here. If a Captcha stage is selected in the Identification stage, the Captcha stage should not be bound to the flow.
 
 ## Enrollment/Recovery Flow

From 1a0ef469ec8f7cbba0c80c02e3aa578b0b61abb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Tue, 22 Oct 2024 17:08:29 +0200
Subject: [PATCH 09/14] stylize docs

---
 .../flows-stages/stages/identification/index.md             | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/website/docs/add-secure-apps/flows-stages/stages/identification/index.md b/website/docs/add-secure-apps/flows-stages/stages/identification/index.md
index b5de5de150f2..d759cbbcbae3 100644
--- a/website/docs/add-secure-apps/flows-stages/stages/identification/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/identification/index.md
@@ -18,13 +18,13 @@ Select which fields the user can use to identify themselves. Multiple fields can
 
 To prompt users for their password on the same step as identifying themselves, a Password stage can be selected here. If a Password stage is selected in the Identification stage, the Password stage should not be bound to the flow.
 
-## Captcha stage
+## CAPTCHA stage
 
 :::warning
-The Captcha stage you use must be configured to use the "Invisible" mode, otherwise the widget will be rendered incorrectly.
+The CAPTCHA stage you use must be configured to use the "Invisible" mode, otherwise the widget will be rendered incorrectly.
 :::
 
-To run a captcha in the background while the user is entering their identification, a Captcha stage can be selected here. If a Captcha stage is selected in the Identification stage, the Captcha stage should not be bound to the flow.
+To run a CAPTCHA process in the background while the user is entering their identification, a CAPTCHA stage can be selected here. If a CAPTCHA stage is selected in the Identification stage, the CAPTCHA stage should not be bound to the flow.
 
 ## Enrollment/Recovery Flow
 

From 23279310cd925d5b1c5ca265b496ca4823247932 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Tue, 22 Oct 2024 17:55:13 +0200
Subject: [PATCH 10/14] add friendlier error messages to Captcha stage

---
 authentik/stages/captcha/stage.py | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/authentik/stages/captcha/stage.py b/authentik/stages/captcha/stage.py
index 8b9018de229a..d3edc0d7f659 100644
--- a/authentik/stages/captcha/stage.py
+++ b/authentik/stages/captcha/stage.py
@@ -1,7 +1,7 @@
 """authentik captcha stage"""
 
 from django.http.response import HttpResponse
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext as _
 from requests import RequestException
 from rest_framework.fields import CharField
 from rest_framework.serializers import ValidationError
@@ -27,6 +27,22 @@ class CaptchaChallenge(WithUserInfoChallenge):
     component = CharField(default="ak-stage-captcha")
 
 
+def get_friendly_captcha_error(error: str) -> str:
+    match error:
+        case "missing-input-secret":
+            return _("Secret was not provided. This is likely a misconfiguration error.")
+        case "invalid-input-secret":
+            return _("Secret was invalid. This is likely a misconfiguration error.")
+        case "missing-input-response":
+            return _("Client response was not provided. Try again.")
+        case "invalid-input-response":
+            return _("Client response was invalid. Try again.")
+        case "timeout-or-duplicate":
+            return _("Client response has timed out or was already used. Try again.")
+
+    return _("Unknown error")
+
+
 def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str):
     """Validate captcha token"""
     try:
@@ -45,10 +61,11 @@ def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str):
         data = response.json()
         if stage.error_on_invalid_score:
             if not data.get("success", False):
+                error_codes = data.get("error-codes")
                 raise ValidationError(
                     _(
-                        "Failed to validate token: {error}".format(
-                            error=data.get("error-codes", _("Unknown error"))
+                        "Invalid captcha response: {error}".format(
+                            error="".join(map(get_friendly_captcha_error, error_codes))
                         )
                     )
                 )

From f58c7407c24b6d3efaee2cdedf6e190fcfb68762 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Tue, 22 Oct 2024 18:29:07 +0200
Subject: [PATCH 11/14] fix tests

---
 authentik/stages/captcha/stage.py        | 2 +-
 authentik/stages/identification/tests.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/authentik/stages/captcha/stage.py b/authentik/stages/captcha/stage.py
index d3edc0d7f659..05949652f708 100644
--- a/authentik/stages/captcha/stage.py
+++ b/authentik/stages/captcha/stage.py
@@ -61,7 +61,7 @@ def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str):
         data = response.json()
         if stage.error_on_invalid_score:
             if not data.get("success", False):
-                error_codes = data.get("error-codes")
+                error_codes = data.get("error-codes", ["Unknown error"])
                 raise ValidationError(
                     _(
                         "Invalid captcha response: {error}".format(
diff --git a/authentik/stages/identification/tests.py b/authentik/stages/identification/tests.py
index 5294de88c8f7..5fdbcac48885 100644
--- a/authentik/stages/identification/tests.py
+++ b/authentik/stages/identification/tests.py
@@ -195,7 +195,7 @@ def test_invalid_with_captcha(self, mock: Mocker):
             primary_action="Log in",
             response_errors={
                 "non_field_errors": [
-                    {"code": "invalid", "string": "Failed to validate token: Unknown error"}
+                    {"code": "invalid", "string": "Invalid captcha response: Unknown error"}
                 ]
             },
             sources=[

From 51055c1f1d2bb6e351db4d970fc1645184a00549 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Wed, 23 Oct 2024 10:23:40 +0200
Subject: [PATCH 12/14] make captcha error messages even friendlier

---
 authentik/stages/captcha/stage.py        | 46 ++++++++++++------------
 authentik/stages/identification/tests.py |  4 +--
 2 files changed, 23 insertions(+), 27 deletions(-)

diff --git a/authentik/stages/captcha/stage.py b/authentik/stages/captcha/stage.py
index 05949652f708..73bcff5dec15 100644
--- a/authentik/stages/captcha/stage.py
+++ b/authentik/stages/captcha/stage.py
@@ -5,6 +5,7 @@
 from requests import RequestException
 from rest_framework.fields import CharField
 from rest_framework.serializers import ValidationError
+from structlog.stdlib import get_logger
 
 from authentik.flows.challenge import (
     Challenge,
@@ -16,6 +17,7 @@
 from authentik.root.middleware import ClientIPMiddleware
 from authentik.stages.captcha.models import CaptchaStage
 
+LOGGER = get_logger()
 PLAN_CONTEXT_CAPTCHA = "captcha"
 
 
@@ -27,22 +29,6 @@ class CaptchaChallenge(WithUserInfoChallenge):
     component = CharField(default="ak-stage-captcha")
 
 
-def get_friendly_captcha_error(error: str) -> str:
-    match error:
-        case "missing-input-secret":
-            return _("Secret was not provided. This is likely a misconfiguration error.")
-        case "invalid-input-secret":
-            return _("Secret was invalid. This is likely a misconfiguration error.")
-        case "missing-input-response":
-            return _("Client response was not provided. Try again.")
-        case "invalid-input-response":
-            return _("Client response was invalid. Try again.")
-        case "timeout-or-duplicate":
-            return _("Client response has timed out or was already used. Try again.")
-
-    return _("Unknown error")
-
-
 def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str):
     """Validate captcha token"""
     try:
@@ -61,14 +47,26 @@ def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str):
         data = response.json()
         if stage.error_on_invalid_score:
             if not data.get("success", False):
-                error_codes = data.get("error-codes", ["Unknown error"])
-                raise ValidationError(
-                    _(
-                        "Invalid captcha response: {error}".format(
-                            error="".join(map(get_friendly_captcha_error, error_codes))
-                        )
-                    )
-                )
+                error_codes = data.get("error-codes", ["unknown-error"])
+                LOGGER.warning("Failed to verify captcha token", error_codes=error_codes)
+
+                # These cases can usually be fixed by simply requesting a new token and retrying.
+                # [reCAPTCHA](https://developers.google.com/recaptcha/docs/verify#error_code_reference)
+                # [hCaptcha](https://docs.hcaptcha.com/#siteverify-error-codes-table)
+                # [Turnstile](https://developers.cloudflare.com/turnstile/get-started/server-side-validation/#error-codes)
+                retriable_error_codes = [
+                    "missing-input-response",
+                    "invalid-input-response",
+                    "timeout-or-duplicate",
+                    "expired-input-response",
+                    "already-seen-response",
+                ]
+
+                if set(error_codes).issubset(set(retriable_error_codes)):
+                    error_message = _("Invalid captcha response. Retrying may solve this issue.")
+                else:
+                    error_message = _("Invalid captcha response")
+                raise ValidationError(error_message)
             if "score" in data:
                 score = float(data.get("score"))
                 if stage.score_max_threshold > -1 and score > stage.score_max_threshold:
diff --git a/authentik/stages/identification/tests.py b/authentik/stages/identification/tests.py
index 5fdbcac48885..a5244fd3cc5b 100644
--- a/authentik/stages/identification/tests.py
+++ b/authentik/stages/identification/tests.py
@@ -194,9 +194,7 @@ def test_invalid_with_captcha(self, mock: Mocker):
             password_fields=False,
             primary_action="Log in",
             response_errors={
-                "non_field_errors": [
-                    {"code": "invalid", "string": "Invalid captcha response: Unknown error"}
-                ]
+                "non_field_errors": [{"code": "invalid", "string": "Invalid captcha response"}]
             },
             sources=[
                 {

From a4503247741bfee100471908fae9f9415a134a93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <gergo@goauthentik.io>
Date: Wed, 23 Oct 2024 10:33:09 +0200
Subject: [PATCH 13/14] add test case to retriable captcha

---
 authentik/stages/identification/tests.py | 55 ++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/authentik/stages/identification/tests.py b/authentik/stages/identification/tests.py
index a5244fd3cc5b..c39434e24af4 100644
--- a/authentik/stages/identification/tests.py
+++ b/authentik/stages/identification/tests.py
@@ -210,6 +210,61 @@ def test_invalid_with_captcha(self, mock: Mocker):
             user_fields=["email"],
         )
 
+    @Mocker()
+    def test_invalid_with_captcha_retriable(self, mock: Mocker):
+        """Test with valid email and invalid captcha token in single step"""
+        mock.post(
+            "https://www.recaptcha.net/recaptcha/api/siteverify",
+            json={
+                "success": False,
+                "score": 0.5,
+                "error-codes": ["timeout-or-duplicate"],
+            },
+        )
+
+        captcha_stage = CaptchaStage.objects.create(
+            name="captcha",
+            public_key=RECAPTCHA_PUBLIC_KEY,
+            private_key=RECAPTCHA_PRIVATE_KEY,
+        )
+
+        self.stage.captcha_stage = captcha_stage
+        self.stage.save()
+
+        form_data = {
+            "uid_field": self.user.email,
+            "captcha_token": "FAILED",
+        }
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        response = self.client.post(url, form_data)
+        self.assertStageResponse(
+            response,
+            self.flow,
+            component="ak-stage-identification",
+            password_fields=False,
+            primary_action="Log in",
+            response_errors={
+                "non_field_errors": [
+                    {
+                        "code": "invalid",
+                        "string": "Invalid captcha response. Retrying may solve this issue.",
+                    }
+                ]
+            },
+            sources=[
+                {
+                    "challenge": {
+                        "component": "xak-flow-redirect",
+                        "to": "/source/oauth/login/test/",
+                    },
+                    "icon_url": "/static/authentik/sources/default.svg",
+                    "name": "test",
+                }
+            ],
+            show_source_labels=False,
+            user_fields=["email"],
+        )
+
     def test_invalid_with_username(self):
         """Test invalid with username (user exists but stage only allows email)"""
         form_data = {"uid_field": self.user.username}

From bf2ae13c52de89306b7babc609b99aa2068ddea2 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens@goauthentik.io>
Date: Thu, 24 Oct 2024 16:03:21 +0200
Subject: [PATCH 14/14] use default

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 web/src/flow/FlowExecutor.ts                | 2 --
 web/src/flow/stages/captcha/CaptchaStage.ts | 4 ++--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/web/src/flow/FlowExecutor.ts b/web/src/flow/FlowExecutor.ts
index 021fe5d799c5..4dcf5c6f9bbe 100644
--- a/web/src/flow/FlowExecutor.ts
+++ b/web/src/flow/FlowExecutor.ts
@@ -308,8 +308,6 @@ export class FlowExecutor extends Interface implements StageHost {
                 return html`<ak-stage-captcha
                     .host=${this as StageHost}
                     .challenge=${this.challenge}
-                    .onTokenChange=${(token: string) =>
-                        this.submit({ component: "ak-stage-captcha", token })}
                 ></ak-stage-captcha>`;
             case "ak-stage-consent":
                 await import("@goauthentik/flow/stages/consent/ConsentStage");
diff --git a/web/src/flow/stages/captcha/CaptchaStage.ts b/web/src/flow/stages/captcha/CaptchaStage.ts
index c2df58a5cc21..af37ab383c64 100644
--- a/web/src/flow/stages/captcha/CaptchaStage.ts
+++ b/web/src/flow/stages/captcha/CaptchaStage.ts
@@ -47,8 +47,8 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
     scriptElement?: HTMLScriptElement;
 
     @property()
-    onTokenChange: TokenHandler = (_token: string) => {
-        throw new Error("Client failed to supply a handling function to CaptchaStage");
+    onTokenChange: TokenHandler = (token: string) => {
+        this.host.submit({ component: "ak-stage-captcha", token });
     };
 
     constructor() {