
Cloud Armor + Recaptcha with domain validation


I am trying to configure reCAPTCHA Enterprise with WAF using Cloud Armor (with action tokens), but I have a problem: the Cloud Armor rule that validates the token/score never gets triggered if domain validation is enabled on the reCAPTCHA key. I have a very simple Cloud Armor policy:

(screenshot: Cloud Armor rules)

And the reCAPTCHA key looks like a normal key with the WAF enabled: (screenshot: reCAPTCHA key)

To get the token I just have a simple localhost site that runs the Enterprise SDK and sends the token in the X-Recaptcha-Token header.

My problem is that, when "Disable domain verification" is off, the Cloud Armor rules are never triggered (and from the LB logs it seems that the token does not even appear), so only the deny-all rule is triggered. But as soon as I enable "Disable domain verification", the rules are correctly triggered and the logs show the score of the token.

Does anyone know what could be happening?

Some more info about my setup: the WAF is protecting an API that's running on Cloud Run (which is configured as a backend service inside the load balancer).

I also created an issue on the issue tracker here.
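For readers reproducing this setup, the following script is an added example and is not code from the question or the answer. It creates the two-rule Cloud Armor policy the question describes (a rule that evaluates the reCAPTCHA action token score, plus the deny-all default rule) and shows the request shape with the X-Recaptcha-Token header. The policy name, site key and score threshold are assumed placeholders; with domain verification left enabled on the key, the token rule is never evaluated, as the question reports, so the deny-all rule is the one that fires.

```shell
#!/bin/sh
# Added example (not from the question or answer). Assumed names:
#   POLICY    - Cloud Armor security policy name (placeholder)
#   SITE_KEY  - reCAPTCHA Enterprise WAF site key (placeholder, replace it)
#   MIN_SCORE - score threshold below which traffic is denied
# Nothing is executed against gcloud unless APPLY=1 is set; otherwise the
# commands are printed so the rule shapes can be reviewed first.
set -eu

POLICY="${POLICY:-recaptcha-policy}"
SITE_KEY="${SITE_KEY:-REPLACE_WITH_WAF_SITE_KEY}"
MIN_SCORE="${MIN_SCORE:-0.5}"

# Either runs the command (APPLY=1) or prints it (dry run).
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# CEL expression Cloud Armor evaluates against the action token carried in
# the X-Recaptcha-Token header; requests at or above the threshold are allowed.
allow_expression() {
  printf 'token.recaptcha_action.score >= %s' "$1"
}

# Creates the policy rules: one allow rule keyed to the WAF site key, and the
# built-in default rule (priority 2147483647) turned into the deny-all.
create_rules() {
  run gcloud compute security-policies rules create 1000 \
    --security-policy="$POLICY" \
    --expression="$(allow_expression "$MIN_SCORE")" \
    --action=allow \
    --recaptcha-action-site-keys="$SITE_KEY"
  run gcloud compute security-policies rules update 2147483647 \
    --security-policy="$POLICY" \
    --action=deny-403
}

# Sends one request the way the localhost client does: the token obtained from
# grecaptcha.enterprise.execute() goes in the X-Recaptcha-Token header.
# Prints the HTTP status so a 403 from the deny-all rule is easy to spot.
request_with_token() {
  url="$1"
  token="$2"
  curl -sS -o /dev/null -w '%{http_code}' -H "X-Recaptcha-Token: $token" "$url"
}

# Usage: ./script.sh rules            (dry run; add APPLY=1 to execute)
#        ./script.sh request URL TOKEN
case "${1:-}" in
  rules)   create_rules ;;
  request) request_with_token "$2" "$3" ;;
esac
```

Check the load balancer logs after a request: when the token rule is evaluated, the log entry carries the token score; when it is not, only the deny-all rule appears, which matches the symptom described in the question.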


Solution

  • As mentioned by Siegfred (thank you very much!), this is a missing feature in the integration between reCAPTCHA Enterprise and Cloud Armor, and currently the only way to integrate them is by disabling the domain verification in the reCAPTCHA Enterprise panel.

    As he mentioned, this is a feature that should be developed (and it's currently under internal discussion); hopefully they'll release it in the near future. It's also worth mentioning that there should be a revisit of the documentation to avoid any misunderstanding, as this behavior is not mentioned explicitly.

    There is still the issue I created on Google's issue tracker here, so you can check from time to time to see if there is any news.