Google Sign in usage: Difference between revisions

From VoIPmonitor.org
(Rewrite: konsolidace a vylepšení struktury - kompaktnější formát s tabulkami)
 
(9 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{DISPLAYTITLE:How to Set Up Google Sign-In (OAuth)}}
'''Enable users to log into VoIPmonitor GUI using their Google accounts via OAuth 2.0.'''
== Overview ==
Google Sign-In maps a user's Google email to a VoIPmonitor profile to assign permissions. The matching logic:
# '''Direct Email Match:''' Username matches the Google email exactly.
# '''Secure Users List:''' Email found in "Gmail emails" field under user's "Secure users" tab.
# '''Default Fallback:''' User marked as "Default Google Sign-In email" receives all unmatched logins.
<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 40}}}%%
flowchart TD
    A[User clicks Google Sign-In] --> B[Google OAuth]
    B --> C{Direct Email Match?}
    C -->|Yes| D[Use matched user]
    C -->|No| E{In Secure Users list?}
    E -->|Yes| F[Use that profile]
    E -->|No| G{Default user exists?}
    G -->|Yes| H[Use default user]
    G -->|No| I[Login denied]
</kroki>
== Configuration ==
== Configuration ==


* it's disabled by default
=== Step 1: Create Google OAuth Credentials ===
 
# Go to [https://console.cloud.google.com/apis/credentials Google Cloud Console > APIs & Credentials]
# Click '''+ CREATE CREDENTIALS''' → '''OAuth client ID'''
# Configure:
#* '''Application type:''' Web application
#* '''Name:''' e.g., "VoIPmonitor GUI Login"
#* '''Authorized JavaScript origins:''' Your GUI URL (e.g., <code>https://voipmonitor.example.com</code>)
#* '''Authorized redirect URIs:''' Same as above (optional but recommended)
# Copy the generated '''Client ID'''


* you can enable it in the 'Settings->System configuration->Enable Google Sign in' with Voipmonitor's OAuth2.0 client ID as a default.
{{Warning|1=The '''Authorized JavaScript origins''' URL must exactly match your GUI URL, including <code>https://</code>. This is the most common cause of login failures.}}


* the client ID can be changed in the 'Settings->System configuration->Google client ID for Google Sign in'
=== Step 2: Configure VoIPmonitor GUI ===


* the G button can be disabled in the 'Settings->System configuration->Don't display Google Sign in button'
Navigate to '''Settings System Configuration → Authentication''':


* the Google account's email is used as a key in GUI's user list. So you need to create users in the GUI with the appropriate email and to use the 'Google Sign in' as an authorization engine. The user's permissions are used from the GUI's user setting.
{| class="wikitable"
! Option !! Value !! Description
|-
| Enable Google Sign in || Yes || Activates the feature
|-
| Google client ID || ''your-client-id'' || From Google Cloud Console
|-
| Don't display local login form || Yes/No || Hides username/password form (optional)
|-
| Don't display Google Sign in button || Yes/No || Temporarily hides Google button (optional)
|}


* From the GUI 25.3 is possible to add one or more Google emails into Users -> 'secure users' tab -> Gmail emails. If Google email (returned from auth) is found in this entry then permissions of this user are used.
=== Step 3: Map Users ===


* Next is possible to set one user account as 'Default Google Sign email'. If set then all non-matched Google email will use these account's permissions.
Ensure users exist in '''Settings → Users''' with one of:
* Username matching Google email exactly
* Google email added to user's '''Secure users''' tab → "Gmail emails" field
* One user designated as '''Default Google Sign-In email''' (Basic data tab)


== Usage ==
== Troubleshooting ==


* click on the G button an do auth
{| class="wikitable"
! Problem !! Cause !! Solution
|-
| '''Blank window after clicking Sign-In''' || Incorrect "Authorized JavaScript origins" in Google Console || Verify URL matches exactly, including <code>https://</code>
|-
| '''Unable to log in or set password''' || Account configuration issues (common with Cloud Trial) || Create a new user account instead
|-
| '''SSO fails behind reverse proxy''' (AWS ALB, Nginx) || Proxy terminates SSL, GUI sees HTTP || Add header: <code>proxy_set_header X-Forwarded-Proto $scheme;</code>
|-
| '''Redirect loops''' || Missing protocol header behind proxy || See [[Nginx]] for complete proxy configuration
|}


== Own credential (the fast way how to create own credential) ==
== Advanced: Custom Login Scripts ==


* Your own credentials will you create via https://console.developers.google.com (It supposes you can use the developer console)
Google Sign-In works with custom login scripts:
* VoIPmonitor passes the authenticated email to your script
* Script must return JSON per [[WEB_API#Custom_Login|Custom Login API]]
* GUI-defined users take precedence over script-authenticated users


* API & Service -> credential -> create new credential -> type 'OAuth client ID' -> web application: here you get your client_id which you enter into the GUI.
== See Also ==


* Edit this new credential: Restriction -> Authorized JavaScript origins : set allowed URLs  (now allowed only https:// URLs !!!)
* [[Microsoft_Sign_in_usage]] - Microsoft Entra ID / Azure AD integration
* [[2FA]] - Two-factor authentication
* [[WEB_API#Custom_Login]] - Custom login scripts (LDAP, etc.)
* [[User_Management]] - User account management


* Return to the API -> credentials -> OAuth consent screen : set 'Application type' and 'Authorized domains' (not needed in latest Google console settings)
== AI Summary for RAG ==


'''Summary:''' Guide for integrating Google Sign-In (OAuth 2.0) with VoIPmonitor GUI. User mapping uses three methods: (1) direct email match, (2) "Secure users" Gmail list, (3) default fallback user. Configuration requires creating OAuth client ID in Google Cloud Console with correct "Authorized JavaScript origins" URL (must match exactly including https://), then enabling in GUI under Settings → System Configuration → Authentication. Common issues: blank window (URL mismatch), SSO failures behind reverse proxy (add X-Forwarded-Proto header).


That's all. After that logout from all your services logged with google account a re-login.
'''Keywords:''' google sign-in, oauth, oauth2, login, authentication, sso, single sign-on, client id, google cloud console, authorized javascript origins, user mapping, secure users, default fallback user, gmail, reverse proxy, X-Forwarded-Proto, AWS ALB, redirect loop, nginx proxy


(Of course don't forget to enable the GAuth in the GUI).
'''Key Questions:'''
* How do I enable Google Sign-In for VoIPmonitor GUI?
* How do I create an OAuth client ID in Google Cloud Console?
* Where do I configure the Google Client ID in VoIPmonitor?
* Why do I see a blank window after clicking "Sign in with Google"?
* How does VoIPmonitor map a Google email to a user profile?
* What are the three methods for mapping Google users to VoIPmonitor profiles?
* Can I use Google Sign-In with a custom login script?
* What is the "Authorized JavaScript origins" setting and why is it important?
* Why does Google Sign-In fail behind a reverse proxy or AWS ALB?
* How do I fix redirect loops with Google Sign-In behind Nginx?


== Problems solving ==
[[Category:Authentication]]
* If a blank window opens instead of a GUI login
[[Category:Configuration]]
(take care on settings of "Authorised JavaScript origins" field in GCloud)
[[Category:GUI]]

Latest revision as of 16:47, 8 January 2026


Enable users to log into VoIPmonitor GUI using their Google accounts via OAuth 2.0.

Overview

Google Sign-In maps a user's Google email to a VoIPmonitor profile to assign permissions. The matching logic:

  1. Direct Email Match: Username matches the Google email exactly.
  2. Secure Users List: Email found in "Gmail emails" field under user's "Secure users" tab.
  3. Default Fallback: User marked as "Default Google Sign-In email" receives all unmatched logins.

Configuration

Step 1: Create Google OAuth Credentials

  1. Go to Google Cloud Console > APIs & Credentials
  2. Click + CREATE CREDENTIALSOAuth client ID
  3. Configure:
    • Application type: Web application
    • Name: e.g., "VoIPmonitor GUI Login"
    • Authorized JavaScript origins: Your GUI URL (e.g., https://voipmonitor.example.com)
    • Authorized redirect URIs: Same as above (optional but recommended)
  4. Copy the generated Client ID

⚠️ Warning: The Authorized JavaScript origins URL must exactly match your GUI URL, including https://. This is the most common cause of login failures.

Step 2: Configure VoIPmonitor GUI

Navigate to Settings → System Configuration → Authentication:

Option Value Description
Enable Google Sign in Yes Activates the feature
Google client ID your-client-id From Google Cloud Console
Don't display local login form Yes/No Hides username/password form (optional)
Don't display Google Sign in button Yes/No Temporarily hides Google button (optional)

Step 3: Map Users

Ensure users exist in Settings → Users with one of:

  • Username matching Google email exactly
  • Google email added to user's Secure users tab → "Gmail emails" field
  • One user designated as Default Google Sign-In email (Basic data tab)

Troubleshooting

Problem Cause Solution
Blank window after clicking Sign-In Incorrect "Authorized JavaScript origins" in Google Console Verify URL matches exactly, including https://
Unable to log in or set password Account configuration issues (common with Cloud Trial) Create a new user account instead
SSO fails behind reverse proxy (AWS ALB, Nginx) Proxy terminates SSL, GUI sees HTTP Add header: proxy_set_header X-Forwarded-Proto $scheme;
Redirect loops Missing protocol header behind proxy See Nginx for complete proxy configuration

Advanced: Custom Login Scripts

Google Sign-In works with custom login scripts:

  • VoIPmonitor passes the authenticated email to your script
  • Script must return JSON per Custom Login API
  • GUI-defined users take precedence over script-authenticated users

See Also

AI Summary for RAG

Summary: Guide for integrating Google Sign-In (OAuth 2.0) with VoIPmonitor GUI. User mapping uses three methods: (1) direct email match, (2) "Secure users" Gmail list, (3) default fallback user. Configuration requires creating OAuth client ID in Google Cloud Console with correct "Authorized JavaScript origins" URL (must match exactly including https://), then enabling in GUI under Settings → System Configuration → Authentication. Common issues: blank window (URL mismatch), SSO failures behind reverse proxy (add X-Forwarded-Proto header).

Keywords: google sign-in, oauth, oauth2, login, authentication, sso, single sign-on, client id, google cloud console, authorized javascript origins, user mapping, secure users, default fallback user, gmail, reverse proxy, X-Forwarded-Proto, AWS ALB, redirect loop, nginx proxy

Key Questions:

  • How do I enable Google Sign-In for VoIPmonitor GUI?
  • How do I create an OAuth client ID in Google Cloud Console?
  • Where do I configure the Google Client ID in VoIPmonitor?
  • Why do I see a blank window after clicking "Sign in with Google"?
  • How does VoIPmonitor map a Google email to a user profile?
  • What are the three methods for mapping Google users to VoIPmonitor profiles?
  • Can I use Google Sign-In with a custom login script?
  • What is the "Authorized JavaScript origins" setting and why is it important?
  • Why does Google Sign-In fail behind a reverse proxy or AWS ALB?
  • How do I fix redirect loops with Google Sign-In behind Nginx?
Retrieved from "https://www.voipmonitor.org/doc/index.php?title=Google_Sign_in_usage&oldid=10021"