Google Sign in usage: Difference between revisions

Latest revision as of 16:47, 8 January 2026

Enable users to log into VoIPmonitor GUI using their Google accounts via OAuth 2.0.

Overview

Google Sign-In maps a user's Google email to a VoIPmonitor profile to assign permissions. The matching logic:

Direct Email Match: Username matches the Google email exactly.
Secure Users List: Email found in "Gmail emails" field under user's "Secure users" tab.
Default Fallback: User marked as "Default Google Sign-In email" receives all unmatched logins.

Configuration

Step 1: Create Google OAuth Credentials

Go to Google Cloud Console > APIs & Credentials
Click + CREATE CREDENTIALS → OAuth client ID
Configure:
- Application type: Web application
- Name: e.g., "VoIPmonitor GUI Login"
- Authorized JavaScript origins: Your GUI URL (e.g., https://voipmonitor.example.com)
- Authorized redirect URIs: Same as above (optional but recommended)
Copy the generated Client ID

⚠️ Warning: The Authorized JavaScript origins URL must exactly match your GUI URL, including https://. This is the most common cause of login failures.

Step 2: Configure VoIPmonitor GUI

Navigate to Settings → System Configuration → Authentication:

Option	Value	Description
Enable Google Sign in	Yes	Activates the feature
Google client ID	your-client-id	From Google Cloud Console
Don't display local login form	Yes/No	Hides username/password form (optional)
Don't display Google Sign in button	Yes/No	Temporarily hides Google button (optional)

Step 3: Map Users

Ensure users exist in Settings → Users with one of:

Username matching Google email exactly
Google email added to user's Secure users tab → "Gmail emails" field
One user designated as Default Google Sign-In email (Basic data tab)

Troubleshooting

Problem	Cause	Solution
Blank window after clicking Sign-In	Incorrect "Authorized JavaScript origins" in Google Console	Verify URL matches exactly, including `https://`
Unable to log in or set password	Account configuration issues (common with Cloud Trial)	Create a new user account instead
SSO fails behind reverse proxy (AWS ALB, Nginx)	Proxy terminates SSL, GUI sees HTTP	Add header: `proxy_set_header X-Forwarded-Proto $scheme;`
Redirect loops	Missing protocol header behind proxy	See Nginx for complete proxy configuration

Advanced: Custom Login Scripts

Google Sign-In works with custom login scripts:

VoIPmonitor passes the authenticated email to your script
Script must return JSON per Custom Login API
GUI-defined users take precedence over script-authenticated users

AI Summary for RAG

Summary: Guide for integrating Google Sign-In (OAuth 2.0) with VoIPmonitor GUI. User mapping uses three methods: (1) direct email match, (2) "Secure users" Gmail list, (3) default fallback user. Configuration requires creating OAuth client ID in Google Cloud Console with correct "Authorized JavaScript origins" URL (must match exactly including https://), then enabling in GUI under Settings → System Configuration → Authentication. Common issues: blank window (URL mismatch), SSO failures behind reverse proxy (add X-Forwarded-Proto header).

Keywords: google sign-in, oauth, oauth2, login, authentication, sso, single sign-on, client id, google cloud console, authorized javascript origins, user mapping, secure users, default fallback user, gmail, reverse proxy, X-Forwarded-Proto, AWS ALB, redirect loop, nginx proxy

Key Questions:

How do I enable Google Sign-In for VoIPmonitor GUI?
How do I create an OAuth client ID in Google Cloud Console?
Where do I configure the Google Client ID in VoIPmonitor?
Why do I see a blank window after clicking "Sign in with Google"?
How does VoIPmonitor map a Google email to a user profile?
What are the three methods for mapping Google users to VoIPmonitor profiles?
Can I use Google Sign-In with a custom login script?
What is the "Authorized JavaScript origins" setting and why is it important?
Why does Google Sign-In fail behind a reverse proxy or AWS ALB?
How do I fix redirect loops with Google Sign-In behind Nginx?

@@ Line 1: / Line 1: @@
 {{DISPLAYTITLE:How to Set Up Google Sign-In (OAuth)}}
-'''This guide provides a complete, step-by-step tutorial for enabling users to log into the VoIPmonitor GUI using their Google accounts via the OAuth 2.0 protocol.'''
+'''Enable users to log into VoIPmonitor GUI using their Google accounts via OAuth 2.0.'''
-== Overview: What is Google Sign-In? ==
+== Overview ==
-Integrating Google Sign-In provides a convenient and secure way for your users to access the VoIPmonitor GUI. Instead of creating and remembering a separate password for VoIPmonitor, they can use their existing, trusted Google account.
-The process works by linking a user's Google email address to a user profile inside VoIPmonitor. When a user authenticates with Google, VoIPmonitor uses their email address to find their corresponding profile and apply the correct permissions.
+Google Sign-In maps a user's Google email to a VoIPmonitor profile to assign permissions. The matching logic:
-=== How User Permissions Are Assigned ===
+# '''Direct Email Match:''' Username matches the Google email exactly.
-VoIPmonitor uses the following logic to map a logged-in Google user to a GUI profile:
+# '''Secure Users List:''' Email found in "Gmail emails" field under user's "Secure users" tab.
-#'''Direct Email Match:''' First, it checks if a user exists in the GUI whose email is an exact match for the Google email address returned from auth.
+# '''Default Fallback:''' User marked as "Default Google Sign-In email" receives all unmatched logins.
-#'''Secure Users List:''' If no direct match is found, it checks the "Gmail emails" list under the "Secure users" tab of '''all''' user profiles. If a match is found, the permissions of that profile are used. This allows multiple Google accounts to be mapped to a single VoIPmonitor profile.
-#'''Default Fallback User:''' If still no match is found, it checks if any user has been designated as the "Default Google Sign-In email" account. If so, all unmatched Google users will inherit the permissions of this default profile.
-== Part 1: Creating Google OAuth 2.0 Credentials ==
+<kroki lang="mermaid">
-Before you can enable this feature in VoIPmonitor, you must create your own "OAuth client ID" within the Google Cloud Platform console.
+%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 40}}}%%
+flowchart TD
+    A[User clicks Google Sign-In] --> B[Google OAuth]
+    B --> C{Direct Email Match?}
+    C -->|Yes| D[Use matched user]
+    C -->|No| E{In Secure Users list?}
+    E -->|Yes| F[Use that profile]
+    E -->|No| G{Default user exists?}
+    G -->|Yes| H[Use default user]
+    G -->|No| I[Login denied]
+</kroki>
-;Step 1: Go to the Google Cloud Console
+== Configuration ==
-:Navigate to [https://console.cloud.google.com/apis/credentials https://console.cloud.google.com/apis/credentials].
-;Step 2: Create New Credentials
+=== Step 1: Create Google OAuth Credentials ===
-:Click '''+ CREATE CREDENTIALS''' at the top of the page and select '''OAuth client ID'''.
-;Step 3: Configure the OAuth Client ID
+# Go to [https://console.cloud.google.com/apis/credentials Google Cloud Console > APIs & Credentials]
-:* '''Application type:''' Select '''Web application'''.
+# Click '''+ CREATE CREDENTIALS''' → '''OAuth client ID'''
-:* '''Name:''' Give it a descriptive name, like "VoIPmonitor GUI Login".
+# Configure:
-:* '''Authorized JavaScript origins:''' This is a '''critical''' step. You must add the full URL of your VoIPmonitor GUI here. For example, `https://voipmonitor.example.com`. Note that Google requires these URLs to use '''HTTPS'''.
+#* '''Application type:''' Web application
-:* '''Authorized redirect URIs:''' This can often be left blank, but for best practice, you should add the URL of your GUI's login page.
+#* '''Name:''' e.g., "VoIPmonitor GUI Login"
+#* '''Authorized JavaScript origins:''' Your GUI URL (e.g., <code>https://voipmonitor.example.com</code>)
+#* '''Authorized redirect URIs:''' Same as above (optional but recommended)
+# Copy the generated '''Client ID'''
-;Step 4: Get Your Client ID
+{{Warning|1=The '''Authorized JavaScript origins''' URL must exactly match your GUI URL, including <code>https://</code>. This is the most common cause of login failures.}}
-:After creation, a pop-up will display your '''Client ID'''. It will look something like `1234567890-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com`. Copy this value; you will need it in the next part.
-;Step 5: Configure the OAuth Consent Screen
+=== Step 2: Configure VoIPmonitor GUI ===
-:You may be prompted to configure the "OAuth consent screen." This is the page your users will see when they first authorize the application. You only need to fill in the basic required information, such as an application name and user support email.
-== Part 2: Configuring VoIPmonitor ==
+Navigate to '''Settings → System Configuration → Authentication''':
-With your Google Client ID in hand, you can now enable and configure the integration in the GUI.
-;Step 1: Enable Google Sign-In
+{| class="wikitable"
-:Navigate to '''Settings -> System Configuration -> Authentication'''.
+! Option !! Value !! Description
-:* Find the option '''Enable Google Sign in''' and set it to '''Yes'''.
+|-
+| Enable Google Sign in || Yes || Activates the feature
+|-
+| Google client ID || ''your-client-id'' || From Google Cloud Console
+|-
+| Don't display local login form || Yes/No || Hides username/password form (optional)
+|-
+| Don't display Google Sign in button || Yes/No || Temporarily hides Google button (optional)
+|}
-;Step 2: Enter Your Client ID
+=== Step 3: Map Users ===
-:* Find the option '''Google client ID for Google Sign in'''.
-:* Paste the Client ID you obtained from the Google Cloud Console into this field. If you leave it blank, VoIPmonitor will use a default, shared client ID, but it is '''highly recommended''' to use your own.
-;Step 3: (Optional) Hide the Login Button
+Ensure users exist in '''Settings → Users''' with one of:
-:* If you want to ''only'' allow Google login and hide the standard username/password form, you can set '''Don't display local login form''' to '''Yes'''.
+* Username matching Google email exactly
-:* The '''Don't display Google Sign in button''' option allows you to hide the "G" button if you need to temporarily disable the feature without losing your settings.
+* Google email added to user's '''Secure users''' tab → "Gmail emails" field
+* One user designated as '''Default Google Sign-In email''' (Basic data tab)
-;Step 4: Create User Mappings
+== Troubleshooting ==
-:Ensure that user accounts exist in '''Settings -> Users''' with usernames that match the Google email addresses of the users who will be logging in, or use the "Secure users" or "Default" mapping methods described in the overview.
-== Troubleshooting ==
+{| class="wikitable"
-;Problem: After clicking the "Sign in with Google" button, a blank window or pop-up appears and nothing happens.
+! Problem !! Cause !! Solution
-:* '''Cause:''' This is almost always caused by an incorrect configuration of the '''Authorized JavaScript origins''' in your Google Cloud Console credentials.
+|-
-:* '''Solution:''' Go back to your OAuth client ID settings in the Google Cloud Console and ensure that the URL you entered exactly matches the URL of your VoIPmonitor GUI, including the `https://` prefix.
+| '''Blank window after clicking Sign-In''' || Incorrect "Authorized JavaScript origins" in Google Console || Verify URL matches exactly, including <code>https://</code>
+|-
+| '''Unable to log in or set password''' || Account configuration issues (common with Cloud Trial) || Create a new user account instead
+|-
+| '''SSO fails behind reverse proxy''' (AWS ALB, Nginx) || Proxy terminates SSL, GUI sees HTTP || Add header: <code>proxy_set_header X-Forwarded-Proto $scheme;</code>
+|-
+| '''Redirect loops''' || Missing protocol header behind proxy || See [[Nginx]] for complete proxy configuration
+|}
+== Advanced: Custom Login Scripts ==
+Google Sign-In works with custom login scripts:
+* VoIPmonitor passes the authenticated email to your script
+* Script must return JSON per [[WEB_API#Custom_Login|Custom Login API]]
+* GUI-defined users take precedence over script-authenticated users
+== See Also ==
-== Advanced Usage: Custom Login Scripts ==
+* [[Microsoft_Sign_in_usage]] - Microsoft Entra ID / Azure AD integration
-The Google Sign-In feature is compatible with custom login scripts.
+* [[2FA]] - Two-factor authentication
-* When a user authenticates, VoIPmonitor will pass the user's email address to your custom script.
+* [[WEB_API#Custom_Login]] - Custom login scripts (LDAP, etc.)
-* Your script must then perform its logic and return a JSON structure as described in the [[WEB_API#Custom_Login|Custom Login API documentation]].
+* [[User_Management]] - User account management
-* Note that users defined directly within the VoIPmonitor GUI will always take precedence over users authenticated via a custom login script.
 == AI Summary for RAG ==
-'''Summary:''' This guide provides a complete tutorial on integrating Google Sign-In with the VoIPmonitor GUI using OAuth 2.0. It explains how the feature works by mapping a user's Google email to an internal GUI user profile to assign permissions, detailing the three matching methods (direct email, "Secure users" list, and default fallback user). The guide is structured into two main parts. Part 1 provides a step-by-step process for creating an "OAuth client ID" in the Google Cloud Platform console, emphasizing the critical importance of correctly configuring the "Authorized JavaScript origins." Part 2 details the configuration within the VoIPmonitor GUI under "Settings -> System Configuration," including enabling the feature and entering the custom Google Client ID. It also includes a troubleshooting section for common problems like a blank login window and notes on integration with custom login scripts.
-'''Keywords:''' google sign-in, oauth, oauth2, login, authentication, google login, sso, single sign-on, api, credentials, client id, google cloud console, authorized javascript origins, user mapping, custom login
+'''Summary:''' Guide for integrating Google Sign-In (OAuth 2.0) with VoIPmonitor GUI. User mapping uses three methods: (1) direct email match, (2) "Secure users" Gmail list, (3) default fallback user. Configuration requires creating OAuth client ID in Google Cloud Console with correct "Authorized JavaScript origins" URL (must match exactly including https://), then enabling in GUI under Settings → System Configuration → Authentication. Common issues: blank window (URL mismatch), SSO failures behind reverse proxy (add X-Forwarded-Proto header).
+'''Keywords:''' google sign-in, oauth, oauth2, login, authentication, sso, single sign-on, client id, google cloud console, authorized javascript origins, user mapping, secure users, default fallback user, gmail, reverse proxy, X-Forwarded-Proto, AWS ALB, redirect loop, nginx proxy
 '''Key Questions:'''
-* How can I enable users to log in with their Google account?
+* How do I enable Google Sign-In for VoIPmonitor GUI?
-* What is Google OAuth 2.0 and how does it work with VoIPmonitor?
+* How do I create an OAuth client ID in Google Cloud Console?
-* How do I create an OAuth client ID in the Google Cloud Console?
+* Where do I configure the Google Client ID in VoIPmonitor?
-* Where do I configure the Google Client ID in the VoIPmonitor GUI?
+* Why do I see a blank window after clicking "Sign in with Google"?
-* Why do I see a blank window after clicking the "Sign in with Google" button?
+* How does VoIPmonitor map a Google email to a user profile?
-* How does VoIPmonitor map a Google email to a user with permissions?
+* What are the three methods for mapping Google users to VoIPmonitor profiles?
 * Can I use Google Sign-In with a custom login script?
+* What is the "Authorized JavaScript origins" setting and why is it important?
+* Why does Google Sign-In fail behind a reverse proxy or AWS ALB?
+* How do I fix redirect loops with Google Sign-In behind Nginx?
+[[Category:Authentication]]
+[[Category:Configuration]]
+[[Category:GUI]]