ISPBills supports OAuth-based Single Sign-On (SSO), allowing administrators and customers to authenticate using external identity providers. This simplifies the login experience and centralizes credential management.

OAuth settings affect the login page for all users. Test your configuration thoroughly before enabling it in production.

Overview

The OAuthSettingController manages OAuth provider configuration, including client credentials, redirect URIs, and scope definitions. Once configured, users see additional login options on the authentication page.

Supported Providers

ISPBills can integrate with any OAuth 2.0 compliant provider. Common providers include:

Provider               Protocol                     Notes
Google                 OAuth 2.0                    Workspace and personal accounts
Facebook               OAuth 2.0                    Useful for customer-facing portals
GitHub                 OAuth 2.0                    Suitable for technical teams
Custom / Self-hosted   OAuth 2.0 / OpenID Connect   For organizations with their own identity server

You can enable multiple providers simultaneously. Each will appear as a separate login option.

Configuring OAuth

To set up a new OAuth provider:

  1. Navigate to the OAuth settings page.
  2. Select the provider type or choose custom for unsupported providers.
  3. Enter the required credentials:
    • Client ID — obtained from the provider's developer console.
    • Client Secret — obtained alongside the Client ID.
    • Authorization URL — the provider's authorization endpoint.
    • Token URL — the provider's token exchange endpoint.
    • Redirect URI — ISPBills generates this automatically; register it with the provider exactly as shown (scheme, host and path). Providers compare it against the value sent in each authorization request and reject any mismatch, so a typo here stops the login at step 3.
  4. Configure the requested scopes (e.g., email, profile).
  5. Map provider fields to ISPBills user attributes (email, name, etc.).
  6. Save and test the configuration.
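The field mapping in step 5 is where provider-specific responses become ISPBills user attributes. The following added example (not ISPBills code; provider names, field names and the two constructed responses are assumptions shaped after what Google's userinfo and GitHub's user endpoints return) normalizes a response into the attributes the rest of the login flow keys on, keeps the stable (provider, external_id) identity rather than relying on email alone, and refuses a response that lacks a required field:

```python
# Added example, not ISPBills code. Constructed user-info responses (assumptions).
SAMPLE_USERINFO = {
    "google": {"sub": "103947120", "email": "Alice@Example.com",
               "email_verified": True, "name": "Alice Example", "hd": "example.com"},
    # GitHub returns "email": null when the user keeps the address private.
    "github": {"id": 583231, "login": "alice", "name": "Alice Example",
               "email": "alice@example.com"},
}

# target attribute -> source field, per provider (what the step 5 mapping form captures).
FIELD_MAPS = {
    "google": {"external_id": "sub", "email": "email", "name": "name",
               "email_verified": "email_verified"},
    "github": {"external_id": "id", "email": "email", "name": "name", "username": "login"},
}

REQUIRED = ("external_id", "email")


class MappingError(ValueError):
    pass


def map_profile(provider: str, userinfo: dict, field_maps: dict = FIELD_MAPS) -> dict:
    """Normalize a provider response into {provider, external_id, email, email_verified, ...}."""
    mapping = field_maps.get(provider)
    if mapping is None:
        raise MappingError(f"no field mapping configured for provider {provider!r}")
    profile = {"provider": provider}
    for target, source in mapping.items():
        value = userinfo.get(source)
        if value in (None, ""):
            continue  # absent or empty fields are not mapped
        profile[target] = value
    missing = [k for k in REQUIRED if k not in profile]
    if missing:
        raise MappingError(f"{provider} response lacks required fields: {', '.join(missing)}")
    # The stable identity is (provider, external_id); keep it a string so numeric ids
    # (GitHub) and opaque subject strings (Google) compare the same way.
    profile["external_id"] = str(profile["external_id"])
    profile["email"] = profile["email"].strip().lower()
    # Treat the address as verified only when the mapped field asserts it explicitly;
    # a provider that says nothing about verification gets False.
    profile["email_verified"] = profile.get("email_verified") is True
    return profile
```

Matching and account linking should key on `external_id`, not on the email address: the address can change or be unverified at the provider, while the subject identifier is stable for the life of the provider account.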

Never share your Client Secret publicly. Treat it like a password: store it only in the ISPBills configuration, keep it out of source control, tickets and chat, and rotate it periodically according to your security policy. If it leaks, an attacker who can also obtain an authorization code can complete the token exchange as your ISPBills instance.

Login Flow

When OAuth is enabled, the login process works as follows:

  1. The user visits the ISPBills login page.
  2. They click the button for the desired OAuth provider.
  3. The browser is redirected to the provider's Authorization URL with the Client ID, the registered Redirect URI and the requested scopes.
  4. The user authenticates with the provider (enters credentials, completes MFA, etc.).
  5. The provider redirects the browser back to the registered Redirect URI with a short-lived authorization code.
  6. ISPBills exchanges the code for an access token at the Token URL, authenticating with the Client Secret, and uses the token to retrieve the user's profile. This exchange happens server to server; the browser never sees the token.
  7. If the profile matches an existing account, the user is logged in. Otherwise a new account may be created or the login refused, depending on your account linking configuration.
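The exchange in steps 3 to 6, as an added example that is not ISPBills code: both sides run in one process, with an in-process stand-in for the provider, so the messages can be inspected offline. The provider settings, URLs and user record are constructed assumptions. Beyond the steps above, the example binds each login to a server-side state value (so a forged or replayed callback is rejected) and to a PKCE verifier (so a stolen code cannot be exchanged by anyone else); both are standard OAuth 2.0 protections, not features the page attributes to ISPBills.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed provider settings standing in for the step 3 form values (all hypothetical).
PROVIDER = {
    "client_id": "ispbills-demo",
    "client_secret": "demo-secret-do-not-reuse",
    "authorization_url": "https://idp.example.com/oauth2/authorize",
    "token_url": "https://idp.example.com/oauth2/token",
    "redirect_uri": "https://billing.example.com/oauth/callback",
    "scopes": ["openid", "email", "profile"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def begin_login(session: dict, cfg: dict = PROVIDER) -> str:
    """Step 3: build the provider redirect. The state value and the PKCE verifier
    live only in the server-side session and are consumed once by finish_login."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["oauth_verifier"] = secrets.token_urlsafe(64)
    challenge = _b64url(hashlib.sha256(session["oauth_verifier"].encode()).digest())
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "scope": " ".join(cfg["scopes"]),
        "state": session["oauth_state"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return cfg["authorization_url"] + "?" + urlencode(params)


class FakeProvider:
    """In-process stand-in for the identity provider: issues a single-use code bound
    to the redirect URI and PKCE challenge, then exchanges it for a bearer token."""

    def __init__(self, cfg: dict = PROVIDER):
        self.cfg, self.codes, self.tokens = cfg, {}, {}

    def authorize(self, auth_url: str, user: dict) -> str:
        """Steps 4 and 5: the user has authenticated; redirect back with code and state."""
        q = dict(parse_qsl(urlsplit(auth_url).query))
        # Redirect URI must match the registered value exactly, as real providers require.
        if q.get("client_id") != self.cfg["client_id"] or q.get("redirect_uri") != self.cfg["redirect_uri"]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"challenge": q["code_challenge"], "redirect_uri": q["redirect_uri"], "user": user}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form: dict) -> dict:
        """Token endpoint: the code is single-use and must arrive with the client
        secret, the same redirect URI, and the PKCE verifier matching the challenge."""
        entry = self.codes.pop(form.get("code"), None)
        verifier = form.get("code_verifier", "")
        if (entry is None
                or form.get("client_secret") != self.cfg["client_secret"]
                or form.get("redirect_uri") != entry["redirect_uri"]
                or _b64url(hashlib.sha256(verifier.encode()).digest()) != entry["challenge"]):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = entry["user"]
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def userinfo(self, access_token: str) -> dict:
        return dict(self.tokens[access_token])


def finish_login(session: dict, callback_url: str, provider: FakeProvider, cfg: dict = PROVIDER) -> dict:
    """Steps 5 and 6: verify state, exchange the code server-side, fetch the profile.
    The access token never leaves this function; only the profile is returned."""
    q = dict(parse_qsl(urlsplit(callback_url).query))
    expected = session.pop("oauth_state", None)
    verifier = session.pop("oauth_verifier", None)
    if not expected or not secrets.compare_digest(q.get("state", ""), expected):
        raise PermissionError("state mismatch: CSRF attempt or replayed callback")
    if "code" not in q:
        raise PermissionError("provider returned no code: " + q.get("error", "unknown_error"))
    tok = provider.token({
        "grant_type": "authorization_code",
        "code": q["code"],
        "redirect_uri": cfg["redirect_uri"],
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "code_verifier": verifier,
    })
    return provider.userinfo(tok["access_token"])
```

The state value is popped from the session before it is compared, so a callback URL can only ever be consumed once; a second delivery of the same URL, or one carrying a different state, fails before any request reaches the token endpoint.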

Security Considerations

Misconfigured OAuth can create security vulnerabilities. Review these points carefully.

  • Restrict allowed domains — If using Google OAuth, limit logins to your organization's domain; otherwise any Google account holder can reach the login step. The restriction must be checked on the email address the provider returns, since a login-screen domain hint only narrows the account picker.
  • Enforce HTTPS — OAuth requires secure connections. Serve ISPBills, and therefore the Redirect URI, over HTTPS with a valid TLS certificate; an authorization code sent over plain HTTP can be intercepted on the way back to ISPBills.
  • Token storage — Access tokens are stored securely server-side. They are never exposed to the browser.
  • Session management — OAuth sessions respect ISPBills' session timeout settings; logging out of the provider does not end the ISPBills session.
  • Account linking — Decide whether OAuth logins should auto-create accounts or only link to existing ones. Linking by email address is only safe when the provider has verified that address; otherwise anyone who can register the address at the provider can take over the matching ISPBills account.
  • Audit logging — All OAuth login events are recorded in the system audit log for monitoring. Review it for logins from unexpected domains or providers and for repeated failures against one account.
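The domain restriction, account linking and audit logging points above, as one added example that is not ISPBills code: the account table, policy values and audit format are constructed assumptions. Given a normalized profile (provider, external_id, email, email_verified), it checks the returned email's domain server-side, matches on the linked provider identity first, links by email only when the provider verified it, and creates an account only when policy allows, writing one audit record per outcome.

```python
import time

# Constructed local account table (hypothetical): each account carries the
# (provider, external_id) identities already linked to it.
ACCOUNTS = [
    {"id": 1, "email": "alice@example.com", "links": {("google", "103947120")}},
    {"id": 2, "email": "bob@example.com", "links": set()},
]

# Policy knobs for the points above; the values are assumptions.
POLICY = {
    "allowed_domains": {"example.com"},  # empty set disables the domain check
    "require_verified_email": True,
    "auto_create": False,                # False = link to existing accounts only
}

AUDIT_LOG = []


def audit(log: list, event: str, **fields) -> None:
    log.append({"ts": time.time(), "event": event, **fields})


def resolve_account(profile: dict, accounts: list = ACCOUNTS, policy: dict = POLICY,
                    log: list = AUDIT_LOG):
    """Return the local account a normalized profile may log in as, or None.
    profile = {provider, external_id, email, email_verified, name}."""
    email = profile["email"].strip().lower()
    domain = email.rsplit("@", 1)[-1]
    who = {"provider": profile["provider"], "external_id": profile["external_id"], "email": email}

    # Domain restriction is enforced on the address the provider returned, not on a
    # login-screen hint such as Google's hd parameter, which only narrows the picker.
    if policy["allowed_domains"] and domain not in policy["allowed_domains"]:
        audit(log, "oauth.login.denied", reason="domain_not_allowed", **who)
        return None

    key = (profile["provider"], profile["external_id"])
    # 1. An identity already linked to an account: the only match that needs no email trust.
    for acct in accounts:
        if key in acct["links"]:
            audit(log, "oauth.login.ok", account_id=acct["id"], **who)
            return acct

    # 2. Linking by email is an account-takeover path unless the provider verified it.
    if policy["require_verified_email"] and not profile.get("email_verified"):
        audit(log, "oauth.login.denied", reason="email_not_verified", **who)
        return None
    for acct in accounts:
        if acct["email"] == email:
            acct["links"].add(key)  # remember the identity so step 1 matches next time
            audit(log, "oauth.account.linked", account_id=acct["id"], **who)
            return acct

    # 3. Unknown identity: create only if policy allows, otherwise refuse.
    if not policy["auto_create"]:
        audit(log, "oauth.login.denied", reason="no_matching_account", **who)
        return None
    acct = {"id": max((a["id"] for a in accounts), default=0) + 1, "email": email,
            "name": profile.get("name", ""), "links": {key}}
    accounts.append(acct)
    audit(log, "oauth.account.created", account_id=acct["id"], **who)
    return acct
```

Every branch writes an audit record carrying the provider, external identifier and email, so a monitoring rule can alert on `domain_not_allowed` and `email_not_verified` denials, which are the outcomes an attacker probing the SSO entry point produces.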