---
title: 'SSO Authentication Setup'
description: 'Configure Google OAuth 2.0 authentication for your Trading Analysis Dashboard'
---

## Overview

This guide will help you configure Google OAuth 2.0 authentication for secure access to your Trading Analysis Dashboard.

## Step 1: Create Google OAuth Application

Visit [Google Cloud Console](https://console.cloud.google.com/) and sign in with your Google account.

- Click "Select a project" → "New Project"
- Name: "Trading Dashboard"
- Click "Create"
- Go to "APIs & Services" → "Library"
- Search for "Google+ API" and enable it
- Also enable "Google Identity" if available
- Go to "APIs & Services" → "Credentials"
- Click "Create Credentials" → "OAuth 2.0 Client IDs"
- Choose "Web application"
- Name: "Trading Dashboard Auth"

Add the following URLs:

**Authorized JavaScript origins:**

- `https://performance.miningwood.com`
- `http://localhost:8080` (for testing)

**Authorized redirect URIs:**

- `https://performance.miningwood.com/auth/callback`
- `http://localhost:8080/auth/callback` (for testing)

Copy the "Client ID" and "Client Secret" for the next step.

## Step 2: Configure Environment Variables

Update your `.env.docker` file with the OAuth credentials:

```bash .env.docker
# OAuth Configuration
GOOGLE_CLIENT_ID=your-actual-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your-actual-client-secret

# Authorized Users (your email addresses)
AUTHORIZED_USERS=your-email@gmail.com,admin@company.com
```

Never commit your `.env` files to version control. Keep them secure and out of your repository.

## Step 3: Update and Deploy

### Rebuild the application

```bash
docker compose build trading_app
docker compose restart trading_app
```

### Test the authentication

1. Navigate to `https://performance.miningwood.com`.
2. You should be redirected to the login page.
3. Click "Sign in with Google".
4. Authorize the application when prompted by Google.
5. You should be redirected back and logged in successfully.

## Security Features

- Industry-standard authentication protocol (OAuth 2.0)
- Only specific email addresses can access the dashboard
- Secure server-side sessions with expiration
- All authentication over encrypted connections

## User Management

### Add Users

Add email addresses to `AUTHORIZED_USERS` in `.env.docker`, separated by commas:

```bash
AUTHORIZED_USERS=user1@example.com,user2@example.com,user3@example.com
```

Then restart the application:

```bash
docker compose restart trading_app
```

### Remove Users

Remove email addresses from `AUTHORIZED_USERS` and restart the application.

Leave `AUTHORIZED_USERS` empty to allow all users (not recommended for production).

## Troubleshooting

If sign-in fails or you are denied access, check the following:

- Check that Client ID and Secret are correct in `.env.docker`
- Verify redirect URLs match exactly in Google Cloud Console
- Ensure Google+ API is enabled
- Check application logs: `docker compose logs trading_app`
- Verify your email is in `AUTHORIZED_USERS`
- Ensure email case matches exactly
- Check for extra spaces in the email list
- Clear browser cookies for your domain
- Verify Flask secret key is set in `.env.docker`
- Check session configuration in application logs

Ensure the redirect URIs in Google Cloud Console match your deployment:

- Use `https://` for production
- Include the exact domain and path
- No trailing slashes

## Alternative OAuth Providers

You can also configure other OAuth providers.

### GitHub

```bash .env.docker
GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret
```

1. Create OAuth App at https://github.com/settings/developers
2. Set Authorization callback URL to `https://your-domain.com/auth/callback`

### Microsoft

```bash .env.docker
MICROSOFT_CLIENT_ID=your-microsoft-client-id
MICROSOFT_CLIENT_SECRET=your-microsoft-client-secret
```

1. Register app at https://portal.azure.com
2. Add redirect URI in Authentication settings

Contact your administrator if you need help configuring alternative providers.

## Testing OAuth Configuration

To test your OAuth setup locally:

```bash
# Start the application locally
docker compose up -d

# Check logs for any OAuth errors
docker compose logs -f trading_app

# Visit localhost
open http://localhost:8080
```

## Security Checklist

- [ ] OAuth credentials are stored in `.env` files, not in code
- [ ] `.env` files are in `.gitignore`
- [ ] `AUTHORIZED_USERS` list is properly configured
- [ ] HTTPS is enabled in production
- [ ] Strong `FLASK_SECRET_KEY` is set
- [ ] Redirect URIs are exact matches in Google Cloud Console
- [ ] Google+ API is enabled

## Next Steps

- Configure multi-user support with brokerage accounts
- Deploy your application to production
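The Troubleshooting and Security Checklist items above can be turned into checks that run before you deploy. The following is an added example, not code from the dashboard project: a dependency-free Python module that reads the same variables as `.env.docker` (`GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `AUTHORIZED_USERS`, `FLASK_SECRET_KEY`), normalizes the allowlist so email case and stray spaces cannot cause a false "access denied", lints redirect URIs against the three rules given above (https in production, exact host and path, no trailing slash), and flags an empty allowlist. The function names, the `allow_all_when_empty` flag, the 32-character secret-key floor and the sample `.env` values are this example's own assumptions; note that its `is_authorized` fails closed on an empty allowlist by default, whereas the page says the dashboard allows all users in that case.

```python
"""
Added example (not the dashboard's own code): configuration checks for the
Google OAuth setup described on this page. Names and thresholds are assumed.
"""
from urllib.parse import urlsplit

MIN_SECRET_KEY_LEN = 32  # assumption: a reasonable floor for a Flask session key


def parse_authorized_users(raw: str) -> frozenset[str]:
    """Turn the comma-separated AUTHORIZED_USERS value into a normalized set.

    Each entry is stripped and lower-cased, so " Admin@Company.com " and
    "admin@company.com" are the same user; empty entries (from a trailing
    comma) are dropped. This removes the "email case must match" and
    "extra spaces" failure modes listed under Troubleshooting.
    """
    return frozenset(e.strip().lower() for e in raw.split(",") if e.strip())


def is_authorized(email: str, allowed: frozenset[str],
                  *, allow_all_when_empty: bool = False) -> bool:
    """Decide whether a Google-verified email may log in.

    The page says an empty AUTHORIZED_USERS allows everyone; here that
    behaviour is opt-in, and the default fails closed so a variable missing
    from a production .env does not admit every Google account.
    """
    if not allowed:
        return allow_all_when_empty
    return email.strip().lower() in allowed


def redirect_uri_problems(uri: str, *, production: bool = True) -> list[str]:
    """Lint one redirect URI against the rules above: https in production,
    a host present, no trailing slash, and nothing the console would not
    register (query string or fragment). Returns a list of findings."""
    parts = urlsplit(uri)
    problems = []
    if production and parts.scheme != "https":
        problems.append("scheme must be https in production")
    if not parts.netloc:
        problems.append("missing host")
    if parts.path.endswith("/"):
        problems.append("trailing slash")
    if parts.query or parts.fragment:
        problems.append("query string or fragment not allowed")
    return problems


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Exact comparison in the spirit of the console's matching: scheme and
    host:port are compared case-insensitively (as URLs define them), the
    path byte-for-byte, so a trailing slash makes the URIs different."""
    a, b = urlsplit(registered), urlsplit(requested)
    return (a.scheme.lower() == b.scheme.lower()
            and a.netloc.lower() == b.netloc.lower()
            and a.path == b.path
            and not (a.query or a.fragment or b.query or b.fragment))


def check_env(env: dict[str, str]) -> list[str]:
    """Apply the Security Checklist to a parsed .env.docker mapping and
    return the findings (an empty list means the checks pass)."""
    findings = []
    # Google OAuth client IDs carry the .apps.googleusercontent.com suffix,
    # as the placeholder in Step 2 shows.
    if not env.get("GOOGLE_CLIENT_ID", "").endswith(".apps.googleusercontent.com"):
        findings.append("GOOGLE_CLIENT_ID missing or not a Google client ID")
    if not env.get("GOOGLE_CLIENT_SECRET"):
        findings.append("GOOGLE_CLIENT_SECRET missing")
    if len(env.get("FLASK_SECRET_KEY", "")) < MIN_SECRET_KEY_LEN:
        findings.append(f"FLASK_SECRET_KEY shorter than {MIN_SECRET_KEY_LEN} characters")
    if not parse_authorized_users(env.get("AUTHORIZED_USERS", "")):
        findings.append("AUTHORIZED_USERS empty: every Google account would be accepted")
    return findings


# Constructed sample .env.docker contents (not real credentials), showing the
# usual slips: mixed case and a stray space in the allowlist, a weak key.
SAMPLE_ENV = {
    "GOOGLE_CLIENT_ID": "123456789-example.apps.googleusercontent.com",
    "GOOGLE_CLIENT_SECRET": "example-secret",
    "FLASK_SECRET_KEY": "changeme",
    "AUTHORIZED_USERS": "Your-Email@gmail.com, admin@company.com,",
}

if __name__ == "__main__":
    allowed = parse_authorized_users(SAMPLE_ENV["AUTHORIZED_USERS"])
    print("allowlist:", sorted(allowed))
    print("ADMIN@company.com authorized:", is_authorized("ADMIN@company.com", allowed))
    for finding in check_env(SAMPLE_ENV):
        print("finding:", finding)
    for uri in ("https://performance.miningwood.com/auth/callback",
                "http://performance.miningwood.com/auth/callback/"):
        print(uri, "->", redirect_uri_problems(uri) or "ok")
```

Run it with `python check_oauth_env.py` (any file name works) after filling `SAMPLE_ENV` from your own `.env.docker`; a non-empty findings list is the cue to fix the file before `docker compose restart trading_app`. Normalizing on both sides (when the list is loaded and when the Google-returned email is compared) is what makes the case and whitespace troubleshooting items moot, and failing closed on an empty list turns a silent misconfiguration into a visible login failure.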