
Authentication

SPEAR supports multiple authentication methods to integrate with your organization’s identity infrastructure. Configure password-based authentication, OAuth2/OpenID Connect providers, or a combination of both.


| Method | Description | Use Case |
|---|---|---|
| Password | Local username/password | Standalone deployments |
| OAuth2/OIDC | Third-party identity providers | Enterprise SSO |
| Combined | Both password and OAuth | Flexible access |

🖥️ Password Settings Configuration Screenshot

Password authentication is enabled by default. Configure settings at Admin > Authentication > Password Settings.

| Setting | Description | Default |
|---|---|---|
| Minimum Length | Minimum password characters | 8 |
| Require Uppercase | Must include uppercase letters | Yes |
| Require Lowercase | Must include lowercase letters | Yes |
| Require Numbers | Must include numeric characters | Yes |
| Require Special | Must include special characters | No |
| Password Expiry | Days until password expires | 0 (never) |
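As an added illustration (not SPEAR's own code), the following Python checker enforces the same rules with the same defaults as the table above, including the "0 means never expire" convention; the class and method names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import string


@dataclass
class PasswordPolicy:
    """Defaults mirror the Password Settings table (assumed names)."""
    min_length: int = 8
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_numbers: bool = True
    require_special: bool = False
    expiry_days: int = 0  # 0 disables expiry entirely

    def violations(self, password: str) -> list:
        """Return every rule the candidate password breaks; [] means accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_uppercase and not any(c.isupper() for c in password):
            problems.append("missing uppercase letter")
        if self.require_lowercase and not any(c.islower() for c in password):
            problems.append("missing lowercase letter")
        if self.require_numbers and not any(c.isdigit() for c in password):
            problems.append("missing digit")
        if self.require_special and not any(c in string.punctuation for c in password):
            problems.append("missing special character")
        return problems

    def is_expired(self, last_changed_iso: str, today_iso: str) -> bool:
        """Apply Password Expiry to ISO dates (YYYY-MM-DD); 0 never expires."""
        if self.expiry_days <= 0:
            return False
        last_changed = date.fromisoformat(last_changed_iso)
        today = date.fromisoformat(today_iso)
        return today - last_changed >= timedelta(days=self.expiry_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.violations("Troubador"))                 # constructed sample
    print(PasswordPolicy(expiry_days=90).is_expired("2024-01-01", "2024-04-01"))
```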

Users can reset passwords via email if SMTP is configured:

  1. User clicks “Forgot Password” on login page
  2. Reset link sent to registered email
  3. User sets new password via link
  4. Old sessions are invalidated

🖥️ OAuth Provider Configuration Screenshot

SPEAR supports standard OAuth2/OIDC providers:

| Provider | Protocol | Notes |
|---|---|---|
| Google Workspace | OIDC | Email domain restriction available |
| Microsoft Entra ID | OIDC | Azure AD / Office 365 |
| GitHub | OAuth2 | Organization membership checks |
| GitLab | OAuth2 | Self-hosted supported |
| Okta | OIDC | Enterprise identity |
| Custom OIDC | OIDC | Any compliant provider |

To add a provider in SPEAR:

  1. Navigate to Admin > Authentication > OAuth Providers
  2. Click Add Provider
  3. Select provider type
  4. Enter configuration:
    • Client ID
    • Client Secret
    • Redirect URI (provided by SPEAR)
    • Additional scopes (if needed)
  5. Test the connection
  6. Enable the provider

Google Workspace:

  1. Go to Google Cloud Console
  2. Create or select a project
  3. Navigate to APIs & Services > Credentials
  4. Click Create Credentials > OAuth client ID
  5. Select Web application
  6. Add authorized redirect URI from SPEAR
  7. Copy Client ID and Client Secret to SPEAR

Microsoft Entra ID:

  1. Go to Azure Portal
  2. Navigate to Azure Active Directory > App registrations
  3. Click New registration
  4. Enter name and select supported account types
  5. Add redirect URI from SPEAR
  6. Copy Application (client) ID
  7. Create client secret under Certificates & secrets
  8. Configure in SPEAR

GitHub:

  1. Go to GitHub Settings > Developer settings > OAuth Apps
  2. Click New OAuth App
  3. Enter application details
  4. Add authorization callback URL from SPEAR
  5. Copy Client ID and generate Client Secret
  6. Configure in SPEAR

🖥️ Session Management Settings Screenshot

Configure session behavior at Admin > Authentication > Sessions.

| Setting | Description | Default |
|---|---|---|
| Session Timeout | Inactive session expiry | 24 hours |
| Max Sessions | Maximum concurrent sessions per user | Unlimited |
| Remember Me | Extended session duration | 30 days |
| Secure Cookies | Require HTTPS for cookies | Auto |

Users can view and manage their active sessions:

  1. Go to Account Settings > Sessions
  2. View list of active sessions with:
    • Device/browser information
    • IP address
    • Last activity
  3. Click Revoke to end specific sessions
  4. Click Revoke All to end all other sessions

Administrators can manage user sessions:

  1. Navigate to Admin > Security > Active Sessions
  2. View all active sessions across users
  3. Filter by user, IP, or activity
  4. Revoke sessions as needed

Planned MFA methods:

  • TOTP (Google Authenticator, Authy)
  • WebAuthn / Passkeys
  • Email verification codes

When OAuth providers are configured:

  1. User clicks provider button on login page
  2. Redirected to identity provider
  3. User authenticates with provider
  4. Redirected back to SPEAR with authorization code
  5. SPEAR exchanges code for user information
  6. User account created or linked automatically
  7. Session established

When a user signs in via OAuth and an account with matching email exists:

  • Auto-link enabled: Accounts are automatically linked
  • Auto-link disabled: User must verify ownership first

Configure at Admin > Authentication > Account Linking.

Restrict OAuth sign-ups to specific email domains:

  1. Go to Admin > Authentication > OAuth Providers
  2. Select provider
  3. Add allowed domains (e.g., yourcompany.com)
  4. Save changes

Users with non-matching email domains cannot create accounts.


When enabled, new users are automatically created on first OAuth login:

| Setting | Description |
|---|---|
| Auto-create users | Create account on first OAuth login |
| Default group | Group to assign new users |
| Email domain filter | Only provision from specific domains |

Configure at Admin > Authentication > Provisioning.
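Both the OAuth domain restriction and the provisioning email domain filter above come down to one decision: does the address's domain exactly match an allowed entry? The added Python example below (not SPEAR's own code; function names are assumptions) shows that check with the comparison done on the normalised full domain rather than by suffix or substring, so lookalike domains are rejected.

```python
from typing import List, Optional


def normalize_domain(domain: str) -> str:
    """Lower-case and drop surrounding whitespace and dots so that
    ' YourCompany.com. ' compares equal to 'yourcompany.com'."""
    return domain.strip().strip(".").lower()


def email_domain(email: str) -> Optional[str]:
    """Return the normalised domain of an address, or None if it is malformed
    (no '@', more than one '@', or an empty local part or domain)."""
    parts = email.strip().split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return normalize_domain(parts[1])


def is_allowed_email(email: str, allowed_domains: List[str]) -> bool:
    """True only when the address's domain equals one of the allowed domains.
    Exact comparison is deliberate: an endswith() or 'in' check would also
    accept 'yourcompany.com.example.net' or 'notyourcompany.com'."""
    domain = email_domain(email)
    if domain is None:
        return False
    allowed = {normalize_domain(d) for d in allowed_domains if d.strip()}
    return domain in allowed


if __name__ == "__main__":
    # Constructed sample addresses; yourcompany.com is the page's placeholder domain.
    allowed = ["yourcompany.com"]
    for candidate in ["alice@yourcompany.com", "mallory@yourcompany.com.example.net"]:
        print(candidate, "->", is_allowed_email(candidate, allowed))
```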


  • Enable password complexity requirements
  • Set password expiry for sensitive environments
  • Configure account lockout after failed attempts
  • Require password change on first login
  • Use OIDC over plain OAuth2 when available
  • Restrict to specific email domains
  • Disable password auth if SSO-only desired
  • Monitor for unusual login patterns
  • Enable HTTPS (required for OAuth)
  • Set appropriate session timeouts
  • Regular audit log review
  • Disable unused authentication methods

“Redirect URI mismatch”

  • Verify redirect URI in provider matches exactly
  • Check for http vs https mismatch
  • Ensure no trailing slashes
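Providers compare the registered redirect URI with the one sent in the request literally, so the three checks above are best done component by component. The added Python helper below (not SPEAR's own code; the function name is an assumption) names each difference between the URI registered at the provider and the one SPEAR supplies, distinguishing a bare trailing-slash difference from a genuinely different path.

```python
from urllib.parse import urlsplit


def redirect_uri_mismatch(registered: str, expected: str) -> list:
    """Compare two redirect URIs part by part and describe every difference.
    Returns [] when they match exactly (ignoring surrounding whitespace)."""
    reg, exp = urlsplit(registered.strip()), urlsplit(expected.strip())
    problems = []
    if reg.scheme.lower() != exp.scheme.lower():
        problems.append(f"scheme differs: {reg.scheme} vs {exp.scheme}")
    # hostname is already lower-cased by urlsplit; None when absent
    if (reg.hostname or "") != (exp.hostname or ""):
        problems.append(f"host differs: {reg.hostname} vs {exp.hostname}")
    # An explicit ':443' is a different string from no port at all
    if reg.port != exp.port:
        problems.append(f"port differs: {reg.port} vs {exp.port}")
    if reg.path != exp.path:
        if reg.path.rstrip("/") == exp.path.rstrip("/"):
            problems.append("path differs only by a trailing slash")
        else:
            problems.append(f"path differs: {reg.path!r} vs {exp.path!r}")
    if reg.query != exp.query:
        problems.append("query string differs")
    if reg.fragment or exp.fragment:
        problems.append("fragment present (redirect URIs must not contain one)")
    return problems


if __name__ == "__main__":
    # Constructed sample: a placeholder SPEAR host, not a real deployment.
    spear = "https://spear.example.com/auth/callback"
    for candidate in ["http://spear.example.com/auth/callback",
                      "https://spear.example.com/auth/callback/"]:
        print(candidate, "->", redirect_uri_mismatch(candidate, spear))
```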

“Invalid client”

  • Verify Client ID is correct
  • Check if credentials were rotated

“Access denied”

  • User may not have permission in identity provider
  • Check email domain restrictions

Password reset email not received

  1. Verify SMTP is configured correctly
  2. Check spam/junk folders
  3. Verify user email address is correct
  4. Check SMTP logs for delivery errors

User logged out unexpectedly

  • Check session timeout settings
  • Verify secure cookie settings match HTTPS status
  • Check for IP address changes (VPN, mobile)

Can’t maintain session

  • Clear browser cookies
  • Check browser privacy settings
  • Verify clock synchronization