
Configure Google OIDC SSO

Learn how to set up Google SSO with OpenID Connect (OIDC).

Follow this guide to configure Google SSO using OpenID Connect (OIDC). To configure SSO using Sign in with Google instead, refer to the Sign in with Google guide.

Requirements

To configure Google OIDC SSO, you must:

  • Have admin permissions on Retool Cloud or permissions to add environment variables on self-hosted Retool instances.
  • Have permissions to create a Google OAuth Client.

1. Create a Google OAuth Client ID

Go to your Google Developer Console and create an OAuth client ID.

If you are asked to configure an OAuth consent screen, select Internal. Configure the app as a Web application and enter https://retool.your-company.com/oauth2sso/callback under Authorized redirect URIs > URIs.

Save your Client ID and Client secret.

2. Configure settings in Retool

Google requires the URL parameters access_type=offline and prompt=consent to obtain refresh tokens, so you should include these in your Auth URL variable.

Configure SSO settings in Retool.

When possible, use the Settings UI to configure SSO for a more streamlined setup. Existing environment variables pre-populate in the Settings UI, which you can override or preserve. Some settings are only available as environment variables.

On Retool Cloud and self-hosted Retool versions 3.16 and later, enter the settings in Settings > Single Sign-On (SSO).

| Setting | Example |
| --- | --- |
| Client ID | 22222222222-dq62o6pidgmgrem34fb07klc8qa1308t.apps.googleusercontent.com |
| Client secret | xxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| Scopes | openid email profile https://www.googleapis.com/auth/userinfo.profile |
| Auth URL | https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent |
| Token URL | https://oauth2.googleapis.com/token |
| Email key | idToken.email |
| First name key | idToken.given_name |
| Last name key | idToken.family_name |
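
The settings above can be sanity-checked before you save them. The following is an added example, not Retool's own code: the dictionary key names, the sample claims, and the dotted-key lookup in `resolve` are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample settings mirroring the table above (key names are hypothetical).
SETTINGS = {
    "auth_url": "https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent",
    "token_url": "https://oauth2.googleapis.com/token",
    "scopes": "openid email profile https://www.googleapis.com/auth/userinfo.profile",
    "redirect_uri": "https://retool.your-company.com/oauth2sso/callback",
    "email_key": "idToken.email",
    "first_name_key": "idToken.given_name",
    "last_name_key": "idToken.family_name",
}

# Constructed, already-decoded ID token claims (not a real token).
SAMPLE_TOKENS = {"idToken": {"email": "ada@example.com", "given_name": "Ada", "family_name": "Lovelace"}}

def resolve(path, tokens):
    """Walk a dotted key such as 'idToken.email'; return None if any part is missing."""
    node = tokens
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def check_settings(s, tokens):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    query = parse_qs(urlsplit(s["auth_url"]).query)
    # Google only issues refresh tokens when both parameters are present.
    for name, want in (("access_type", "offline"), ("prompt", "consent")):
        if query.get(name) != [want]:
            problems.append(f"Auth URL missing {name}={want} (no refresh token)")
    for label in ("auth_url", "token_url", "redirect_uri"):
        if urlsplit(s[label]).scheme != "https":
            problems.append(f"{label} must use https")
    if urlsplit(s["redirect_uri"]).path != "/oauth2sso/callback":
        problems.append("redirect URI path must be /oauth2sso/callback")
    missing = {"openid", "email"} - set(s["scopes"].split())
    if missing:
        problems.append(f"scopes missing: {sorted(missing)}")
    for label in ("email_key", "first_name_key", "last_name_key"):
        if resolve(s[label], tokens) is None:
            problems.append(f"{label} '{s[label]}' not found in token claims")
    return problems

if __name__ == "__main__":
    print(check_settings(SETTINGS, SAMPLE_TOKENS) or "settings look consistent")
```
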