Configure Google OIDC SSO

Learn how to set up Google SSO with OpenID Connect (OIDC).

📘

SSO with Google OIDC is only available for organizations on the Enterprise plan running self-hosted Retool.

📘

Follow this guide to configure Google SSO using OpenID Connect (OIDC). To configure SSO using Sign in with Google instead, refer to the Sign in with Google guide.

  1. Create a new Google OAuth Client ID.

     1. You might be asked to configure an OAuth consent screen. If that is required, select "Internal".

     2. Configure the app as a Web Application with the correct redirect URI.

  2. Obtain your Client ID and Client Secret.

  3. Translate this information into environment variables for Retool:

Here's an example of how you might configure your SSO integration:

CUSTOM_OAUTH2_SSO_CLIENT_ID=22222222222-dq62o6pidgmgrem34fb07klc8qa1308t.apps.googleusercontent.com
CUSTOM_OAUTH2_SSO_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
CUSTOM_OAUTH2_SSO_SCOPES=openid email profile https://www.googleapis.com/auth/userinfo.profile
CUSTOM_OAUTH2_SSO_AUTH_URL=https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent
CUSTOM_OAUTH2_SSO_TOKEN_URL=https://oauth2.googleapis.com/token
CUSTOM_OAUTH2_SSO_JWT_EMAIL_KEY=idToken.email
CUSTOM_OAUTH2_SSO_JWT_FIRST_NAME_KEY=idToken.given_name
CUSTOM_OAUTH2_SSO_JWT_LAST_NAME_KEY=idToken.family_name
CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES=45

📘

A few non-standard options

Google requires the URL parameters access_type=offline and prompt=consent in order to issue refresh tokens, which is why the CUSTOM_OAUTH2_SSO_AUTH_URL variable includes both of them. Google's access tokens also expire after 1 hour. By default, the Retool integration refreshes tokens only once they are older than 2 hours, which is after Google has already expired them. For this reason, the example also sets CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES to 45 so that tokens are refreshed before they expire.
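A small checker for the conditions this guide calls out (refresh-token parameters on the auth URL, the openid scope, claims read from the ID token, and a token lifespan shorter than Google's 1-hour expiry), written as an added example rather than Retool's own code. The environment sample is constructed from the variables above, with a placeholder secret and client ID.

```python
"""Sanity-check a Retool CUSTOM_OAUTH2_SSO_* configuration for Google OIDC.

Added example, not part of Retool. It flags the mistakes this guide warns
about before they surface as "login works once, then refresh fails".
"""
from urllib.parse import parse_qs, urlparse

GOOGLE_TOKEN_LIFETIME_MINUTES = 60  # Google access tokens expire after 1 hour

# Constructed sample env file (client ID and secret are placeholders).
SAMPLE_ENV = """
CUSTOM_OAUTH2_SSO_CLIENT_ID=PLACEHOLDER.apps.googleusercontent.com
CUSTOM_OAUTH2_SSO_CLIENT_SECRET=REPLACE_ME
CUSTOM_OAUTH2_SSO_SCOPES=openid email profile https://www.googleapis.com/auth/userinfo.profile
CUSTOM_OAUTH2_SSO_AUTH_URL=https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent
CUSTOM_OAUTH2_SSO_TOKEN_URL=https://oauth2.googleapis.com/token
CUSTOM_OAUTH2_SSO_JWT_EMAIL_KEY=idToken.email
CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES=45
"""


def parse_env(text):
    """Parse KEY=VALUE lines into a dict; blank lines and # comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        env[key.strip()] = value.strip()
    return env


def check_google_oidc(env):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    query = parse_qs(urlparse(env.get("CUSTOM_OAUTH2_SSO_AUTH_URL", "")).query)
    for param, expected in (("access_type", "offline"), ("prompt", "consent")):
        if query.get(param) != [expected]:
            problems.append(f"auth URL lacks {param}={expected}: Google will not issue refresh tokens")
    scopes = env.get("CUSTOM_OAUTH2_SSO_SCOPES", "").split()
    for scope in ("openid", "email"):
        if scope not in scopes:
            problems.append(f"scope '{scope}' missing from CUSTOM_OAUTH2_SSO_SCOPES")
    if not env.get("CUSTOM_OAUTH2_SSO_JWT_EMAIL_KEY", "").startswith("idToken."):
        problems.append("email claim should be read from the ID token (idToken.*)")
    # Unset means Retool's 2-hour default, which is longer than Google's 1-hour expiry.
    lifespan = int(env.get("CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES") or 0)
    if not 0 < lifespan < GOOGLE_TOKEN_LIFETIME_MINUTES:
        problems.append("lifespan must be below 60 minutes so tokens refresh before Google expires them")
    return problems


if __name__ == "__main__":
    print(check_google_oidc(parse_env(SAMPLE_ENV)) or "config OK")
```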