Configure Google OIDC SSO

Learn how to set up Google SSO with OpenID Connect (OIDC).


SSO with Google OIDC is only available for organizations on the Enterprise plan running self-hosted Retool.


Follow this guide to configure Google SSO using OpenID Connect (OIDC). Refer to the Sign in with Google guide to configure SSO using Sign in with Google.

  1. Create a new Google OAuth Client ID.

     1. You might be asked to configure an OAuth consent screen. If that is required, select "Internal".

     2. Configure the app as a Web Application with the correct redirect URI.

  2. Obtain your Client ID and Client Secret.

  3. Take this information and translate it into environment variables for Retool:

Here's an example of how you might configure your SSO integration:
CUSTOM_OAUTH2_SSO_SCOPES=openid email profile


A few non-standard options

Google requires the URL parameters access_type=offline and prompt=consent in order to obtain refresh tokens. This is why the CUSTOM_OAUTH2_SSO_AUTH_URL variable includes both of those in the URL. Google's tokens also expire after 1 hour. By default, our integration refreshes tokens if they are older than 2 hours. For this reason, we've also set the CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES variable to 45 in order to refresh the tokens more frequently.
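The following check is an added example, not part of Retool's documentation or code: it validates the three variables named on this page against the Google-specific requirements described above before deployment. The function names `parse_env` and `check_google_oidc` are hypothetical, and the sample values are constructed (the URL is Google's public OAuth 2.0 authorization endpoint).

```python
from urllib.parse import urlsplit, parse_qs

GOOGLE_TOKEN_LIFETIME_MINUTES = 60  # per the text above: Google's tokens expire after 1 hour

# Constructed sample covering only the three variables this page names.
SAMPLE_ENV = """\
CUSTOM_OAUTH2_SSO_SCOPES=openid email profile
CUSTOM_OAUTH2_SSO_AUTH_URL=https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent
CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES=45
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments (hypothetical helper)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # split once: the URL value contains '='
        env[key.strip()] = value.strip().strip("'\"")
    return env

def check_google_oidc(env):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if "openid" not in env.get("CUSTOM_OAUTH2_SSO_SCOPES", "").split():
        problems.append("CUSTOM_OAUTH2_SSO_SCOPES must include 'openid' for OIDC")
    parts = urlsplit(env.get("CUSTOM_OAUTH2_SSO_AUTH_URL", ""))
    if parts.scheme != "https":
        problems.append("CUSTOM_OAUTH2_SSO_AUTH_URL must be an https URL")
    query = parse_qs(parts.query)
    for name, wanted in (("access_type", "offline"), ("prompt", "consent")):
        # 'prompt' may hold several space-separated values, so match any of them.
        if not any(wanted in v.split() for v in query.get(name, [])):
            problems.append(f"CUSTOM_OAUTH2_SSO_AUTH_URL lacks {name}={wanted}; "
                            "Google will not issue a refresh token")
    key = "CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES"
    raw = env.get(key, "")
    if not raw.isdigit():
        problems.append(f"{key} is unset or not a number; the 2-hour default "
                        "outlasts Google's 1-hour tokens")
    elif not 0 < int(raw) < GOOGLE_TOKEN_LIFETIME_MINUTES:
        problems.append(f"{key}={raw} must be between 1 and "
                        f"{GOOGLE_TOKEN_LIFETIME_MINUTES - 1} minutes")
    return problems

if __name__ == "__main__":
    for line in check_google_oidc(parse_env(SAMPLE_ENV)) or ["OK"]:
        print(line)
```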