Configure Sign in with Google

Learn how to configure Sign in with Google for SSO on self-hosted deployments.

You can configure SSO using the Sign in with Google following this guide. This guide applies to Retool Cloud and self-hosted deployments.

note

Follow this guide to configure Sign-in with Google. Refer to the Google SSO with OpenID Connect guide to configure Google SSO using OIDC.

1. Configure Google OAuth client

If you are prompted to configure a consent screen, select Internal as the User type.

Click Create Credentials > OAuth client ID to create a Google OAuth client. Use the following settings if you have a custom domain set on your organization.

Setting name	Setting values
Application type	Web application
Authorized JavaScript origins	`https://<your_base_domain>.com`
Authorized redirect URIs	`https://<your_base_domain>.com/oauth/oauthcallback` `https://<your_base_domain>.com/oauth/oauth` `https://<your_base_domain>.com/oauth/oauthcallback/mobile` (for Retool Mobile only)

If you are using Retool Cloud, you must also set the following authorized redirect URIs to enable Sign-in with Google:

https://login.retool.com/oauthcallback
https://login.retool.com/oauthcallback/cli
https://login.retool.com/oauth/oauthcallback

2. Update settings in Retool

Click on your new OAuth application in the Credentials tab, and copy the Client ID and Client secret.

Retool Cloud
Self-hosted deployments

Visit Settings > Custom SSO, select Google SSO, and add your Client ID and Client Secret.

In your docker.env file, set your Client ID and Client Secret as the values of the CLIENT_ID and CLIENT_SECRET environment variables. Set the BASE_DOMAIN environment variable as well so Google redirects requests correctly.

If you use Kubernetes Secrets, place the base64-encoded version of these strings inside your Kubernetes secrets file instead of in docker.env.

CLIENT_ID={YOUR_GOOGLE_CLIENT_ID}
CLIENT_SECRET={YOUR_GOOGLE_CLIENT_SECRET}

To automatically provision users on sign-in, set the DEFAULT_GROUP_FOR_DOMAINS environment variable.

DEFAULT_GROUP_FOR_DOMAINS=example1.org -> admin, example2.com -> viewer

If you want to restrict sign-in to SSO and remove the option for users to sign in with a username and password, add the RESTRICTED_DOMAIN environment variable.

RESTRICTED_DOMAIN=yourcompany.com

When setting RESTRICTED_DOMAIN, do not include the protocol or subdomain where you have Retool deployed. Only use yourcompany.com, which should match the email address users use to sign in. See the environment variables reference for more details.

Restart the Retool instance

Restart your Retool instance to reload the configuration and enable Google SSO. If you use Docker, you can restart the instance with docker-compose up.

sudo docker-compose up -d

1. Configure Google OAuth client​

2. Update settings in Retool​

Restart the Retool instance​

1. Configure Google OAuth client

2. Update settings in Retool

Restart the Retool instance