External users unable to log in to retool app via google and unable to reset password

We have 2 external users who are facing the same issues. They signed up via google auth and they are now unable to log in via google. Trying to do so will bring them to a loop and they will be redirected back to the log in page again and again.

We have asked them to

  1. reinstall the app
  2. log in and log out of their google accounts
  3. Reset password (with forget password)
  4. Reset password (with reset password link)

Methods 1 to 2 did not work, 3 and 4 resulted in "Failed to confirm password reset, invalid token".

This problem has come up a few times and we had to reset the users password by ourselves and give them a temporary password. It is not ideal when you have lots of users. Please help resolve. We are using retool cloud

Hi @Alexis_Liu, welcome to the forum! :wave:

I'm sorry your users are experiencing this issue. This post should help with getting them access to the org again:

On the other hand, do you have a custom domain?

Hi Paulo,

After reading the article, I assume you are suggesting we turn on passwordless login, and we will need to reset their google login for that to work? Or we do not have to do that?

I am not sure if this solves the problem of google login leading them into a loop.

We do have a custom domain.

That's correct. I recommend enabling passwordless login for your users so they can reset their Google Login and be prompted to set a new password. This will allow them to log back in using their email and password credentials.

When we have a custom domain, signing in with Google is not available by default:

The reason is that Google expects a fixed list of domains from which the requests will come, and we can't account for every possible custom domain.

I believe the root cause of this issue is that on the user invite email, we include a button to Sign up with Google, this button should not be present if we have a custom domain. If your users were able to sign up with Google in the first place, that means there's a bug on our end.

  • Were the invites sent out before a custom domain was set up?
  • If not, could you confirm with your users if they see this button on the invite email?

To make sure I understand what you are saying here:
What happened was during invite, the external user signed up via google (button should not exist) whilst on our custom domain. If they use that method, they will face the issue I have stated above?

I've checked our invites and yes they will see the Google sign up button on their email. The invites were also sent out after we had custom domain enabled. You are right that there is a bug.

That being said, for our Retool Mobile app, which is mostly used by external users, there is the ability to log in via google and that directs users to .retool.com - not sure if that should have avoided the issue.

That is correct. If you have a custom domain set up, the Sign up with Google button should only be present if you have configured Google SSO. We just tested this on our end and it seems to be working fine. For example, here is the 'Claim invitation page' from an org without Google SSO configured:

So there are two things that could be going on here:

  1. We have Google SSO set up but there's an issue with the configuration.
  2. The invite email is redirecting the end user to the non-custom domain.

To check the first one:
Do you have Google SSO set up? You can find this under your org's settings.

Context on the second one:
On the non-custom domain, we always show Google SSO. This is what makes me think that maybe your users have been redirected to the non-custom domain (e.g. mysubdomain.retool.com/auth/invite/3243....)

From the same doc:

The Sign in with Google option is not available by default when accessing the login page using your custom domain. You must configure Google SSO for your custom domain to make it available. Users can still log in using Sign in with Google at <your_subdomain>.retool.com/auth/login or login.retool.com/auth/login until you make this change.

This is the reason why your users are still able to log in by clicking that button on the Mobile App, they are redirected to the non-custom domain.

We are on the business plan, which means we do not have access to SSO (enterprise) and it is not turned on.

It is likely the second scenario, I'll send you an invite.

Custom SSO is only available on Enterprise but Google SSO is now available on a Business plan.:slightly_smiling_face:

The last screenshot I shared is from an organization on a Business plan. Could you confirm that your SSO settings are set to None?

Here's what I see on mine


We can log in via google so i assume Google SSO settings are turned on but I cant seem to find where it is.

It is very strange to me that our company's settings are tied to an external apps' log in methods when external users are unable to use it. What do you recommend us to do next?

We should be able to set up SSO on a Business plan, as the feature was recently added to this plan. The fact that you don't see the option makes me think it is, in fact, a bug on our end.

I surfaced this internally. While we figure out why you don't see this option (and fix it), there are two things we can do:

  1. Remove the custom domain for the time being.
  2. Create a custom login page and attach this event handler to a button:

However, the sign-in page users will be redirected to when they click the button will show Retool.com as the domain instead of your custom domain.

I'm sorry for the delayed response. We were out of the office for the holidays.

Happy New Year! :slightly_smiling_face:

@Alexis_Liu, please recheck your organization's SSO settings and let us know if you still don't see the option to set up Google SSO.

I have the same problem except I am not an external user and we do not have a custom domain:

Trying to log in with Google Auth starts a loop, and I am redirected back to the log in page again and again. Interestingly, I did get an email notification that I logged in from X.Y.Z IP address, so retool thinks I am logging in.

1 Like

Are we using a custom login page or the Retool managed one?