We have 2 external users who are facing the same issues. They signed up via Google Auth and they are now unable to log in via Google. Trying to do so will bring them to a loop and they will be redirected back to the login page again and again.
We have asked them to:
1. Reinstall the app
2. Log in and log out of their Google accounts
3. Reset password (with forget password)
4. Reset password (with reset password link)
Methods 1 to 2 did not work, 3 and 4 resulted in "Failed to confirm password reset, invalid token".
This problem has come up a few times and we had to reset the users' passwords by ourselves and give them a temporary password. It is not ideal when you have lots of users. Please help resolve. We are using Retool Cloud.
After reading the article, I assume you are suggesting we turn on passwordless login, and we will need to reset their Google login for that to work? Or we do not have to do that?
I am not sure if this solves the problem of Google login leading them into a loop.
That's correct. I recommend enabling passwordless login for your users so they can reset their Google Login and be prompted to set a new password. This will allow them to log back in using their email and password credentials.
When we have a custom domain, signing in with Google is not available by default:
The reason is that Google expects a fixed list of domains from which the requests will come, and we can't account for every possible custom domain.
I believe the root cause of this issue is that on the user invite email, we include a button to Sign up with Google, this button should not be present if we have a custom domain. If your users were able to sign up with Google in the first place, that means there's a bug on our end.
Were the invites sent out before a custom domain was set up?
If not, could you confirm with your users if they see this button on the invite email?
To make sure I understand what you are saying here:
What happened was during invite, the external user signed up via Google (button should not exist) whilst on our custom domain. If they use that method, they will face the issue I have stated above?
I've checked our invites and yes they will see the Google sign up button on their email. The invites were also sent out after we had a custom domain enabled. You are right that there is a bug.
That being said, for our Retool Mobile app, which is mostly used by external users, there is the ability to log in via Google and that directs users to .retool.com - not sure if that should have avoided the issue.
That is correct. If you have a custom domain set up, the Sign up with Google button should only be present if you have configured Google SSO. We just tested this on our end and it seems to be working fine. For example, here is the 'Claim invitation page' from an org without Google SSO configured:
Context on the second one:
On the non-custom domain, we always show Google SSO. This is what makes me think that maybe your users have been redirected to the non-custom domain (e.g. mysubdomain.retool.com/auth/invite/3243....)
The Sign in with Google option is not available by default when accessing the login page using your custom domain. You must configure Google SSO for your custom domain to make it available. Users can still log in using Sign in with Google at <your_subdomain>.retool.com/auth/login or login.retool.com/auth/login until you make this change.
This is the reason why your users are still able to log in by clicking that button on the Mobile App: they are redirected to the non-custom domain.
We can log in via Google so I assume Google SSO settings are turned on but I can't seem to find where it is.
It is very strange to me that our company's settings are tied to an external apps' log in methods when external users are unable to use it. What do you recommend us to do next?
We should be able to set up SSO on a Business plan, as the feature was recently added to this plan. The fact that you don't see the option makes me think it is, in fact, a bug on our end.
I surfaced this internally. While we figure out why you don't see this option (and fix it), there are two things we can do:
Remove the custom domain for the time being.
Create a custom login page and attach this event handler to a button:
I have the same problem except I am not an external user and we do not have a custom domain:
Trying to log in with Google Auth starts a loop, and I am redirected back to the login page again and again. Interestingly, I did get an email notification that I logged in from X.Y.Z IP address, so Retool thinks I am logging in.