Getting FIDO2 error when attempting a Google OAuth resource connection

Goal: Connect to the Google Admin SDK API

I followed the steps in Retool Docs

Details: When logging in either with the "share credentials between users" option enabled or not (from the resource settings or the frontend of the app) the flow ends with an error.

  1. Log in from the app:
  2. Click Authenticate
  3. Every time, reach this page: https://oauth.retool.com/oauth/redirectToIdp
{"success":true,"message":"FIDO2 Not Setup"}

What could be causing this error? I never even get to a Google page, so it doesn't seem to be account specific. It seems to be on Retool's side.

The error stops when all FIDO2 methods are removed from the account (which, obviously, isn’t a viable solution). After removing FIDO2, it revealed some configuration errors that, as discussed with the team, seem to stem from unclear instructions in the docs (I'll add a request below to look at the docs).

After correcting the configuration issues, Google OAuth login works successfully. However, when FIDO2 is added back to the Retool account—which is a requirement for us—the original issue reappears.


Specifically, I’d like to request that the documentation clarify that BASE_URL should not be your application URL if you’re using the cloud option. Instead, when using the cloud option, it should be oauth.retool.com.

Welcome to the community forum, @explore! Thanks for bringing this up.

I've spent some time testing and can confirm that enabling FIDO2 breaks the OAuth2 authorization flow on Cloud, specifically. It's worth noting that OTP still works, at least. :sweat_smile:

The root of the issue seems to be that the FIDO2 key is generated on a different domain than the one on which we're doing the authorization. The user is trusted for the initial authorization step but that trust doesn't persist through to the /oauth/redirectToIdp page. This is definitely behavior that is unique to the Cloud platform, for that reason. The same authorization flow in an OnPrem instance works just fine.

I've talked to our dev team and reported the issue, so we should hopefully have this functioning relatively quickly! I'll provide updates here as soon as possible.

I'll also talk to the docs team about adding differentiated instructions to that page in order to better support Cloud users. :+1:
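
The domain mismatch described in the reply above, shown as an added example that is not part of the original thread and is not Retool's code: a WebAuthn (FIDO2) credential is scoped to a relying party ID, and a page can only use it when that RP ID equals the page's host or is a parent-domain suffix of it. The hostnames are constructed placeholders standing in for an app host and a shared OAuth host, and the function names are hypothetical.

```javascript
// WebAuthn RP ID scoping check (added illustration, not Retool's implementation).
// Assumption: real browsers consult the Public Suffix List to reject RP IDs
// such as "com"; this sketch approximates that by requiring two or more labels.
// It also ignores the browser exception that treats http://localhost as secure.
function rpIdAllowedForOrigin(rpId, origin) {
  const url = new URL(origin);
  if (url.protocol !== "https:") return false; // secure context required
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (id.split(".").length < 2) return false; // crude public-suffix guard
  // Exact match, or the host is a subdomain of the RP ID (dot-anchored suffix).
  return host === id || host.endsWith("." + id);
}

// What a second-factor step on `origin` can do with a credential that was
// registered under `registeredRpId`.
function checkAssertion(registeredRpId, origin) {
  return rpIdAllowedForOrigin(registeredRpId, origin)
    ? { ok: true, reason: "rp_id_in_scope" }
    : { ok: false, reason: "rp_id_mismatch" };
}

// Constructed scenarios: key registered on the app host, then requested on a
// sibling OAuth host, versus a key registered under the shared parent domain.
function runScenarios() {
  const cases = [
    ["tenant.example.com", "https://tenant.example.com/app"],
    ["tenant.example.com", "https://oauth.example.com/oauth/redirectToIdp"],
    ["example.com", "https://oauth.example.com/oauth/redirectToIdp"],
    ["example.com", "https://evil-example.com/"],
  ];
  return cases.map(([rpId, origin]) => ({
    rpId,
    origin,
    ...checkAssertion(rpId, origin),
  }));
}

for (const r of runScenarios()) {
  console.log(`${r.rpId} @ ${r.origin} -> ${r.reason}`);
}
```

The second scenario is the failing shape: a key bound to one subdomain is out of scope on a sibling subdomain, while OTP has no such origin binding.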

The same issue for our company. Please keep us updated ASAP on this issue. It breaks our security policies.


Hear you loud and clear, @Denis_MLoan! Welcome to the community forum. :slight_smile:

Update - a fix for this issue came out with version 3.82 and should be live now!

Hi @Darren, thanks for the update. I can confirm it seems to work for me now, authorizing with a FIDO key enabled on my Retool account. I appreciate the quick turnaround once you were aware of the issue.


Thanks! Your fix works for us!
