diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index f7ecfb68847..82dc3dc2e13 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -1165,8 +1165,8 @@ en:
     enable_google_oauth2_logins: "Enable Google Oauth2 authentication. This is the method of authentication that Google currently supports. Requires key and secret."
     google_oauth2_client_id: "Client ID of your Google application."
     google_oauth2_client_secret: "Client secret of your Google application."
-    google_oauth2_prompt: "[Type of prompt](https://developers.google.com/identity/protocols/OpenIDConnect#prompt) that the authorization server will show to the user. "
-    google_oauth2_hd: "[Google Apps Hosted domain](https://developers.google.com/identity/protocols/OpenIDConnect#hd-param) that the sign-in will be limited to"
+    google_oauth2_prompt: "A space-delimited list of string values that specifies whether the authorization server prompts the user for reauthentication and consent. See https://developers.google.com/identity/protocols/OpenIDConnect#prompt for the possible values."
+    google_oauth2_hd: "Google Apps Hosted domain that the sign-in will be limited to. See https://developers.google.com/identity/protocols/OpenIDConnect#hd-param for more details."
     enable_twitter_logins: "Enable Twitter authentication, requires twitter_consumer_key and twitter_consumer_secret"
     twitter_consumer_key: "Consumer key for Twitter authentication, registered at https://apps.twitter.com/"
diff --git a/config/site_settings.yml b/config/site_settings.yml
index c692b9887d3..dc15dc66cd3 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -255,6 +255,15 @@ login:
     default: false
   google_oauth2_client_id: ''
   google_oauth2_client_secret: ''
+  google_oauth2_prompt:
+    default: ''
+    type: list
+    choices:
+      - 'none'
+      - 'consent'
+      - 'select_account'
+  google_oauth2_hd:
+    default: ''
   enable_yahoo_logins:
     client: true
     default: false
diff --git a/lib/auth/google_oauth2_authenticator.rb b/lib/auth/google_oauth2_authenticator.rb
index dcee38d217f..a2804081935 100644
--- a/lib/auth/google_oauth2_authenticator.rb
+++ b/lib/auth/google_oauth2_authenticator.rb
@@ -51,15 +51,25 @@ class Auth::GoogleOAuth2Authenticator < Auth::Authenticator
   end
 
   def register_middleware(omniauth)
+    options = {
+      setup: lambda { |env|
+        strategy = env["omniauth.strategy"]
+        strategy.options[:client_id] = SiteSetting.google_oauth2_client_id
+        strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret
+      },
+      skip_jwt: true
+    }
+
+    if (google_oauth2_prompt = SiteSetting.google_oauth2_prompt).present?
+      options[:prompt] = google_oauth2_prompt.gsub("|", " ")
+    end
+
+    google_oauth2_hd = SiteSetting.google_oauth2_hd
+    options[:hd] = google_oauth2_hd if google_oauth2_hd.present?
+
     # jwt encoding is causing auth to fail in quite a few conditions
     # skipping
-    omniauth.provider :google_oauth2,
-      setup: lambda { |env|
-        strategy = env["omniauth.strategy"]
-        strategy.options[:client_id] = SiteSetting.google_oauth2_client_id
-        strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret
-      },
-      skip_jwt: true
+    omniauth.provider :google_oauth2, options
   end
 
 protected
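Review bot: Sending `hd` in the authorization request (the `options[:hd] = google_oauth2_hd` line) only pre-filters Google's account chooser; it is a browser redirect parameter that the user can strip from the URL, and Google documents it as a UI hint rather than an access control, so sign-in is not actually "limited to" the hosted domain as the new setting description claims unless the callback verifies the `hd` claim on the identity Google returns. With `skip_jwt: true` the strategy presumably does not decode the ID token, so that check would have to compare the domain reported in the userinfo response against `SiteSetting.google_oauth2_hd` and reject the login on mismatch; that callback handling lives outside this hunk, so if it already exists a pointer comment here such as `# hd only filters the account picker; the callback must still verify the hd claim` would stop a future reader from relying on this line alone. A smaller point: `prompt` and `hd` are read once when the middleware is registered, while `client_id`/`client_secret` are read per request inside the `setup` lambda, so changing either new setting silently needs a process restart while the other two do not. Moving the two assignments into the lambda, e.g. `strategy.options[:hd] = SiteSetting.google_oauth2_hd if SiteSetting.google_oauth2_hd.present?`, would keep the four settings consistent, assuming the strategy reads these options at request time.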