Last tested: Sep 26, 2019
This generally occurs when the user's email domain (eg @looker.com) hasn't been added to the 'Authorized Domain' list on the OAuth side.
This can also occur if the user's domain has not been verified on the GSuite / Oauth side.
Note that even if the user's email address ends in the correct domain (eg @looker.com), that does not necessarily mean that it is registered with GSuite under the looker.com domain. The user must be registered with the correct GSuite account for that domain in order for the "hd" field to be passed in the Decoded ID Token that Looker receives from OAuth, which is the parameter used to match the user's domain against the Authorized Domain list on the OAuth side.
If the “hd” field in the JSON response of the Google Oauth test is empty, then make sure that the user has a managed account.