OAuth Error: User not in the authorized domain(s)

Knowledge Drop

Last tested: Sep 26, 2019
 

This generally occurs when the user's email domain (e.g., @looker.com) hasn't been added to the 'Authorized Domain' list on the OAuth side.

This can also occur if the user's domain has not been verified on the G Suite / OAuth side.

Note that even if the user's email address ends in the correct domain (e.g., @looker.com), that does not necessarily mean it is registered with G Suite under the looker.com domain. The user must be registered with the correct G Suite account for that domain in order for the "hd" field to be passed in the decoded ID token that Looker receives from OAuth. The "hd" field is the parameter used to match the user's domain against the Authorized Domain list on the OAuth side.
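To see which case applies, the claims of the ID token can be decoded and the "hd" field compared with the email suffix. The following is an added troubleshooting example, not Looker's code: the tokens are constructed and unsigned, and the function names, the example.com domains and the case-insensitive exact match are assumptions.

```python
import base64
import json


def decode_id_token_payload(id_token: str) -> dict:
    """Decode the claims segment of a JWT without verifying its signature.
    Troubleshooting only: unverified claims must never drive authorization."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def diagnose_domain(claims: dict, authorized_domains: list) -> str:
    """Classify why a login would or would not match the Authorized Domain list."""
    allowed = {d.lower().lstrip("@") for d in authorized_domains}
    hd = (claims.get("hd") or "").lower()
    email_domain = claims.get("email", "").rpartition("@")[2].lower()
    if hd and hd in allowed:
        return "ok"
    if not hd:
        # Address may end in the right domain, yet the account is not managed
        # under that domain, so no "hd" claim is issued.
        if email_domain in allowed:
            return "hd-missing-email-matches"
        return "hd-missing"
    return "hd-not-authorized"  # managed account, domain not on the list


def _make_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (placeholder signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])


# Constructed samples: managed account, unmanaged account, unlisted domain.
MANAGED = _make_token({"email": "a@example.com", "hd": "example.com"})
UNMANAGED = _make_token({"email": "b@example.com"})
OTHER = _make_token({"email": "c@other.example", "hd": "other.example"})

if __name__ == "__main__":
    for name, tok in [("managed", MANAGED), ("unmanaged", UNMANAGED), ("other", OTHER)]:
        print(name, diagnose_domain(decode_id_token_payload(tok), ["example.com"]))
```

A result of `hd-missing-email-matches` corresponds to the case described above: the address ends in the right domain, but the account is not registered under it.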


This content is subject to limited support.                

Comments
sam8
Staff

If the “hd” field in the JSON response of the Google OAuth test is empty, then make sure that the user has a managed account.

Version history
Last update: 07-07-2021 01:15 PM