google service account - some users not having access even when we have permission for the whole domain

We are having domain level permissions for a customer and are using service account for getting access tokens. This is working alright for all users except one and we get access_denied error.

I am trying to access imap api.

Also, what does access_denied error mean? Is there a document that describes each oauth2 error on detail?

Solution

You can get access_denied error for a subset of users if the domain administrator turns off your app for an Organizational Unit (OU) containing the users.

See https://support.google.com/a/answer/182537?hl=en

How can I obtain an OAuth refresh token for a G Suite Add-on running on Apps Script?
Electron Google Login: "This browser or app may not be secure"
I need to add a privacy policy to my flutter web app for Google verification
Limiting the scopes of an OAuth 2.0 flow
Why do i need to specify redirect_uri if i am authenticating from server side?
New Google place api using google OAuth, ask failed to refresh token
Access token obtained with 'auth-code' login flow with 'drive.file' scope, later used for picking file and on the server returns "entity not found"
passportjs + googleoauth20 + express-session (valkey store optional) req.user undefined
PHPMailer getOAuth2token response to div
Google AdWords API authorization raising AdsCommon::Errors::AuthError
Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
Cross-client Google OAuth: Get auth code on iOS and access token on server
Google Authenticator available as a public service?
Google OAuth components must be used within GoogleOAuthProvider
Access google cloud storage bucket from other project using python
Django Google log-in/sign up not working even though django-oauth
How to obtain android app version code using Google Api?
Problems with ShinyApp and Google authentification, when making Public
testing google sheet editor addon fails with error 403
Google API Invalid JWT Signature in SFCC
Google Classroom iframe, compare login_hint with signed in user
Origin is "not allowed" for given client ID when origin was added
Issue when trying to register an app for consent screen in google oauth
Correct setup for accessing a GSheet published as a webapp via a service account
How to set up Google OAuth clients to split authorization and token exchange between client and server?
Get 403 response with the "new" Firebase Cloud Messaging API
Google OAuth 2.0 Flow Issue (Implicit)
Unable to fetch access token and refresh token from google OAuth2.0 using the authorized code
How should I use the id token returned to me by Google after a successful code exchange?
Google Cloud Platform adding OAuth Client ID says Requested entity already exists