Prior to Google's restructuring of Cloud API access, I had a gmail account that had access to a bunch of Google Analytics accounts, through which I established API access via OAuth credentials for a large number of sites. They changed their policies and began requiring domains to be verified before they could access credentials. This was the case for "public" applications, but if you switched it to "private" the domain verification no longer mattered. I had to do this because making the project public was a violation of the TOS. However, this coincided with the introduction of GCP's IAM permissions setup that forced me to create an "organization" and a "project" - and also forced me to create a Google Cloud Identity.
The stipulation of a private project was that you can only grant access to accounts under your organization. I added my gmail account to the organization and gave it administrative permissions.
So, I'm here: I set up new OAuth credentials for a new site, then try to access the API through those credentials. During the initial authorization screen, it asks me to select the appropriate Google account, and then is SUPPOSED to ask me to allow access. Instead, I get this error:
Authorization Error
Error 403: org_internal
This client is restricted to users within its organization.
BUT, the account I selected has been established as an administrator of the organization under which the API project resides! I have tried a billion different things, and the only way I seem to be able to grant access to ANYTHING is if I create the credentials under a different project and the log in with the GCI account. HOWEVER, that's not the account that has access to the Google Analytics, so it doesn't help me one bit.
To top it all off, Google has absolutely no support for this. They send me here, to Stack Overflow, to get support. Can anyone help?
Linking an external email address does NOT make that identity part of the organization. Create a new identity based inside the organization. If your organization is example.com, create an identity such as john@example.com and use that identity. Your other option is to remove the restriction.