Not the Right Scope

My customer uses Google GSuite in his organization (a no-profit one), and wanted to use already existing accounts to login in my application. Quite easy, as Google is already implemented in Laravel Socialite.

But default configuration for Google in Socialite includes scopes for Google+ API, to access profile informations, and that's not always the case. At least, it was not the case in my situation: eventually the reference Google Apps organization had no Google+ enabled, so as login with classic @gmail.com accounts worked, the organization's accounts with custom domain failed miserably.

Solution: fix the scopes and get informations elsewhere. Replace

return Socialite::driver('google')->redirect();  

with

$scopes = [
   'https://www.googleapis.com/auth/userinfo.email',
   'https://www.googleapis.com/auth/userinfo.profile'
];
return Socialite::driver('google')->scopes($scopes)->redirect();  

and everything is OK.

I don't know if the issue is common for all Google GSuite for no-profit instances, but if you obtain the infamous invalid_grant error this is worth a try.