google: allow to specify suggested domain

[bgentry]

This pulls in thomseddon#293, whose description reads:

As per the Google OIDC docs, the hd parameter may be used to suggest the domain the user may login with:
https://developers.google.com/identity/protocols/oauth2/openid-connect#hd-param

In effect, the Google account chooser only displays accounts with that very domain, which simplifies the process for users with very long account lists.

This will let us restrict our auth wall to only show accounts from the Mux domain, simplifying the auth wall flow if anybody happens to be logged in to other Google accounts.

[bgentry]

@com6056 it doesn't seem I can request a review on this repo but this seems up your alley!

[com6056]

any chance we can just use the same domain as specified with --domain so we don't have to specify it twice? although looks like it would allow multiple domains, maybe we can just grab the first one: https://github.com/muxinc/traefik-forward-auth/blob/master/internal/config.go#L35

[bgentry]

Up to you if you want me to go down that route. I would prefer to just add the 2nd config, because these map to independent parameters in Google's OpenID Connect flow and have slightly different purposes. Also it seems unlikely we will ever need to change the domains we're authenticating against, so that config overhead is pretty low IMO.

Plus if we use a trick like "always grab the first entry from domains" then there's more potential to break this by accidentally specifying the domain list in the "wrong" order.

[com6056]

Makes sense, this approach works for me, thanks!

[bgentry]

FYI I'm not an owner here so I can't take this any further than opening the PR :)