CSRF protection for OAuth flow.

[jehiah]

This implements CSRF protection for the initiation and termination of the OAuth flow. (thanks @arnottcr and @TheRook for the contribution).

Fixes #336, #321

[colemickens]

@jehiah / @arnottcr Can you help me understand specifically why this PR was submitted?

I'm using oauth2 proxy at https://auth.mydomain.tld to protect a resource https://super-secret.mydomain.tld.

RE: this specific function: 55085d9#diff-6fd8df33d9f8086bc31e28c375fbc0abL387

AFAICT, this code means that hitting https://auth.mydomain.tld/oauth2/start?rd=https://super-secret.mydomain.tld will never work, because the redirect is always reset to /.

Does it ever make sense to relax this?

[colemickens]

I may not have linked the exact right location in code, there are a couple functions that "filter" the redirect down to '/'.

It seems like this was done for security reasons. Would it be sufficient to accept a list of domains to respect? (For example, I am already having oauth2proxy set the cookie domain to mydomain.tld, can I also have a --redirect-whitelist=mydomain.tld or some such?