SSO with traefik forward auth with Google Oauth2

Traefik Forward Auth is incredibly useful to secure services with an additional layer of authentication, provided by an OIDC-compatible provider. The simplest possible provider is a self-hosted instance of Dex, configured with a static username and password. This is not much use if you want to provide "normies" access to your services though - a better solution would be to validate their credentials against an existing trusted public source.

This is a companion discussion topic for the original entry at

When utilizing “WHITELIST” the comma separated value list cannot have spaces. Took me awhile to figure out why “[email protected]” wouldn’t authorize and realized I had " [email protected]" (notice the leading space).