If a user picks the wrong Google account or just doesn't have access, they'll get a "Not Authorized" 401. How do they reattempt authorization at that point?
I tried manually deleting the _forward_auth cookie both from example.com and oauth.example.com (I am using an AUTH_HOST as I have lots of subdomains) and that didn't work. Where else does this cookie persist? Can I somehow provide a "try again" button?