use the Get Members Google Directory API call instead of hasMembers, which has this bug.
remove the constraint, that the user in the group must be a member of the HOST_DOMAIN. The assumpion is, when using a group for authorization, non-members of the host domain are permitted.
This resolves https://github.com/Widen/cloudfront-auth/issues/52 by making the following two changes: