oauth: What format is `allowed_domains` in?

[aragilar]

It could be bare domains, include ports or subpaths, or something else?

See #22 for context.

[mbtaylor]

One possibility would be an origin (or list of origins), as defined by RFC6454. Origin is a triple of scheme, hostname and port, and has the benefit that it's been thought through from a security perspective. But it's no good as it stands if we want to restrict on subpath as well.