[auth/gcp] Adding basic google web auth flow capabilities (#231)

* initial WIP

* removing IAM verifier, cleaning up verify logic

* docs

* hooking in custom exception func

* renaming file

* removing unneeded client

* ensuring cookie is cleared

* cleaning up var declarations

* fixing the logger

* Forbids instead of redirecting

* cleaned up verify logic

* state cleanup

* simplifying logic

* avoiding a verify of an empty token

* adding some initial authenticator tests, callback still needs coverage

* adding some callback tests

* making notes in README

README.md

@@ -70,6 +70,8 @@ The `auth/gcp` package provides 2 Google Cloud Platform based `auth.PublicKeySou
 * The "Identity" key source and token source rely on GCP's [identity JWT mechanism for asserting instance identities](https://cloud.google.com/compute/docs/instances/verifying-instance-identity). This is the preferred method for asserting instance identity on GCP.
 * The "IAM" key source and token source rely on GCP's IAM services for [signing](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signJwt) and [verifying JWTs](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys/get). This method can be used outside of GCP, if needed and can provide a bridge for users transitioning from the 1st generation App Engine (where Identity tokens are not available) runtime to the 2nd.
 
+The `auth/gcp` package also includes an `Authenticator`, which encapsulates a Google Identity verifier and [`oauth2`](https://godoc.org/golang.org/x/oauth2) credentials [to manage a basic web auth flow.](https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token)
+
 
 #### [`config`](https://godoc.org/github.com/NYTimes/gizmo/config)