Commit e245ef48 switched dependency management from dep to go module.

This should be reflected in `CONTRIBUTING.md`.

Some code improvements

* Remove shadowing of predeclared identifier: new.
* strings.ReplaceAll instead of strings.Replace with -1.
* Change strings.ToLower comparison to strings.EqualFold.
* Rewrite if-else-if-else chain as a switch.

docker: build from debian buster

Signed-off-by: Dhi Aurrahman <dio@tetrate.io>

Fix permalinks for configuration and sessions

Escape original request URI in sample kubernetes ingress configuration

The current sample configuration for kubernetes ingress demonstrates
using the `auth-signin` annotation to redirect a user to oauth2_proxy's
signin page. It constructs the link to do so by directly concatenating
`$request_uri` as the `rd` parameter, so the sign-in page knows where to
send the user after signin is complete.

However, this does not work correctly if the original request URI
contains multiple query parameters separated by an ampersand, as that
ampersand is interpereted as separating query parameters of the
`/oauth2/start` URI. For example:

If the user requests a URL:
  https://example.com/foo?q1=v1&q2=v2
they may be redirected to the signin url
  https://example.com/oauth2/start?rd=https://example.com/foo?q1=v1&q2=v2
and after completing signin, oauth2_proxy will redirect them to
  https://example.com/foo?q1=v1

nginx-ingress added an $escaped_request_uri variable about a year ago,
to help resolve this kind of issue
(https://github.com/kubernetes/ingress-nginx/pull/2811)

More fully support X-Auth-Request-Redirect header

Add keycloak provider

Bump nokogiri from 1.10.1 to 1.10.4 in /docs

Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.1 to 1.10.4.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.10.1...v1.10.4)

Signed-off-by: dependabot[bot] <support@github.com>

Docs showed that the X-Auth-Request-Redirect header can specify a redirect URI, but only the rd POST parameter was being honored
This fixes that.

Update changelog for v4.0.0 release

Add a new provider for Bitbucket,
can be configured from the options
specifying team and/or repository
that the user must be part/have access
to in order to grant login.

Made setting of proxied headers deterministic based on configuration alone

alone

Previously some headers that are normally set by the proxy (and may be
replied upstream for authorization decisiions) were not being set
depending on values in the users sesssion.

This change ensure that if a given header is sometimes set, it will
always be either set or removed.

It might be worth considerating always deleting these headers if we
didn't add them.

Fix links in docs

Docs only:  format Command Line Options using a table

Fix some typos

Add OIDC support for UserInfo Endpoint Email Verification