Support multiple OIDC redirect URIs #25408

Draft
ibdafna wants to merge 1 commit into coder:main from ibdafna:feat/oidc-redirect-allowed-hosts


@ibdafna ibdafna commented May 15, 2026

This PR adds a new opt-in setting, CODER_OIDC_REDIRECT_ALLOWED_HOSTS, that lets a single Coder deployment complete OIDC login on more than one hostname. When the allowlist is non-empty, Coder picks the OIDC redirect_uri based on the incoming request's Host header (validated against the list) instead of always using the static URL derived from CODER_ACCESS_URL. When unset, the (default) behavior is identical to today.

The motivation is that a single Coder deployment is frequently reachable via multiple hostnames - for example, an internal hostname for users on a corporate VPN and a different hostname routed through a zero-trust gateway for users off-VPN - but OIDC login today only works on whichever single hostname CODER_ACCESS_URL points to, because the redirect_uri sent to the IdP is fixed at server startup. Users who reach the deployment on any other valid hostname can see the login page but fail the OIDC callback, since the IdP redirects them back to a hostname they can't reach (or whose cookies they don't have).
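The Host-based selection described above, as an added sketch that is not code from this PR or from Coder: the function names, the `/oidc/callback` path, the hostnames, and the choice to fall back to the static URL when the Host is not listed are all assumptions. The point it shows is that the Host header is only ever reflected into `redirect_uri` after an exact match against a configured entry.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// normalizeHost canonicalises a Host header or allowlist entry to lowercase
// host[:port] without a trailing dot; anything else yields "" and never matches.
func normalizeHost(h string) string {
	h = strings.ToLower(h)
	if h == "" || strings.ContainsAny(h, "/\\@?# \t\r\n") {
		return ""
	}
	host, port, err := net.SplitHostPort(h)
	if err != nil {
		host, port = h, "" // no port present
	}
	host = strings.TrimSuffix(host, ".")
	if port == "" {
		return host
	}
	return net.JoinHostPort(host, port)
}

// redirectURI returns the redirect_uri to send to the IdP. accessURL stands in
// for CODER_ACCESS_URL and allowed for CODER_OIDC_REDIRECT_ALLOWED_HOSTS.
func redirectURI(accessURL, reqHost, callbackPath string, allowed []string) (string, error) {
	u, err := url.Parse(accessURL)
	if err != nil {
		return "", err
	}
	u.Path = callbackPath
	host := normalizeHost(reqHost)
	for _, a := range allowed {
		if host != "" && host == normalizeHost(a) {
			u.Host = host // equals a configured entry, so safe to reflect
		}
	}
	return u.String(), nil // assumption: unlisted Host keeps the static URL
}

func main() {
	allowed := []string{"coder.corp.example", "coder.zt.example"} // constructed
	fmt.Println(redirectURI("https://coder.corp.example", "Coder.ZT.example.", "/oidc/callback", allowed))
}
```

Suffix or substring matching in place of the exact comparison would let a host such as `coder.corp.example.evil.example` through, which is why the sketch compares whole normalized values.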

@github-actions github-actions Bot added the community Pull Requests and issues created by the community. label May 15, 2026