As far as I can tell there is no way to restrict Google OAuth to a specific domain.

I'm thinking of something like https://github.com/bitly/oauth2_proxy provides through:

  -email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email

Because right now OAuth just logs in anyone and everyone.