
Document that the Google OpenID auth backend matches users by their (mutable) email#68391

Open
potiuk wants to merge 1 commit into apache:main from potiuk:docs-google-openid-email-identity-lifecycle

Conversation


@potiuk potiuk commented Jun 11, 2026

Member

The Google OpenID API auth backend (airflow.providers.google.common.auth_backend.google_openid) authenticates a request by matching the verified email claim of the Google ID token against an existing Airflow user, and does not consult the immutable sub claim. Because email addresses are mutable (corporate reassignment, domain recycling), this documents that the email-to-user mapping is part of the deployment's identity lifecycle:

  • deprovision (or re-map) the Airflow user whenever its email is reassigned, and
  • don't recycle an address to a different identity while an Airflow account is still mapped to it;
  • restricting google_oauth2_audience to your own deployment keeps tokens minted for unrelated audiences out of scope.

Docs-only change to the existing google-openid.rst (this backend is an Airflow 2.x mechanism).

Was generative AI tooling used to co-author this PR?
  • Yes — Claude Opus 4.8 (1M context)

Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
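As an added illustration (constructed for this page; not the provider's code and not part of the PR), the following Python simulation shows an email-keyed lookup of the kind the description refers to, the audience check, and an audit that flags Airflow accounts whose address has since been reassigned to a different stable subject. The user records, `sub` values, token claims and audience string are all assumed sample data.

```python
"""Constructed simulation (not the Airflow provider's code) of email-keyed user
matching for a Google ID token, plus an audit for reassigned addresses."""
from dataclasses import dataclass
from typing import Optional

# Audience the deployment expects; a constructed placeholder, not a real client id.
GOOGLE_OAUTH2_AUDIENCE = "example-deployment-client-id.apps.googleusercontent.com"


@dataclass(frozen=True)
class AirflowUser:
    username: str
    email: str
    role: str


def resolve_user(claims: dict, users: list, audience: str) -> Optional[AirflowUser]:
    """Mimic an email-keyed lookup: reject a wrong audience or an unverified
    email, then match solely on the email claim (the `sub` claim is never used)."""
    if claims.get("aud") != audience:
        return None
    if not claims.get("email_verified"):
        return None
    email = claims.get("email", "").lower()
    return next((u for u in users if u.email.lower() == email), None)


def stale_email_mappings(users: list, directory: dict, known_subs: dict) -> list:
    """Audit: flag Airflow users whose email now belongs, in the identity
    directory, to a different stable subject than the account was created for.
    `directory` maps email -> current `sub`; `known_subs` maps username -> `sub`
    recorded at provisioning (both constructed inputs)."""
    stale = []
    for u in users:
        current_sub = directory.get(u.email.lower())
        if current_sub is None or current_sub != known_subs.get(u.username):
            stale.append(u.username)
    return stale


# Constructed sample data: alice left and her address was recycled to a new hire.
USERS = [AirflowUser("alice", "alice@example.com", "Admin")]
KNOWN_SUBS = {"alice": "sub-111"}                  # sub recorded at provisioning
DIRECTORY_NOW = {"alice@example.com": "sub-222"}   # address now maps to another subject

RECYCLED_TOKEN = {"aud": GOOGLE_OAUTH2_AUDIENCE, "sub": "sub-222",
                  "email": "alice@example.com", "email_verified": True}
FOREIGN_AUD_TOKEN = dict(RECYCLED_TOKEN, aud="other-app.apps.googleusercontent.com")

if __name__ == "__main__":
    print(resolve_user(RECYCLED_TOKEN, USERS, GOOGLE_OAUTH2_AUDIENCE))      # alice's Admin account
    print(resolve_user(FOREIGN_AUD_TOKEN, USERS, GOOGLE_OAUTH2_AUDIENCE))   # None
    print(stale_email_mappings(USERS, DIRECTORY_NOW, KNOWN_SUBS))           # ['alice']
```

The audit output is the signal to deprovision or re-map the account before the recycled address is used to sign in.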


Labels

area:providers kind:documentation provider:google Google (including GCP) related issues
