I have a private website used as an intranet site for workers from around the world who have accounts with my Google Apps domain (example.com). They currently use OpenId to log in to various collaborative tools, so I want to use this for my site too.

1. I want to protect the static content on my private members-only website with OpenID login (rather than, say, basic HTTP auth), which Google Apps provides.

2. I know that anyone can be an OpenID provider, so I want to restrict it to one domain name, specifically my Google Apps domain.

At the moment my static content is served via Nginx. I would prefer a simple Nginx module that would handle this with only a bit of setup.

If I have to get my hands dirty, I don't mind setting up a basic Python (say Django) or Java server to handle this, but I don't want to use PHP or Ruby.

Depending on the volume of content, why not put it up on the Google App Engine?

There are restrictions on the amount of stuff you can put up statically (you can serve from DB though), and the number of changes per day.

If your content is small enough and doesn't change too frequently (100 times a day I believe is the max) this might address your authentication problems and simplify your life a fair bit!

For lighttpd, there is https://lighttpd-external-auth.chmd.fr.

I believe it could be ported for the nginx lua scripting interface without major difficulties.

If you want to use Google as IDP with open ID connect you can follow Google guidelines for the same here. I am using NGINX Plus with Auth0 as IDP but that needs a paid NGINX subscription, see details here. If you want to use this with Open Source version you can check this.

I have not used this open-source version so will advise you to check for all security concerns before using it.