Changes


Identity/BrowserIDSync

404 bytes added, 01:09, 22 December 2011
BrowserID + REST
[[Image:BrowserIDREST.png]]
We standardize a point of authentication, <tt>/auth</tt>, which exchanges an assertion for an OAuth token and secret, valid for some session duration (30 minutes?). Then, subsequent API calls are made with an OAuth signature header using that token and secret. This is so-called 2-legged OAuth mode.

Thus, apart from the new API call to <tt>/auth</tt>, a REST API does not need to change. Only its authorization header is affected.

Other potential approaches:
* use the assertion as a proper assertion on the first call, then as a cookie on subsequent calls, valid for 30 minutes. This is not as secure, since API calls aren't signed, but it is easier to implement.
* don't standardize the exact approach. Let some
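
An added example, not part of the original wiki page: a sketch of the <tt>/auth</tt> exchange and the signed follow-up calls described above. The function names, the in-memory session store, the <tt>verify_assertion</tt> callback and the simplified HMAC-SHA1 signature (token secret alone as key, no nonce or timestamp) are assumptions for illustration, not the exact BrowserID or OAuth wire format.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

SESSION_TTL = 30 * 60   # the page's tentative session duration, in seconds
_sessions = {}          # token -> (secret, email, expiry); hypothetical store

def auth(assertion, verify_assertion, now=None):
    """/auth: exchange a verified assertion for a short-lived token and secret."""
    now = time.time() if now is None else now
    email = verify_assertion(assertion)  # assumed callback: email or None
    if email is None:
        raise PermissionError("invalid assertion")
    token, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    _sessions[token] = (secret, email, now + SESSION_TTL)
    return token, secret

def _base_string(method, url, params):
    # Method, URL and sorted parameters, percent-encoded, OAuth 1.0 style.
    enc = lambda s: quote(str(s), safe="-._~")
    pairs = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), enc(url), enc(pairs)])

def sign(method, url, params, secret):
    """Client side: sign one API call with the secret returned by /auth."""
    base = _base_string(method, url, params).encode()
    return hmac.new(secret.encode(), base, hashlib.sha1).hexdigest()

def verify_request(method, url, params, token, signature, now=None):
    """Server side: return the authenticated email, or None to reject."""
    now = time.time() if now is None else now
    session = _sessions.get(token)
    if session is None:
        return None
    secret, email, expiry = session
    if now >= expiry:            # session over: a fresh assertion is needed
        del _sessions[token]
        return None
    expected = sign(method, url, params, secret)
    if not hmac.compare_digest(expected, signature):
        return None              # method, URL or parameters were altered
    return email
```

Because the signature covers the method, URL and parameters, a captured token alone cannot be used to issue a different call, which is the property the cookie-style alternative below gives up.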
== Key Wrapping ==