Comment 2 for bug 615342

On the server side, what we're agreeing on is a view that receives a standard OAuth authorization header, and logs the user in (ie returns a session cookie).

Once you can handle arbitrary request headers via libsoup using Python-bound Gtk-embeded webkit, we'll be able to sort it out.

The alternative of accepting the token via a GET argument was discarded.

That way the desktop client can:
 - Prompt the user with a desktop login
 - Get a token they can use for other purposes, or
 - Feed it into the desktop browser, so that the browser will skip web authentication.