A generic OAuth 2.0 for the web application flow, tested against
microsoft and google apis.
Added a callback endpoint for requests so that clients can use a single
endpoint (without GET params). I put this in /admin/ as I expect some
sites will have .htaccess denying access to /lib/.