Replace CookieCrumbler's cookie with OAuth2 tokens:
- add the notion of authenticated sessions: period from a login action to
  either a logout or the expiration of tokens
- avoids session fixation (knowing one token does not grant near-permanent
  access to the session)
- reduces the per-request cost of authentication (removes the need to
  compute user's groups, and the need to cache these groups for a fixed
  period).