What I Want from A Web Auth Solution: This is how I think a web auth solution should work. The server doesn't negotiate auth in any way; it's built-in to the protocol itself.

The user visits a site.
The site displays a logged out view.
The user decides to login to the site via *browser* UI, such as a login button in the chrome by the address bar.
The user selects a token to user for the site.
The browser refreshes the page and includes the public key as a header, for ex. `UserToken: abdce`
The server gets the token and displays a logged in view.