Refine login API to get rid of cookies and automatic guests #109

@ryanrdoherty

Description

Worked out the following plan with Dave:

Backend Phase 1 (backward compatible):

  • Add new explicit /create-guest endpoint which returns JSON; checkloginfilter will skip this path
  • /login will conditionally return redirect response OR JSON if Accept header has json

Client work:

  • On new page load, look for bearer token on local storage; if not present, call /create-guest and save token
  • New client route: /app/complete-login?auth-code=123&others
    • Will be specified in /oauth/authorize?redirectUri=/app/complete-login&state=blah
    • Will call /login with oauth query parameters, JSON Accept header, and existing guest token in Authorize header, then save token and redirect to URL
  • Any service returning 401 when token sent = remove local storage token and reload the page

Backend Phase 2 (breaking changes):

  • Checkloginfilter no longer returns guests; always 401s like services
  • Add more routes or new mechanism to let services declare whether they need a user (will let client call e.g. /, /ontology, /record-types before /create-guest returns)
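The client-side part of the plan (token bootstrap via /create-guest, bearer header on every call, 401 handling, and the /app/complete-login step), written out as an added example that is not part of the original issue or the project's code. The storage key name, the `{ "token": "..." }` response shape, and the injected `storage`/`fetchFn`/`reload` dependencies are assumptions; in a page you would pass `window.localStorage`, `window.fetch` and `() => window.location.reload()`.

```javascript
const TOKEN_KEY = 'bearer-token'; // assumed local-storage key

function createAuthClient({ storage, fetchFn, reload }) {
  // On page load: reuse the stored token, otherwise ask /create-guest for one.
  async function ensureToken() {
    const stored = storage.getItem(TOKEN_KEY);
    if (stored) return stored;
    const res = await fetchFn('/create-guest', {
      method: 'POST',
      headers: { Accept: 'application/json' },
    });
    if (!res.ok) throw new Error(`create-guest failed: ${res.status}`);
    const { token } = await res.json(); // assumed response shape: { "token": "..." }
    storage.setItem(TOKEN_KEY, token);
    return token;
  }

  // Call any service with the bearer token. A 401 means the token is no longer
  // valid: drop it and reload so the next page load creates a fresh guest.
  async function authFetch(url, options = {}) {
    const token = await ensureToken();
    const headers = { ...(options.headers || {}), Authorization: `Bearer ${token}` };
    const res = await fetchFn(url, { ...options, headers });
    if (res.status === 401) {
      storage.removeItem(TOKEN_KEY);
      reload();
    }
    return res;
  }

  // Handler for /app/complete-login?auth-code=...&state=...: forward the OAuth
  // query to /login with a JSON Accept header and the current guest token, then
  // store the returned user token. The caller performs the final redirect.
  async function completeLogin(search) {
    const params = new URLSearchParams(search);
    if (!params.has('auth-code')) throw new Error('missing auth-code');
    const guestToken = await ensureToken();
    const res = await fetchFn(`/login?${params.toString()}`, {
      headers: { Accept: 'application/json', Authorization: `Bearer ${guestToken}` },
    });
    if (!res.ok) throw new Error(`login failed: ${res.status}`);
    const { token } = await res.json(); // assumed response shape
    storage.setItem(TOKEN_KEY, token);
    return token;
  }

  return { ensureToken, authFetch, completeLogin };
}
```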
