Figure out how to support multiple OAuth client applications #249

@pkgw

The MVC5 app provides API endpoints that are used by the Windows client, with authentication performed using OAuth. The Windows app has the OAuth app information embedded (client ID 000000004015657B), and so we can expect that older installations will want to talk to the website using logins that are secured using this app.

However, this app was created using a deprecated system and we can't administer it anymore. This is an issue because the app administration is where we configure the "redirect URLs" that we are allowed to use for web-based OAuth flows. For the web app(s), we'd like to update some of those (e.g. to switch them to HTTPS). But we can't.

We can update the web server to use a newer, administer-able OAuth client application. But if we just change the server straight over to the new app, it will reject the OAuth tokens supplied by logged-in Windows apps because they'll come from a different client app.

So if we were to really try to solve this, we'd configure the server to recognize two OAuth apps for anything that requires authentication. We'd also update the web-based flows to use the new, configurable app with the redirect URLs that we want.

At the moment this seems like it would be more effort than it's worth, but I wanted to write down the issues since I find that I always have to spend some time refreshing my memory about how all the pieces fit together here.
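
A sketch of the two-app arrangement described in this issue, added here as an illustration and not taken from the project's code. It assumes the server has already verified a token's signature and expiry and can read the issuing client ID from an audience claim; every type and member name is hypothetical, and the new client ID and redirect URL are placeholders.

```csharp
using System;
using System.Linq;

// Added example: hypothetical names, not the project's own types.
public sealed class OAuthClientApp
{
    public string ClientId { get; set; }
    public bool AllowWebFlows { get; set; }     // may start new browser-based flows
    public string[] RedirectUris { get; set; }  // exact-match allow-list
}

public static class OAuthClientRegistry
{
    private static readonly OAuthClientApp[] Apps =
    {
        // Legacy app embedded in the Windows client: its tokens are accepted,
        // but no web flow is ever started with it.
        new OAuthClientApp { ClientId = "000000004015657B", AllowWebFlows = false,
            RedirectUris = new string[0] },
        // Replacement app that can be administered (placeholder ID and URL).
        new OAuthClientApp { ClientId = "NEW-CLIENT-ID-PLACEHOLDER", AllowWebFlows = true,
            RedirectUris = new[] { "https://example.invalid/oauth/callback" } },
    };

    // Assumption: called only after signature and expiry checks have passed.
    // Returns null when the token was issued to an unknown client app.
    public static OAuthClientApp FindByAudience(string audience)
    {
        if (string.IsNullOrEmpty(audience)) return null;
        return Apps.FirstOrDefault(
            a => string.Equals(a.ClientId, audience, StringComparison.Ordinal));
    }

    // The single app that web-based flows are allowed to use.
    public static OAuthClientApp WebFlowApp()
    {
        return Apps.Single(a => a.AllowWebFlows);
    }

    // A redirect is allowed only for a web-flow app, over HTTPS, on exact match.
    public static bool IsAllowedRedirect(OAuthClientApp app, string redirectUri)
    {
        Uri parsed;
        return app != null && app.AllowWebFlows
            && Uri.TryCreate(redirectUri, UriKind.Absolute, out parsed)
            && parsed.Scheme == Uri.UriSchemeHttps
            && app.RedirectUris.Contains(redirectUri, StringComparer.Ordinal);
    }
}
```

Keeping the legacy entry as accept-only means it can later be removed from the table without touching the web flows.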
