Open
Description
Perhaps we should use JWT for OpenID authentication rather than our ad-hoc system with `Authorization: SesID` and the lightly encrypted GET argument.
We also need to consider how session expiration would work with such a scheme; the 'exp' field is part of the JWT token itself, so refreshing the session would involve creating a new token, which would have to be sent to the client.
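The expiry question above, worked through as an added example that is not part of the original issue or the project's code: an HS256 token carries its own `exp`, so extending a session means signing a replacement token and returning it to the client. The key, lifetimes and function names (`issue`, `verify`, `handle_request`) are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # placeholder key (assumption), not a real secret
TTL = 900                         # assumed token lifetime in seconds
REFRESH_WINDOW = 300              # assumed: reissue when this close to expiry

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(sub: str, now: int) -> str:
    """Sign a token whose expiry is fixed at issue time."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + TTL}).encode())
    return f"{header}.{body}.{_b64(_sign(f'{header}.{body}'))}"

def verify(token: str, now: int):
    """Return the claims, or None if the token is malformed, forged or expired."""
    try:
        header, body, sig = token.split(".")
        # Check the MAC before trusting anything inside the token.
        if not hmac.compare_digest(_sign(f"{header}.{body}"), _unb64(sig)):
            return None
        # Pin the algorithm; never let the token choose how it is verified.
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(body))
        exp = claims.get("exp")
    except (ValueError, AttributeError):
        return None
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims

def handle_request(token: str, now: int):
    """Return (status, replacement_token); the replacement is None unless refreshed."""
    claims = verify(token, now)
    if claims is None:
        return 401, None
    if claims["exp"] - now <= REFRESH_WINDOW:
        # 'exp' is covered by the signature, so a longer session needs a new token.
        return 200, issue(claims["sub"], now)
    return 200, None
```

The superseded token stays valid until its own `exp`, so server-side revocation would still need separate state such as a deny list.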