Remove AuthMethod and add access token to RestApi

Authentication for API calls will be handled using an access token
in the "Authorization: OAuth access_token" style. Browsers do not
use this header when making requests unless the request is made with an
XMLHttpRequest. If the value used as the access_token is not available
cross-site, then the API call cannot be made by hijacking attempts.

Change-Id: I33654bcaa247cb95a57b03d2df112ca95e970185
This commit is contained in:
Shawn O. Pearce
2012-11-12 12:38:30 -08:00
parent e649d848dc
commit bbeb2a96e4
22 changed files with 88 additions and 146 deletions


@@ -26,7 +26,6 @@ import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.UrlEncoded;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.AccountManager;
import com.google.gerrit.server.account.AuthMethod;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.config.CanonicalWebUrl;
import com.google.gerrit.server.config.ConfigUtil;
@@ -417,7 +416,7 @@ class OpenIdServiceImpl implements OpenIdService {
lastId.setMaxAge(0);
}
rsp.addCookie(lastId);
webSession.get().login(arsp, AuthMethod.COOKIE, remember);
webSession.get().login(arsp, remember);
if (arsp.isNew() && claimedIdentifier != null) {
final com.google.gerrit.server.account.AuthRequest linkReq =
new com.google.gerrit.server.account.AuthRequest(
@@ -431,7 +430,7 @@ class OpenIdServiceImpl implements OpenIdService {
case LINK_IDENTIY: {
arsp = accountManager.link(identifiedUser.get().getAccountId(), areq);
webSession.get().login(arsp, AuthMethod.COOKIE, remember);
webSession.get().login(arsp, remember);
callback(false, req, rsp);
break;
}