Now that ovirt sso[1] is in place we can integrate the api to use the OAuth2 authentication instead of using the non standard restapi session management, we may even remove this mechanism if not actually required. The /sso/oauth/token[-http-auth] with grant type [urn:ovirt:params:oauth:grant-type:http] entry points are probably what should be used for user/password authentication or spnego. Once obtained authorization header of Bearer TOKEN should be used to access restapi. We will probably require some modification to session timeouts as an extension to OAuth2, let's see what missing. [1] http://www.ovirt.org/images/4/4c/OVirt_SSO_Specification.pdf
*** Bug 1308458 has been marked as a duplicate of this bug. ***