Validate an OpenID for a TrustRoot and redirect the browser back
to the ReturnTo argument. There are many possible scenarios
here:
- Check some cookie and if present, grant immediately
- Use a 401 challenge page
- Present a normal grant/password page
- As (3), but use HTTPS for the exchange
- etc.
First thing to check is the immediate acknowledgement.