
Complement AuthToken with unlinked access tokens

Open jace opened this issue 4 years ago • 0 comments

The AuthToken model allows a client app to gain access to a user's resources. However, there is also a use case for an access token that is not linked to an app. For example, the user may want an iCal/vCal feed of their subscribed events. This feed must be a URL that can be added to their calendar app. Since the calendar can't perform a web login or OAuth dance, the URL must have an access token in-built.

The existing AuthToken model can be reused by making auth_client_id optional. However, access tokens have a distinct UX. The token by itself is useless to the user. Tokens should be presented as part of a full URL with an explanation, so this requires a UI widget based on each of the resources in the scope. For example, a theoretical access token that grants a "my_calendar" resource will need an info box explaining how the URL is to be used.

We may therefore need single-scope access tokens, and possibly a separate model to reflect this approach.

The use case for a generic access token for all personal resources is a little poorly defined at the moment.

jace · Jul 07 '21 10:07
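A sketch of the single-scope, app-less token described in the issue above, added here as an example and not taken from Funnel's code. `FeedToken`, `FeedTokenStore`, the URL layout and the `example.org` base URL are all assumptions; the store is an in-memory stand-in for a database table.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _digest(secret: str) -> str:
    # Only this SHA-256 digest is stored, so a leaked table does not yield
    # working feed URLs. A 256-bit random secret needs no slow password hash.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


@dataclass
class FeedToken:
    """Hypothetical token with no client app attached and exactly one scope."""
    user_id: int
    scope: str  # a single resource name, e.g. "my_calendar"
    revoked: bool = False


class FeedTokenStore:
    """In-memory stand-in for a table keyed by token digest."""

    def __init__(self) -> None:
        self._tokens: Dict[str, FeedToken] = {}

    def issue_url(self, user_id: int, scope: str, base_url: str) -> str:
        # Rotate: any earlier token for this user and scope stops working.
        self.revoke(user_id, scope)
        secret = secrets.token_urlsafe(32)
        self._tokens[_digest(secret)] = FeedToken(user_id, scope)
        # The plaintext secret exists only inside the URL shown to the user.
        return f"{base_url}/{scope}/{secret}.ics"

    def revoke(self, user_id: int, scope: str) -> int:
        hits = [t for t in self._tokens.values()
                if t.user_id == user_id and t.scope == scope and not t.revoked]
        for token in hits:
            token.revoked = True
        return len(hits)

    def authorize(self, secret: str, requested_scope: str) -> Optional[int]:
        """Return the user id only if the token grants exactly requested_scope."""
        token = self._tokens.get(_digest(secret))
        if token is None or token.revoked or token.scope != requested_scope:
            return None
        return token.user_id
```

Because the URL is itself the credential, reissuing it invalidates the old one, which gives the user a way to recover if the feed address is shared or leaked.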