proposal for reissue callback and 3rd party token generation

[tripsolutions]

This covers issue #54 but also the ability to plumb the cookie authentication on top of a 3rd party token generation API. It's a significant API change so I'm looking for feedback on how to make this less invasive.

The documentation changes explain this PR in some detail.