Just to make sure I'm not missing something:
In my proposed scheme, the only interaction normal pages should have with the Authentication API would be "auth::require_login", "ad_conn user_id", and perhaps "ad_conn untrusted_user_id".
You say subtle differences ... I just want to make sure that we're on the same page here: If we implemented "auth::require_login" with a service contract, and thus let you plug in a different implementation, our two designs would be completely equivalent in what they could accomplish, no?
If not, I'm missing something. Please help me :)