We are further ahead from vision; we have an e2e example in the pubky-core repo. And it is all specced out here: https://pubky.github.io/pubky-core/spec/auth.html Long story short: the web app asks the user for specific capabilities, the user approves by sending a signed token to the web app (using httprelay.io), then that web app uses this signed token to sign in to the user's homeserver and get a good old session cookie with only the capabilities that the user approved.
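The flow described above, as an added sketch that is not part of the original message and not pubky-core code: the homeserver derives the session's capabilities only from the token the user signed. The Ed25519 keys, JSON token layout, capability strings, 45-second freshness window and in-memory relay are assumptions made for illustration; the linked spec defines the real format.

```javascript
// Simplified model of the described flow; not the pubky-core wire format.
const crypto = require('node:crypto');

// User side: approve a subset of the requested capabilities and sign it.
function approve(requested, allowed, privateKey, now = Date.now()) {
  const caps = requested.filter((c) => allowed.includes(c));
  const payload = Buffer.from(JSON.stringify({ caps, iat: now }));
  return { payload, sig: crypto.sign(null, payload, privateKey) };
}

// Homeserver side: verify the signature and freshness, then bind the
// session to the signed capabilities only (never to what the app asks for).
const sessions = new Map();
function signIn(token, userPublicKey, now = Date.now(), maxAgeMs = 45_000) {
  if (!crypto.verify(null, token.payload, userPublicKey, token.sig)) return null;
  const { caps, iat } = JSON.parse(token.payload.toString());
  if (Math.abs(now - iat) > maxAgeMs) return null; // stale or future-dated
  const cookie = crypto.randomBytes(16).toString('hex');
  sessions.set(cookie, new Set(caps));
  return cookie;
}

// Per-request check against the capabilities stored for the session cookie.
function authorize(cookie, cap) {
  const caps = sessions.get(cookie);
  return Boolean(caps && caps.has(cap));
}

// Constructed run: the relay is modelled as a Map keyed by a channel id.
function demo() {
  const user = crypto.generateKeyPairSync('ed25519'); // assumed key type
  const relay = new Map();
  const requested = ['/pub/example.app/:rw', '/pub/other.app/:r']; // constructed
  relay.set('channel-1', approve(requested, [requested[0]], user.privateKey));
  const token = relay.get('channel-1'); // web app picks the token up
  const cookie = signIn(token, user.publicKey);
  // Payload rewritten after signing to claim every requested capability.
  const altered = {
    payload: Buffer.from(JSON.stringify({ caps: requested, iat: Date.now() })),
    sig: token.sig,
  };
  return {
    approved: authorize(cookie, requested[0]),
    denied: authorize(cookie, requested[1]),
    alteredCookie: signIn(altered, user.publicKey),
    staleCookie: signIn(token, user.publicKey, Date.now() + 3_600_000),
  };
}
```

In `demo()` the session honours only the capability the user signed, and both the altered token and the hour-old token are refused at sign-in.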