Open
A `403` returned by this authentication scheme might indicate that the signature is invalid, or that the user doesn't have sufficient permissions.

DRF suggests raising an `AuthenticationFailed` for a bad signature, resulting in a `401` response (and not bothering to do the permissions check), leaving a `403` to indicate that the user was authenticated but has insufficient permissions. Further, an `authenticate_header` method could implement a `WWW-Authenticate` header in the `401` response with signature implementation instructions. I believe this potential exists in all the 3.x DRF releases.

Would that be a welcome PR? I recognize that it could break users' integration tests expecting the current "403" behavior.
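The 401/403 split the issue asks for, shown as an added example that is not part of this issue or of the project's code. The block does not import Django REST framework; it reproduces the rule from DRF's `APIView.handle_exception` (an `AuthenticationFailed` or `NotAuthenticated` exception is answered with `401` only when the first authenticator's `authenticate_header()` returns a challenge, otherwise DRF rewrites it to `403`, while `PermissionDenied` is always `403`). The HMAC signing scheme, the `X-Signature` and `X-User` header names, the shared secret, the `Signature realm="api"` challenge and the sample requests are all constructed for the illustration and are not this project's scheme.

```python
"""Model of how DRF maps authentication outcomes to 401 vs 403 (constructed example)."""
import hashlib
import hmac

# Hypothetical shared secret and header names; a real scheme resolves the key per key id.
SECRET = b"example-shared-secret"
SIG_HEADER = "X-Signature"
USER_HEADER = "X-User"


class AuthenticationFailed(Exception):
    """Credentials were presented but are invalid (DRF: rest_framework.exceptions.AuthenticationFailed)."""


class NotAuthenticated(Exception):
    """No credentials were presented (DRF raises this from the permission check)."""


class PermissionDenied(Exception):
    """Authenticated, but not allowed to perform the action."""


def expected_signature(method: str, path: str, user: str, body: bytes) -> str:
    """HMAC-SHA256 over method, path, user and body; constructed scheme, not the project's."""
    msg = f"{method}\n{path}\n{user}\n".encode() + body
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class SignatureAuthentication:
    """Minimal authenticator; `with_challenge` models whether authenticate_header() is implemented."""

    def __init__(self, with_challenge: bool):
        self.with_challenge = with_challenge

    def authenticate(self, request: dict):
        headers = request["headers"]
        presented = headers.get(SIG_HEADER)
        if presented is None:
            return None  # no credentials: leave the user anonymous, DRF's permission check rejects later
        user = headers.get(USER_HEADER, "")
        expected = expected_signature(request["method"], request["path"], user, request["body"])
        # Constant-time comparison so response timing does not reveal how much of the signature matched.
        if not hmac.compare_digest(presented, expected):
            raise AuthenticationFailed("Invalid signature")
        return user

    def authenticate_header(self, request: dict):
        # What the issue proposes: advertise the scheme so DRF can answer 401 instead of 403.
        return 'Signature realm="api"' if self.with_challenge else None


def handle_request(request: dict, authenticator: SignatureAuthentication, allowed_users: set) -> dict:
    """Authenticate, then check permissions, mapping exceptions to status codes the way DRF does."""
    try:
        user = authenticator.authenticate(request)
        if user is None:
            raise NotAuthenticated("Authentication credentials were not provided.")
        if user not in allowed_users:
            raise PermissionDenied("You do not have permission to perform this action.")
        return {"status": 200, "user": user}
    except (AuthenticationFailed, NotAuthenticated) as exc:
        # DRF's rule: a 401 requires a WWW-Authenticate challenge; without one it becomes a 403.
        challenge = authenticator.authenticate_header(request)
        if challenge:
            return {"status": 401, "headers": {"WWW-Authenticate": challenge}, "detail": str(exc)}
        return {"status": 403, "detail": str(exc)}
    except PermissionDenied as exc:
        return {"status": 403, "detail": str(exc)}


def make_request(user: str, sign: bool, tamper: bool = False) -> dict:
    """Constructed sample request; `tamper` flips the last hex digit of an otherwise valid signature."""
    method, path, body = "POST", "/api/items/", b'{"name":"x"}'
    headers = {USER_HEADER: user}
    if sign:
        sig = expected_signature(method, path, user, body)
        if tamper:
            sig = sig[:-1] + ("0" if sig[-1] != "0" else "1")
        headers[SIG_HEADER] = sig
    return {"method": method, "path": path, "body": body, "headers": headers}


if __name__ == "__main__":
    current = SignatureAuthentication(with_challenge=False)   # behaviour the issue describes today
    proposed = SignatureAuthentication(with_challenge=True)   # behaviour the issue proposes
    for label, auth in (("current", current), ("proposed", proposed)):
        print(label, "bad signature ->", handle_request(make_request("alice", True, tamper=True), auth, {"alice"}))
        print(label, "no permission ->", handle_request(make_request("bob", True), auth, {"alice"}))
```

With `with_challenge=False` a bad signature and a permission failure are indistinguishable to the client (both `403`), which is the ambiguity the issue describes; with the challenge implemented, a bad or missing signature yields `401` plus `WWW-Authenticate`, and `403` is reserved for an authenticated user who lacks permission.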