Comment 8 for bug 1086189

Lin Hua Cheng (lin-hua-cheng) wrote :

Adding some notes on what exceptions are raised for an expired token and unauthorized access:

401 - Unauthorized, this should mean that the user is *not* authenticated and a re-authentication should be sufficient to perform an action (revoked, expired, etc. token).
403 - Forbidden, this should mean the current authorization doesn't allow the action to be performed.

In the 401 case redirecting to login should be sane (this may not actually be the case).