Currently, when a user is not authenticated, it's up to one of the authentication plugin to handle the login prompt if needed. It means that it may redirect the user to a login page or present a Basic challenge.
When browsing the web application (JSF), it's not a problem because we want to offer the user a seamless experience.
When dealing with REST base applications, this is a problem since the client application is responsible of the authentication. The client app can't allow blindly a redirect onto the login page for instance. For that reaseon, the authentication filter should sometimes block the flow and return a 401 response code instead of letting the authentication plugin handle the whole flow.
At the authentication chain layer, we should be able to configure if the authentication filter delegates the login prompt to its plugins or if it returns a 401 response code. This is done by the handlePrompt parameter
When using a client REST API, the client may decide to follow the plugins prompt. Since the mecanism is pluggable, the client has no way to know which prompt it has to follow. For that we introduce a /nuxeo/login API that just continues the login flow and let plugin do their "handle login prompt" job.