1. 401 is the correct status code not 403

401 Unauthorized (RFC 7235) https://tools.ietf.org/html/rfc7235#section-3.1

The 401 (Unauthorized) status code indicates that the request has not
been applied because it lacks valid authentication credentials for
the target resource. The server generating a 401 response MUST send
a WWW-Authenticate header field (Section 4.1) containing at least one
challenge applicable to the target resource.

If the request included authentication credentials, then the 401
response indicates that authorization has been refused for those
credentials. The user agent MAY repeat the request with a new or
replaced Authorization header field (Section 4.2). If the 401
response contains the same challenge as the prior response, and the
user agent has already attempted authentication at least once, then
the user agent SHOULD present the enclosed representation to the
user, since it usually contains relevant diagnostic information.

2. Where are we actually using the code?
   New reference is

   joomla-cms/libraries/src/Application/CMSApplication.php

   Line 892 in 7ab744f

   // Return the error.

@wilsonge close this Issue?

I don't have the time to properly work my way through this right now - so not right now please. Assuming Brian is right about the 401 then this requires changes and so is an open issue (because iirc at the moment everything gives 200's)

"assuming brian is right"? I just quote the internet standards

I'm not convinced 401 is correct. What would you pass as WWW-Authenticate header then?
Stackoverflow often says 400 or 403. Or just 200 like we do currently because because from a protocol/server view the request still was successful.

I would rather follow the official standards than a comment on stack overflow ;)

The status code is built for the HTTP authentication methods (basic, digest, ...) and thus the official standard mandates that you MUST send a WWW-Authenticate header in the response so the browser knows what to do.
It's not a real fit for CMS authentications as we don't do it on a protocol level.

Reading this again I agree with @Bakual (I think)

What do other web based apps do?

So I just spent some time looking to see what others do. I can see that w and d have regularly had this same discussion over the years. Someone who did even more research on this @johnbillion and say that 200 is correct - so no change https://core.trac.wordpress.org/ticket/25446#comment:29

Base on research from @brianteeman, return 200 for http code is OK (see comment above), so I'm closing this issue. Feel free to re-open if needed.