Let permissions classes customise failed responses #7176

@zacps

Description

Checklist

  • I have verified that this issue exists against the master branch of Django REST framework.
  • I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
  • This is not a usage question. (Those should be directed to the discussion group instead.)
  • This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)

I've been looking into adding support for django rest framework in django-oidc-provider.

The two things I'd like to implement are authentication and permissions classes for OAuth 2.0 Bearer authentication (RFC6750).

The Authentication class is straightforward. I can simply check the token and respond with 401 if it doesn't exist or is invalid. The API also lets me set the correct WWW-Authenticate header as per RFC6750#3.

However, it's not possible to implement a permissions class to check token scopes which is compatible with RFC6750. Section 3 states (emphasis mine):

    If the protected resource request does not include authentication credentials or does not contain an access token that enables access to the protected resource, the resource server MUST include the HTTP "WWW-Authenticate" response header field; ...

This is because the only options for a failing permissions class are to return False and get 403, or raise a 404 exception.

I'm not sure how the api should be expanded to accommodate this, an equivalent authenticate_header method on the Permission class may be enough, or there may be a better approach.
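The response behaviour RFC 6750 section 3 asks a resource server for, as an added, framework-free example that is not part of the issue, of Django REST framework, or of django-oidc-provider. It shows the three outcomes a bearer-token check has to distinguish: no credentials (401, bare challenge), a malformed or unknown token (401, error="invalid_token"), and a valid token that lacks the required scope (403, error="insufficient_scope" with the needed scope). The token table, realm name and header values are constructed for the example; the regex follows the b64token grammar in RFC 6750 section 2.1.

```python
import re
from dataclasses import dataclass, field

# Constructed sample token store (hypothetical): bearer token -> granted scopes.
TOKENS = {
    "tok-read": {"openid", "profile"},
    "tok-admin": {"openid", "profile", "admin"},
}

REALM = "example-api"  # assumed realm name for the challenge

# RFC 6750 2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$")


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def www_authenticate(error=None, description=None, scope=None):
    """Build a WWW-Authenticate value in the RFC 6750 section 3 form."""
    params = [f'realm="{REALM}"']
    if error:
        params.append(f'error="{error}"')
    if description:
        params.append(f'error_description="{description}"')
    if scope:
        params.append(f'scope="{scope}"')
    return "Bearer " + ", ".join(params)


def authenticate(headers):
    """Return (granted_scopes, None) on success, else (None, 401 Response)."""
    auth = headers.get("Authorization")
    if auth is None:
        # RFC 6750 3.1: request carries no credentials at all -> challenge
        # without an error code, so the client learns it must use Bearer.
        return None, Response(401, {"WWW-Authenticate": www_authenticate()})
    m = _BEARER_RE.match(auth)
    if not m or m.group(1) not in TOKENS:
        # Malformed, expired, revoked or otherwise unknown token -> invalid_token
        challenge = www_authenticate("invalid_token",
                                     "token is missing, malformed or revoked")
        return None, Response(401, {"WWW-Authenticate": challenge})
    return TOKENS[m.group(1)], None


def check_scope(granted, required):
    """Return None if every required scope was granted, else a 403 Response.

    RFC 6750 3.1: insufficient_scope SHOULD be a 403 and MAY carry the
    scope the resource needs. This is the step a scope-checking permission
    class performs after authentication has already succeeded.
    """
    if required <= granted:
        return None
    challenge = www_authenticate("insufficient_scope",
                                 scope=" ".join(sorted(required)))
    return Response(403, {"WWW-Authenticate": challenge})


def handle(headers, required_scope):
    """Authenticate, then authorise, returning the response the server sends."""
    granted, resp = authenticate(headers)
    if resp is not None:
        return resp
    resp = check_scope(granted, required_scope)
    if resp is not None:
        return resp
    return Response(200, {}, "ok")


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": "Bearer bogus"},
                 {"Authorization": "Bearer tok-read"},
                 {"Authorization": "Bearer tok-admin"}):
        r = handle(hdrs, {"admin"})
        print(r.status, r.headers.get("WWW-Authenticate"))
```

The point the example makes concrete is that the scope failure is a 403, not a 401, yet still carries the WWW-Authenticate header; a permission layer that can only return a bare 403 cannot produce that response, which is the gap the issue describes.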
