When a user is met with a hard 403 it adds confusion
to the user experience. Allow the login app to handle
this condition in a way that makes sense for the
business. Instead of a hard 403 we pass along a header
that lets the app decide if it wants to 403 or re-login
the user. We still do not allow the user to access
the page by setting the token to nil