Issue #2817745 by Wim Leers: Add test coverage to prove that REST resource's "auth" configuration is also not allowing global authentication providers like "cookie" when not listed

Issue #2808233 by gnuget, dawehner, Wim Leers, tedbow, Chi, dysrama: REST 403 responses don't tell the user *why* access is not granted: requires deep Drupal understanding to figure out