The README file contains this sample code block:

 /**
   * If authorization failed (usually incorrect password) redirect the user as follows:
   */
  override def authorizationFailed(request: RequestHeader, user: User, authority: Option[Authority])(implicit context: ExecutionContext): Future[Result] = {
    Future.successful(Forbidden("no permission"))
  }

Doesn't an authorization failure mean that the user authenticated correctly, but simply lacks the required Authority? That's what the method body implies with its Forbidden response, but it's not what the ScalaDoc comment says when it talks about an "incorrect password". This seems very confusing for people trying to adopt this framework.