Improve handling of 401 responses

[legrego]

When we detect a 401 response in an AJAX request, the security plugin assumes that the current user's session has timed out, and redirects the user back to the login page with a message indicating just that.

There are other reasons for a 401 response besides session timeouts. We should investigate a better mechanism for detecting actual session timeouts vs other reasons for 401 responses, and adjust the UX accordingly.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[jportner]

Current scenarios we can get unanticipated 401 errors:

• Server side token expiration bug (Handle access tokens that expire after authentication stage #104893)
• Multiple Kibanas connected to the same ES cluster
  • without sharing an encryption key (the cookie is dropped by Core before authentication pipeline)
  • with a different auth config

We should detect specific situations where able, and otherwise show a different error message that doesn't imply the user's session timed out.

Note: split into separate issues Edit: done in #111551

[legrego]

We've addressed a majority of our 401 shortcomings recently:

• Better message for unanticipated authorisation errors #113460
• Handle access tokens that expire after authentication stage. #122155

The remaining items here focus on configuration mismatches across multiple Kibana instances. We have other issues tracking this broader work, so I'll close this in favor of those:

• Detect and prevent the use of mismatched encryption keys #92654
• Update docs for load balancing - auth providers must be in sync #113928