Yes. From this discussion, upon authentication the API would throw a PasswordChangeException and the REST API would reflect this by returning a 302 Temporary Redirect to /session with something like a “Password must be changed” error message and, presumably, a header or some other programmatically explicit indication that the password must be changed (e.g., a Password-Change-Exception header set to true).
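The behaviour described in the comment above, sketched as an added example that is not part of the original discussion or the project's code: a stub server maps PasswordChangeException to a 302 to /session with a Password-Change-Exception: true header, and a client classifies the outcome from the status and header instead of parsing the message text. The /login path, the sample accounts, and the 200/401 responses are assumptions made for the sketch.

```python
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

class PasswordChangeException(Exception):
    """Credentials are valid, but the password must be changed first."""
# Constructed sample accounts: username -> (password, must_change)
USERS = {"alice": ("old-pass", True), "bob": ("s3cret", False)}

def authenticate(user, password):
    stored, must_change = USERS.get(user, ("", False))
    # Compare first so unknown users take the same code path as known ones
    if not (hmac.compare_digest(stored.encode(), password.encode()) and user in USERS):
        raise PermissionError("invalid credentials")
    if must_change:
        raise PasswordChangeException("Password must be changed")

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):  # hypothetical login endpoint; the path is not checked
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        status, extra = 200, {}
        try:
            authenticate(form.get("user", [""])[0], form.get("password", [""])[0])
        except PasswordChangeException:  # explicit, machine-readable signal
            status, extra = 302, {"Location": "/session", "Password-Change-Exception": "true"}
        except PermissionError:
            status = 401
        self.send_response(status)
        for name, value in {**extra, "Content-Length": "0"}.items():
            self.send_header(name, value)
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

def login(port, user, password):
    """Classify the outcome from status and header, never from message text."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/login", urlencode({"user": user, "password": password}),
                 {"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()  # http.client does not follow the redirect itself
    conn.close()
    if resp.status == 302 and resp.getheader("Password-Change-Exception") == "true":
        return "password-change-required"
    return {200: "ok", 401: "denied"}.get(resp.status, "unexpected")

def start_server():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

A client that follows redirects automatically would land on /session and lose the header, so the check has to run on the 302 response itself.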