We are using Play 2 authenticate plugin for a REST API and I would like to simply return 200 or 403 for login attempts.

The plugin's code looks like this:

public static Result loginAndRedirect(final Context context,
        final AuthUser loginUser) {
    storeUser(context.session(), loginUser);
    return Controller.redirect(getJumpUrl(context));
}

Is there any way to avoid the redirect without forking the plugin project?

I ended up handling this at the controller:

public static Result login() {   
    Result r = MyUsernamePasswordAuthProvider.handleLogin(ctx());
    if (r instanceof Redirect && PlayAuthenticate.getUser(session()) != null) {
        return ok();
    }
    return forbidden();
}

There might be better ways to do this though.

I just stumbled in the same scenario, and as nico_ekito pointed out, this can be achieved by extending PlayAuthenticate.Resolver and overriding:

@Override
    public Call afterAuth() {
        return routes.Application.restAfterAuth();
    }

So you can return any route of your app.