Hi Arnaud,
At the time of the DM permission change, we actually added force_login support to the /authorize flow as well, so you can just swap to using /authorize for the behaviour support you want.
The remaining difference between /authenticate and /authorize is that sans-force_login, /authenticate allows you to auto-redirect a user who has already authed your app, whereas /authorize requires user interaction (as per the standard OAuth design, whereas /authenticate deviates from it).
FWIW, whilst only /authorize can be used to initially grant a DM-capable access token, you can use /authorize for the first time a user auths, and then use /authenticate on subsequent auths to auto-redirect if that’s what you want: A token that already exists with DM permissions will not be altered by /authenticate.