Trying to cancel a sign-in by appending 'error' to oauth2/authresp returns 'invalid response'
We are trying to get an OIDC provider to return an 'access denied' error back to an Azure AD B2C user flow when the user cancels or fails the sign-in.
The Azure AD B2C documentation states that we should be able to send an error back to AADB2C during the authentication flow using the format https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/authresp?error={error_code}&state={state sent in the original auth request}.
When calling back to the oauth2/authresp endpoint with an access_denied error code, AADB2C seems to choke and redirects back to the original client we're trying to sign into with the error:
AADB2C90273: An invalid response was received : 'Error: access_denied' Correlation ID: 3529ded9-1045-423b-9f0b-293b6ecf3b38 Timestamp: 2024-06-25 13:38:15Z
How should sign-in failures from OIDC providers be returned to AADB2C to state that the provider doesn't accept the sign-in?
The documentation implies an error can be sent with a fragment: https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect, whereas the OIDC standards imply returning errors with query parameters. Neither seems to work when talking to /oauth2/authresp.
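For reference, this added example (not from the question or from Microsoft) builds the OAuth 2.0 error redirect in both forms the question mentions, query string and fragment, and parses it back while checking that the echoed state matches. The tenant name and the state value are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder for the B2C reply endpoint named in the question.
AUTHRESP = "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp"


def build_error_redirect(redirect_uri, error, state, error_description=None,
                         response_mode="query"):
    """Build the error response an OIDC provider redirects the user-agent with.

    RFC 6749 section 4.1.2.1: `error` is required, `error_description` is
    optional, and `state` must be echoed unchanged when the client sent one.
    The parameters go in the query string by default; `response_mode="fragment"`
    puts them after '#', which is the form the question says the B2C docs imply.
    """
    params = {"error": error, "state": state}
    if error_description:
        params["error_description"] = error_description
    sep = "#" if response_mode == "fragment" else "?"
    # urlencode percent-encodes spaces, ':' and '&' so values cannot break the URL.
    return f"{redirect_uri}{sep}{urlencode(params)}"


def parse_error_redirect(url, expected_state):
    """Parse an error redirect (query or fragment form) and verify the state.

    Returns a dict with the error fields; raises ValueError when the redirect is
    malformed or the state does not match the one issued for this request.
    """
    parts = urlsplit(url)
    raw = parts.query or parts.fragment  # accept either placement
    fields = {k: v[0] for k, v in parse_qs(raw).items()}
    if "error" not in fields:
        raise ValueError("error parameter missing")
    if fields.get("state") != expected_state:
        # A mismatched or missing state means the response does not belong to
        # the pending authorization request and must not be acted on.
        raise ValueError("state mismatch")
    return fields
```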