OIDC callback server doesn't display errors query params

[tgross]

While working on testing #19318, I discovered that at least one OIDC provider (MSFT ADFS) returns errors in a error query parameter of the callback URL. This results in a URL like the following:

http://localhost:4649/oidc/callback?error=invalid_resource&error_description=MSIS9602%3a+The+received+%27resource%27+parameter+is+invalid.+The+authorization+server+can+not+find+a+registered+resource+with+the+specified+identifier.&state=st_h3QSSe5YSaai7JZydqqk&client-request-id=6497f86e-a844-4304-4300-0080030000f0

The embedded page doesn't display this to the user in any obvious way, so we end up getting a "success" login page and then the subsequent request to complete the workflow gets an error like:

2024-01-08T14:45:00.649-0500 [DEBUG] http: request failed: method=PUT path=/v1/acl/oidc/complete-auth

error=
| RPC Error:: 400,invalid OIDC complete-auth request: 1 error occurred:
| \t* missing code
|
code=400

[jrasell]

I took a quick look at this and it looks like we need to check for an error query parameter in the ServerHTTP function and then optionally see if error_description description is included. If this is present, we could write an error response and display an error page with the detail found.

okta OIDC response object docs: https://developer.okta.com/docs/reference/api/oidc/#response-properties

[tgross]

Yeah I think we'll probably need to send on the ErrorChannel as well so the CLI picks that up as an error rather than success.