OAuth 2: broken error handling when denying access to scopes during authorization code flow

Problem

This is easiest to see via a quick replication:

1. Set up a Google OAuth 2 issuer
2. Set up the Googledocs repository, setting the google issuer you created in step 1.
3. Go to private files and click to add a new file
4. Select the Google repository
5. Click "Log in to your account" (you'll get a popup window)
6. When/if prompted, pick the relevant google account
7. When prompted to approve scopes, click "Cancel" instead of "Approve"
   Expected: The popup closes and you're shown {}something{} meaningful
   Actual: The popup remains open, and redirect you to login, with the message "You're already signed in as user x..." etc.
   E.g.
   

This is awfully clumsy.

This seems to be directly related to MDL-71254 (certainly that issue didn't consider the 'internal services' use case at all), but has perhaps been a problem ever since the inception of the google/microsoft, etc. sso. In any case, it's a problem on admin/oauth2callback.php.

Solution

What should happen? Errors, like the error that's passed back when you deny an auth request, should be sent back to the calling code (in this case repository) when the user is an authenticated user. It's up to the calling code to handle that (and close popups, cleanup, etc). When we're not logged in, we can then safely redirect to the login page as we do now.