Hi. We are using hydra to act as an IDP. Sometimes we need to reject login requests (OIDC), but the relying party (a whitelabel solution we are using) does not seem to handle the rejection properly. – Instead of showing a message to the user they retry the request which results in an endless loop. 💥 So my idea to work around this is to reject the request in our login endpoint, but not redirect to the redirect_url of the reject response, but to show our own 403 page with some useful information instead. Do you think that makes sense or does this break the OAuth flow and would make it unusable for other relying parties?

What is the "normal" reject response? Basically a 403 page as well right? From a first glance this seems reasonable to me. I am not sure if it breaks the flow for other parties though.

My understanding that the relying party should handle a rejection. Is that right?