
Add OIDC authentication error response support#2033

Merged
miloschwartz merged 3 commits into fosrl:dev from buggystick:feature/oidc-email-error
Dec 17, 2025

Conversation

@buggystick
Contributor

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

  • Surface any OIDC provider errors returned via query parameters (error, error_description, error_uri) by passing them to ValidateOidcToken, skipping the backend call, and rendering the provider’s own message as the primary alert so users immediately see why the login stopped.
  • Tidy the callback UI so provider-supplied errors fully replace the generic “problem connecting” copy, while retaining the fallback text for errors we generate ourselves.
  • Wrap /api/v1/auth/idp/:id/oidc/validate-callback in targeted error handling for OAuth2RequestError, UnexpectedResponseError, UnexpectedErrorResponseBodyError, and ArcticFetchError, logging structured details and returning meaningful HTTP codes/messages instead of a generic 500.
  • Add guardrails for missing authorization code or state so we display actionable guidance when the IdP doesn’t return the expected parameters.

How to test?

  1. npm install
  2. npm run set:oss && npm run set:sqlite
  3. Configure config/config.yml (e.g., dashboard URL http://localhost:3002), then run npm run db:sqlite:generate and npm run db:sqlite:push.
  4. Start the stack with npm run dev.
  5. Configure an OIDC identity provider (tested with Auth0: authorization URL https://.auth0.com/authorize, token URL https://.auth0.com/oauth/token, redirect http://localhost:3002/auth/idp//oidc/callback).
  6. From the dashboard login, authenticate with an account that the IdP blocks (e.g., email not verified). The callback page should display the provider’s error description verbatim, with no extra generic text, and the browser should remain on the callback page.
  7. Authenticate with an allowed account. The standard code exchange path should complete, creating a session and redirecting to your requested resource.
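As an added example (not code from this PR or from the fosrl project), here is how a callback's query string can be classified along the lines the description gives: a provider error response, missing code/state, or a code ready for the token exchange. Because the redirect URL is built by whoever sends the browser to it, the provider's description is kept as plain text for escaped rendering and error_uri is only passed on when it is an https URL; the type and function names are assumptions.

```typescript
// Added example, not the project's own code: classify the query string an OIDC
// provider redirects back with, before any token exchange is attempted.
type OidcCallbackResult =
  | { kind: "provider_error"; error: string; description: string | null; errorUri: string | null }
  | { kind: "missing_params"; missing: Array<"code" | "state"> }
  | { kind: "success"; code: string; state: string };

// "error" is limited to printable ASCII minus '"' and '\' (RFC 6749 section 4.1.2.1);
// anything else is not a valid provider error code and is reported as such.
const ERROR_CODE_RE = /^[\x20-\x21\x23-\x5B\x5D-\x7E]{1,64}$/;

// error_uri is only passed on when it is an absolute https URL, so a crafted
// callback link cannot smuggle in a javascript: or data: target.
function safeErrorUri(value: string | null): string | null {
  if (!value) return null;
  try {
    return new URL(value).protocol === "https:" ? value : null;
  } catch {
    return null;
  }
}

export function classifyOidcCallback(query: string | URLSearchParams): OidcCallbackResult {
  const q = typeof query === "string" ? new URLSearchParams(query) : query;
  const error = q.get("error");
  if (error !== null) {
    // The whole redirect URL is under the browser's control, so the description is
    // plain text to be rendered escaped (never as HTML) and capped in length.
    const description = q.get("error_description");
    return {
      kind: "provider_error",
      error: ERROR_CODE_RE.test(error) ? error : "invalid_error_code",
      description: description ? description.slice(0, 500) : null,
      errorUri: safeErrorUri(q.get("error_uri")),
    };
  }
  const code = q.get("code");
  const state = q.get("state");
  const missing: Array<"code" | "state"> = [];
  if (!code) missing.push("code");
  if (!state) missing.push("state");
  if (missing.length > 0) return { kind: "missing_params", missing };
  // Only now is a backend call worthwhile; state must still be matched against the
  // value stored when the login started (done server-side, outside this example).
  return { kind: "success", code: code!, state: state! };
}
```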

@miloschwartz miloschwartz changed the base branch from main to dev December 17, 2025 16:19
@miloschwartz
Member

Thanks @buggystick! This will make debugging a lot easier for people.

@miloschwartz miloschwartz merged commit 1b13132 into fosrl:dev Dec 17, 2025