When an Application Load Balancer (ALB) is configured to authenticate users against an OIDC IdP provider, there are a variety of circumstances where the IdP may deny access, thereby redirecting the user back to the ALB with the "error" and "error_description" query parameters, as per the OAuth2 spec. (One such example is if the user is denied access from the context of an Auth0 post-login action.)
In these scenarios, it appears that the ALB will simply automatically render a blank "401 Authorization Required" page, rather than displaying the error details, or providing the ALB target an opportunity to respond to the error in a user/client-friendly manner. I've reviewed (and even commented) on the troubleshooting article, but I've not found any solution so far.
Is there any configuration or other possibility for handling this case in a user-friendly manner? At the very least, the page the error sees should provide an option for retrying the authentication process.
I have considered using CloudFront in front of the ALB to intercept the error response, but it seems that 401 is not in the list of status codes that can be configured to have a custom error response.