ory / network

Ory runs a global end-to-end security infrastructure for humans, robots, and servers. We build and use open source software.
Apache License 2.0

OIDC callback returns 401 to browser when identity state is inactive #397

Open timblackwell opened 2 months ago

timblackwell commented 2 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

When there is an error, the callback should redirect to the configured Error UI URL with a flow parameter set. This enables our UI to render the error message as desired.

I don't want to leave the customer on Ory Network Project with JSON error in body, even if the identity is inactive.

Reproducing the bug

  1. Configure Ory Project to use Custom UI, including the Error UI URL.
  2. Register identity using OIDC provider.
  3. Set identity status to inactive.
  4. Attempt to login again, using browser based OIDC code flow.

Relevant log output

No response

Relevant configuration

No response

Version

Ory Network

On which operating system are you observing this issue?

Ory Network

In which environment are you deploying?

Ory Network

Additional Context

The redirect from Google back to Ory Network: https://ory-network-project/self-service/methods/oidc/callback/google?state=redacted&code=redacted&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&authuser=0&hd=redacted&prompt=none

The response from Ory Network:

{
  "error": {
    "code": 401,
    "status": "Unauthorized",
    "request": "6d05d366-57ba-9f83-8c08-065582fa0953",
    "reason": "This account was disabled.",
    "details": { "identity_id": "redacted" },
    "message": "identity is disabled"
  }
}
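The behaviour the report asks for, written up as an added Go example (not Ory's code): the callback keeps the browser on the configured Error UI by redirecting with only an opaque error id, while a client that explicitly asks for JSON still gets the 401 body quoted above. The Error UI URL, the `id` query parameter name, the Accept-header heuristic and the `err-0001` id are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/url"
	"strings"
)

// Assumed Error UI URL; a real project takes this from its configuration.
const errorUIURL = "https://ui.example.com/error"

// identityError mirrors the fields of the JSON body quoted in the issue.
type identityError struct {
	Code    int    `json:"code"`
	Status  string `json:"status"`
	Reason  string `json:"reason"`
	Message string `json:"message"`
}

// isBrowserFlow is an assumed heuristic: a browser following the IdP's
// redirect does not ask for JSON, while an API client sets Accept accordingly.
func isBrowserFlow(r *http.Request) bool {
	return !strings.Contains(r.Header.Get("Accept"), "application/json")
}

// writeCallbackError applies the behaviour the issue asks for: browser flows
// are redirected to the Error UI with only an opaque error id in the query
// (reason and identity_id stay server-side), API flows get the JSON body.
func writeCallbackError(w http.ResponseWriter, r *http.Request, errID string, e identityError) {
	if isBrowserFlow(r) {
		q := url.Values{"id": {errID}}
		http.Redirect(w, r, errorUIURL+"?"+q.Encode(), http.StatusSeeOther)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(e.Code)
	_ = json.NewEncoder(w).Encode(map[string]identityError{"error": e})
}

// handleCallback stands in for the OIDC callback once the identity has been
// found inactive; the error value is constructed from the issue's response.
func handleCallback(w http.ResponseWriter, r *http.Request) {
	e := identityError{Code: 401, Status: "Unauthorized",
		Reason: "This account was disabled.", Message: "identity is disabled"}
	writeCallbackError(w, r, "err-0001", e)
}
```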

jonas-jonas commented 2 months ago

Additional context:

Use API flows, to implement the above. See the JSON error returned on the OIDC callback (this should be a redirect to the error UI instead, even for API flows).