Authorization code flow fails redirection in case of failing SAML identity brokering or user cancelation

Hi there,

I am stuck in an authorization flow I am implementing with Keycloak 6.0.1.

I have an OAuth client requesting an authorization code using the standard “auth?response_type=code” approach.

The user can select a custom identity provider, which sends out a SAML request and receives back a SAML response, after which consent is asked and finally the authorization code is returned.

Redirection to the client is successful in the happy flow, and also for a denied consent, but if the SAML response contains an AuthnFailed status then the user is always routed back to the Keycloak login page with an optional error message instead of being redirected to the OAuth client with a failure response.

Is this indeed the expected error handling flow for an authorization code request, and if so, how can I change this behaviour? A configuration change would be preferred over overriding a provider implementation (like org.keycloak.broker.saml.SAMLEndpoint.Binding#handleLoginResponse).

By the way, I also noticed that the cancel flow is not implemented for the SAML IdP.

Hopefully someone can point me in some direction.