Currently the cancel button always redirects to the redirect_uri with error=access_denied.
This is fine if the application wants to handle the rejected login. However, it does
require the application to add logic/error handling to display a suitable error message to
the user instead of just a generic 400 error page.
I propose we add a configuration option to clients for how the cancel button is handled.
Options would be:
* None - don't display the cancel button; this is useful when login is mandatory (for
example our admin console)
* Error redirect - redirect to redirect_uri with error=access_denied
* Return to app - redirect to base_url of client (if this is set, base_url would be
required)
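
A sketch of how the three proposed options could be resolved on the server side, added here as an illustration and not part of the original proposal or of any project's code. The names `CancelMode`, `validate_client`, `show_cancel_button` and `cancel_target` are hypothetical; echoing `state` on the error redirect follows RFC 6749 and is assumed, as is a `redirect_uri` that was already checked against the client's registered URIs.

```python
from enum import Enum
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class CancelMode(Enum):          # hypothetical names for the three proposed options
    NONE = "none"                # no cancel button is rendered
    ERROR_REDIRECT = "error"     # current behaviour
    RETURN_TO_APP = "app"        # send the user to the client's base_url


def validate_client(mode: CancelMode, base_url: Optional[str]) -> None:
    """Reject a client configuration that could not be honoured at login time."""
    if mode is CancelMode.RETURN_TO_APP and not base_url:
        raise ValueError("base_url is required when cancel mode is 'return to app'")


def show_cancel_button(mode: CancelMode) -> bool:
    return mode is not CancelMode.NONE


def cancel_target(mode: CancelMode, redirect_uri: str,
                  base_url: Optional[str] = None,
                  state: Optional[str] = None) -> Optional[str]:
    """Return the URL the cancel button leads to, or None when there is no button.

    Assumption: redirect_uri was validated against the client's registered
    redirect URIs before the login page was shown.
    """
    validate_client(mode, base_url)
    if mode is CancelMode.NONE:
        return None
    if mode is CancelMode.RETURN_TO_APP:
        return base_url
    # ERROR_REDIRECT: keep the existing query, append error=access_denied and state
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("error", "access_denied"))
    if state is not None:
        query.append(("state", state))
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Running `validate_client` when the client is saved, rather than only at login time, keeps a "return to app" client without a base_url from ever reaching the login page.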