How to handle non-login error from generic Oauth2 provider?

I’m trying to incorporate authentication for my users to a generic OAuth2 provider (really a tenant-specific instance of Salesforce auth) and I’m running into a wrinkle I can’t figure out. We’re using the classic experience still.

  1. Provider has a marketplace and handles billing, access control, etc.
  2. We have our own existing login and are looking to incorporate this oauth2 in parallel
  3. User visits our site, clicks login, and classic experience loads the hosted login.
  4. When a provider user hits the "Login with… " button, everything works if access is enabled (user set up billing, etc)
  5. When a provider user tries to log in without marketplace access, provider returns the below error as a 200 response in the callback.

https://MYDOMAIN.auth0.com/login/callback?error=OAUTH_APP_ACCESS_DENIED&error_description=user+is+not+admin+approved+to+access+this+app&state=blahblah

{
  "error": "access_denied",
  "error_description": "user is not admin approved to access this app"
}

What happens in the access_denied scenario is they authenticate successfully with the generic oauth2 provider, the provider callback hits my auth0 callback, the classic experience closes - and the person is stuck looking at our landing page with no indication of why login failed. So they try again and get the same result.

What I expect to happen is that I can display something to the user for feedback. However, I don’t see where/how I can catch the access_denied error in the callback -> callback -> close classic experience handling. Hooks, rules, actions, etc. aren’t useful because they happen downstream of all this process.

I’m using a stock fetchUserProfileScript that is working fine, but even that only gets called if the generic oauth2 provider call follows the happy path.

How do you handle this??
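
An added example, not part of the original post and not Auth0 or Salesforce code: one way to turn an error callback like the one quoted above into user feedback. It assumes the application can read the `error`, `error_description` and `state` parameters on a URL it controls; `parseAuthCallback`, `KNOWN_ERRORS`, `GENERIC` and the message texts are hypothetical names and strings. Because those parameters are attacker-controllable, the message shown comes from a fixed table and `error_description` is kept only for logging.

```javascript
// Fixed, app-owned messages keyed by error code. Codes are taken from the post;
// the message wording is constructed for this example.
const KNOWN_ERRORS = {
  OAUTH_APP_ACCESS_DENIED:
    'Your account is not approved for this app yet. Check your marketplace access.',
  access_denied: 'The identity provider denied this login.',
};
const GENERIC = 'Login failed. Please try again or contact support.';

// Classify an OAuth2 callback URL. expectedState is the value the app stored
// before starting the login (hypothetical storage, not shown here).
function parseAuthCallback(callbackUrl, expectedState) {
  const url = new URL(callbackUrl);
  // Error parameters may arrive in the query string or in the fragment.
  const raw = url.search.slice(1) || url.hash.slice(1);
  const params = new URLSearchParams(raw);
  const error = params.get('error');
  if (!error) return { ok: true };

  // Only trust the specific error code if state matches what we issued;
  // otherwise anyone could link a user to a crafted "error" page.
  const stateOk = params.get('state') === expectedState;
  // hasOwnProperty guards against codes such as "constructor" or "__proto__".
  const known = Object.prototype.hasOwnProperty.call(KNOWN_ERRORS, error);

  return {
    ok: false,
    code: known ? error : 'unknown_error',
    stateOk,
    // Never echo error_description into the page: it is untrusted input.
    message: known && stateOk ? KNOWN_ERRORS[error] : GENERIC,
    // Truncated copy for server-side or console logging only.
    logDetail: (params.get('error_description') || '').slice(0, 200),
  };
}

// Constructed sample input, modelled on the URL in the post.
const sample =
  'https://MYDOMAIN.auth0.com/login/callback?error=OAUTH_APP_ACCESS_DENIED' +
  '&error_description=user+is+not+admin+approved+to+access+this+app&state=blahblah';
const result = parseAuthCallback(sample, 'blahblah');
console.log(result.code, '->', result.message);
```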