This is actually considered expected behavior in this scenario, and while this looks like providing a bit more information in case of a failed attempt to authenticate an user, it follows the standards of the OAuth 2.0, which implies redirecting back to your application with specific error and error_description query parameters.
However though, in Auth0 you can customize the error description received by your application using a Post-Login Action. You can modify the reason from the api.access.deny(reason) object since the post-login - API Object described the reason parameter as:
String. A human-readable explanation for rejecting the login. This is sent as error_description to the application that initiated the request.