Unsure how to map "UnauthorizedError" to actual route.

I am using ASP.NET Core 2.0 with JWT, and am trying to figure out how to get my users to see a page telling them to validate their email after registration.
I’ve added the custom rule, as seen below;

function (user, context, callback) {
  if (!user.email_verified) {
    return callback(new UnauthorizedError('Please verify your email before logging in.'));
  } else {
    return callback(null, user, context);
  }
}

But I don’t understand any of this. I can’t figure out what “UnauthorizedError” is supposed to be, in relation to my own site. I am having a hard time figuring out how to just get it to send them to [XYZ ROUTE] on my WebAPI to show them the actual page.

Is there any way I can accomplish this? I’ve read through the documentation ad-nauseum and It’s just not making much sense to me.

Assuming an OIDC configuration fairly similar to the ASP .NET Core 2.0 quickstart then the client application initiated an authorization code grant which if completed successfully will return a code parameter to the redirect URL so that it can be exchanged by tokens.

When you include a custom rule such as the one you showed the UnauthorizedError triggered by the rule will fail the authentication request which translation to OIDC/OAuth 2.0 terms means that the client application will now receive an error response instead of a successful authorization response containing the code parameter.

In addition, an error response according to OAuth 2.0 will contain a mandatory error parameter and optionally and error_description and error_uri. For the rule in question you will be getting error= unauthorized and error_description=Please verify your email before logging in..

If you then configure your client application to do something like:

options.Events = new OpenIdConnectEvents
{
    OnMessageReceived = context =>
    {
        if (context.ProtocolMessage.Error == "unauthorized")
        {
            context.HandleResponse();
            context.Response.Redirect("/Unauthorized");
        }

        return Task.FromResult(0);
    },
};

You can effectively redirect the end-user to custom page when an protocol message is received and containing an unauthorized error. You can further tweak the conditions; the above is just for illustration purposes.