Thrown by OAuthProxy.authorize when the client-supplied redirect_uri is not
an exact match against a previously-registered redirect_uri (RFC 6749
§3.1.2.2 / §10.6) or uses a scheme that is not allowed (RFC 8252 §7.3). The
proxy fails closed: it neither mints proxy state nor forwards the request
upstream. An HTTP mount maps this to a 400 invalid_request.
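The check described above, as an added example that is not the library's own code. The class and function names, the sample client, the 302 success result and the scheme policy (https anywhere, http only for loopback IP literals) are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not the library's API.
class InvalidRedirectUriError extends Error {
  constructor(reason) {
    super(`redirect_uri rejected: ${reason}`);
    this.name = "InvalidRedirectUriError";
  }
}

// Assumed scheme policy: https anywhere, http only on loopback IP literals.
function schemeAllowed(uri) {
  let u;
  try { u = new URL(uri); } catch { return false; }
  if (u.protocol === "https:") return true;
  const loopback = u.hostname === "127.0.0.1" || u.hostname === "[::1]";
  return u.protocol === "http:" && loopback;
}

function checkRedirectUri(registered, supplied) {
  if (typeof supplied !== "string" || supplied === "")
    throw new InvalidRedirectUriError("missing");
  // Exact string comparison: no prefix, wildcard or normalised matching.
  if (!registered.includes(supplied))
    throw new InvalidRedirectUriError("not registered");
  if (!schemeAllowed(supplied))
    throw new InvalidRedirectUriError("scheme not allowed");
  return supplied;
}

// Fail closed: state is minted only after the check has passed.
function authorize(client, params, mintState) {
  const redirectUri = checkRedirectUri(client.redirectUris, params.redirect_uri);
  return { redirectUri, state: mintState() };
}

// HTTP mount: the error becomes 400 invalid_request, anything else propagates.
function handle(client, params, mintState) {
  try {
    return { status: 302, ...authorize(client, params, mintState) };
  } catch (e) {
    if (!(e instanceof InvalidRedirectUriError)) throw e;
    return { status: 400, body: { error: "invalid_request", error_description: e.message } };
  }
}

// Constructed sample registration; the last entry is registered but plain http.
const sampleClient = { redirectUris: [
  "https://app.example/callback",
  "http://127.0.0.1:8721/cb",
  "http://app.example/callback",
] };
```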