If you have various oauth services set up, and people have left a window open for too long and then click on the link to login then they get an ugly 404 error like this:

This also appears in the error logs and we have sites with millions of these errors a month when nothing is actually wrong.

The url looks like this:

https://example.org/auth/oauth2/login.php?id=10&wantsurl=https%3A%2F%2Fexampleorg%2F&sesskey=brokensesskey

We cannot simply redirect to the place as this would bypass the CSRF protections. But the user has done nothing wrong and we should not treat this as an error, nor prompt them to go back and reload and try again.

The problem is compounded when the user see the error, skim reads is (or not) and see's the word 'reload', reloads, and then gets the same error again.

Instead we can just show the service icon again and prompt them to click it. This should not even be a 404.