Whenever client code does something wrong, we should strive to provide feedback that makes identifying and fixing that error as easy as possible. That means 1) gathering as much information about the error as possible, 2) returning that error to the client in a form it can act on (a structured error object, not something that gets mistaken for a valid response), and 3) logging the error (helpful for debugging legacy or unmaintained clients whose developers cannot easily change them).
Related:
- T179030: OAuthClient should check for error before validating JWT (same issue, but in the client, not the server)
- T212851: Confusing error for OAuth consumers with rollback but not edit grant (MW core permission handling also should provide clearer errors, especially where grants are involved)
- T188848: All OAuth logs should include the consumer key (if all else fails and the client developer asks the OAuth maintainers for support, they should be able to find useful information in Logstash about why the request failed, keyed by that consumer)
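The following is an added illustration of the three points above and of the client-side issue in T179030; it is not code from the MediaWiki OAuth extension or from OAuthClient. It assumes a server that returns an error as a JSON object with `error` and `message` fields, a client that otherwise expects an HS256-signed JWT, and a constructed consumer key and error body; the helper names (`server_error_response`, `parse_identify_response`, `explain_failure`) are hypothetical. The point it demonstrates is that a client which validates the JWT first reports a confusing "malformed token" error, while one that checks for an error object first surfaces the server's actual reason together with the consumer key:

```python
import base64
import hashlib
import hmac
import json
import logging


class OAuthClientError(Exception):
    """Raised when the server reports an error; carries what a developer needs to debug it."""

    def __init__(self, code, message, consumer_key):
        super().__init__(f"{code}: {message} (consumer_key={consumer_key})")
        self.code = code
        self.message = message
        self.consumer_key = consumer_key


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_jwt(claims, secret):
    # Hypothetical helper so the example can build a valid token offline (HS256 only).
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token, secret):
    """Minimal HS256 check; a real client would also check exp/iss/aud and the alg header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have three segments")
    header, payload, sig = parts
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("JWT signature mismatch")
    return json.loads(_b64url_decode(payload))


def server_error_response(code, message, consumer_key, logger=logging.getLogger("oauth")):
    """Server side (points 1 and 3): log with the consumer key, then return a structured error body."""
    logger.warning("OAuth request failed: %s: %s consumer_key=%s", code, message, consumer_key)
    return {"error": code, "message": message}


def parse_identify_response(body, consumer_key, secret):
    """Client side (T179030): look for an error object before treating the body as a JWT."""
    try:
        parsed = json.loads(body)
    except ValueError:
        parsed = None  # a bare JWT is not valid JSON, so this is the normal success path
    if isinstance(parsed, dict) and "error" in parsed:
        raise OAuthClientError(parsed["error"], parsed.get("message", ""), consumer_key)
    return verify_hs256_jwt(body, secret)


def explain_failure(body, consumer_key, secret):
    """Return (naive_message, careful_message): validate-JWT-first versus check-error-first."""
    try:
        verify_hs256_jwt(body, secret)
        naive = "ok"
    except ValueError as e:
        naive = str(e)
    try:
        parse_identify_response(body, consumer_key, secret)
        careful = "ok"
    except (OAuthClientError, ValueError) as e:
        careful = str(e)
    return naive, careful


# Constructed sample data: the consumer key, secret and error text are made up for this example.
SAMPLE_CONSUMER_KEY = "abc123"
SAMPLE_SECRET = "s3cret"
SAMPLE_ERROR_BODY = json.dumps(
    server_error_response(
        "invalid-authorization",
        "The authorization headers in your request are not valid",
        SAMPLE_CONSUMER_KEY,
    )
)

if __name__ == "__main__":
    naive, careful = explain_failure(SAMPLE_ERROR_BODY, SAMPLE_CONSUMER_KEY, SAMPLE_SECRET)
    print("JWT-first client reports:  ", naive)
    print("error-first client reports:", careful)
    token = make_hs256_jwt({"sub": "alice"}, SAMPLE_SECRET)
    print("valid token yields claims: ", parse_identify_response(token, SAMPLE_CONSUMER_KEY, SAMPLE_SECRET))
```

The order of checks is the whole point: the server's error body is valid JSON but not a JWT, so a client that goes straight to JWT validation can only ever say "malformed token", which hides the real cause (here a bad Authorization header) and gives the developer nothing to search Logstash for. Checking for the error object first turns the same response into a message that carries the server's error code, its explanation, and the consumer key the server logged it under.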