Alternative landing page for authorize token form to workaround unauthorized redirection

[metatoaster]

Certain OS/browser configuration on resource owner's machine may result in them seeing an Insufficient Privileges page instead of the authorize token page when they were already logged in. This is typically triggered by a standalone oob application trying to request for a token, where a background user agent on the machine will resolve to the authorize_token endpoint to the login page (as that background agent is never logged in) which is then passed into the user's browser, thus resulting in the Insufficient Privileges message as they are not logged in.

A possible fix is creating an alternative end point or a landing page which does not redirect if the session is anonymous - it would then present the user a link to the authorize_token endpoint, which would then redirect to the login page, or even better, show the login/register page which would then redirect to the authorize_token endpoint. In the case of logged in users, it would redirect to the standard authorize_token endpoint.