When a user is presented with the Authorize account access page (https://meta.sr.ht/oauth2/authorize?client_id=...), clicking Cancel
does not cancel the request, but instead issues the token as if Grant account access
was clicked. I would have expected the redirect_url
to be called with error="access_denied"
per 0