The code introduced by #18185 gets the error from the response after it was processed by goth.
That is incorrect, as goth (and golang.org/x/oauth) doesn't really care about the error, and it sends a token request with an empty authorization code to the server anyway, which always results in an `oauth2: cannot fetch token: 400 Bad Request` error from goth.
It means that unless the "state" parameter is omitted from the error response (which is required to be present, according to [RFC 6749, Section 4.1.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1)) or the page is reloaded (which makes the session invalid), a 500 Internal Server Error page will be displayed.
This fixes it by handling the error before the request is passed to goth.
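As an added illustration (not code from this pull request or from goth), the following sketch checks an authorization callback for the RFC 6749 Section 4.1.2.1 error fields before any token exchange. `CallbackError` and `CheckCallback` are hypothetical names, and the sample query strings are constructed.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/url"
)

// CallbackError (hypothetical type) carries the RFC 6749 §4.1.2.1 error fields.
type CallbackError struct{ Code, Description, URI string }

func (e *CallbackError) Error() string {
	if e.Description != "" {
		return fmt.Sprintf("oauth2 authorization failed: %s: %s", e.Code, e.Description)
	}
	return "oauth2 authorization failed: " + e.Code
}

// CheckCallback (hypothetical helper) inspects the redirect query before the
// token exchange. It returns the authorization code, or a *CallbackError when
// the provider reported an error, so no token request goes out with an empty code.
func CheckCallback(rawQuery, wantState string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", fmt.Errorf("malformed callback query: %w", err)
	}
	// "state" is present on error responses too, so verify it first.
	got := q.Get("state")
	if wantState == "" || subtle.ConstantTimeCompare([]byte(got), []byte(wantState)) != 1 {
		return "", errors.New("state mismatch")
	}
	if code := q.Get("error"); code != "" {
		return "", &CallbackError{Code: code, Description: q.Get("error_description"), URI: q.Get("error_uri")}
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carries neither code nor error")
	}
	return q.Get("code"), nil
}

func main() {
	// Constructed sample callbacks: a denied request and a successful one.
	for _, raw := range []string{
		"error=access_denied&error_description=user+cancelled&state=s1",
		"code=abc123&state=s1",
	} {
		code, err := CheckCallback(raw, "s1")
		fmt.Printf("code=%q err=%v\n", code, err)
	}
}
```

A caller can use `errors.As` on the returned error to show the provider's message to the user instead of a generic 500 page.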
iferr.Error()=="securecookie: the value is too long"||strings.Contains(err.Error(),"Data too long"){
log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider",authSource.Name,setting.OAuth2.MaxTokenLength)
err=fmt.Errorf("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider",authSource.Name,setting.OAuth2.MaxTokenLength)
}
// goth does not provide the original error message
// https://github.com/markbates/goth/issues/348
ifstrings.Contains(err.Error(),"server response missing access_token")||strings.Contains(err.Error(),"could not find a matching session for this request"){
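Review bot: The two `if` conditions here classify failures by matching substrings of `err.Error()` (for example "server response missing access_token" and "securecookie: the value is too long"), which will silently stop matching if goth or securecookie rewords a message. Since the description says the provider's error is now handled before the request reaches goth, please add a short comment stating which failures can still reach these branches, and a test that pins the matched strings so a dependency update that changes them is caught.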