According to https://tools.ietf.org/html/rfc6749#section-4.1.2.1, the access_denied scenario should produce a redirect_uri (if valid) with appropriate "error" params set. Currently, however, the access ("request.query.allowed") is checked before validating the input params, including the redirect_uri, and throws an exception instead.

https://github.com/oauthjs/node-oauth2-server/blob/master/lib/handlers/authorize-handler.js#L81