OAuth1

Redirect cancelled authorization requests to the callback URL

Open bradyvercher opened this issue 10 years ago • 0 comments

The OAuth 1.0a spec doesn't mention how to handle authorization requests when the end-user denies access, but the OAuth 2.0 spec is pretty clear that the user should be returned to the callback URL with an access denied error when safe to do so (which is when the callback can be validated).

Currently, if an end-user cancels the authorization request, the server just kills the request with no path forward or helpful error message.

If the OAuth 2.0 error responses were adopted as mentioned in #108, clients could handle access denied messages.

Twitter displays an intermediate step after a user denies access that allows them to decide if they want to return to the application or not. If they do, it seems to redirect to the callback URL without the token and verifier parameters. However, it looks like the OAuth client from the League of Extraordinary Packages seems to expect a denied parameter in the query string.

bradyvercher, Dec 08 '15 21:12
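As an added illustration (not code from this project or from the issue author), a Python sketch of the server-side step the issue asks for: on denial, redirect to the callback only after validating it against the client's registration, and carry both the OAuth 2.0 style `error=access_denied` code and the `denied` parameter mentioned above. The client registration table and the choice of the request token as the `denied` value are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample client registration (hypothetical, not project data).
REGISTERED_CLIENTS = {
    "client-abc": {"callbacks": ["https://app.example.com/oauth/callback"]},
}


def callback_is_valid(client_id: str, callback: str) -> bool:
    """Redirect only to a callback that matches a registered one.

    Scheme, host and path must match exactly; the query is left free so the
    client can carry its own state. Anything else would be an open redirect.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    cb = urlsplit(callback)
    if cb.scheme != "https" or cb.fragment:
        return False
    for allowed in client["callbacks"]:
        al = urlsplit(allowed)
        if (cb.scheme, cb.netloc, cb.path) == (al.scheme, al.netloc, al.path):
            return True
    return False


def denial_redirect(client_id: str, callback: str, request_token: str):
    """URL to send the user to after they deny authorization.

    Returns None when the callback cannot be validated; in that case the
    server must render its own error page instead of redirecting anywhere.
    """
    if not callback_is_valid(client_id, callback):
        return None
    parts = urlsplit(callback)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [
        ("oauth_token", request_token),  # identifies the cancelled request
        ("error", "access_denied"),      # OAuth 2.0 error code (RFC 6749)
        ("denied", request_token),       # parameter some OAuth 1 clients read
    ]
    return urlunsplit(parts._replace(query=urlencode(query), fragment=""))
```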