id_token_hint: The spec says that the server SHOULD return a "negative response" if the required subject isn't logged in. We have found out that for proper client/server interop there has to be an agreed error code for that.
The base OAuth 2.0 "access_denied" error is one possible candidate for that, but is too general.
The OIDC error "login_required" seems more specific, and it also ties in nicely with the (common?) id_token_hint case when it is used with prompt=none.
Finally, what error should the server return if prompt=none and the server's policy expects an id_token_hint, but it is missing in the authz request? invalid_request?
What are the security implications of not requiring an id_token_hint with prompt=none?
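
The decision discussed above, sketched as an added example that is not part of the original post or of any server's code: it handles a prompt=none request using the error codes the post names as candidates. The function names, the `require_hint` policy flag, and the use of `invalid_request` for a hint from another issuer are assumptions, and the id_token_hint is assumed to have had its signature verified before its claims are passed in.

```python
from urllib.parse import urlencode

# Candidate error codes taken from the post; they are proposals, not a ruling.
LOGIN_REQUIRED = "login_required"   # required subject is not logged in
HINT_MISSING = "invalid_request"    # policy expects a hint, none was sent


def silent_auth_result(session_sub, hint_claims, issuer, require_hint):
    """Decide a prompt=none request.

    session_sub  -- subject of the current server session, or None
    hint_claims  -- claims of the already verified id_token_hint, or None
    Returns (subject, None) on success or (None, error_code) on failure.
    """
    if hint_claims is None:
        if require_hint:
            return None, HINT_MISSING
        # Without a hint the server answers for whoever holds the session,
        # so the client has to compare the returned sub with its own user.
        if session_sub is None:
            return None, LOGIN_REQUIRED
        return session_sub, None
    if hint_claims.get("iss") != issuer or not hint_claims.get("sub"):
        # Assumption: a hint this server did not issue is a malformed request.
        return None, "invalid_request"
    if session_sub != hint_claims["sub"]:
        # Nobody is logged in, or a different user is.
        return None, LOGIN_REQUIRED
    return session_sub, None


def error_redirect(redirect_uri, error, state=None):
    """Build the error response sent back to the client's redirect_uri."""
    query = {"error": error}
    if state is not None:
        query["state"] = state
    sep = "&" if "?" in redirect_uri else "?"
    return redirect_uri + sep + urlencode(query)
```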