"12. Push Error Payload" lists
expired_token as an
error code and its description says as follows.
auth_req_idhas expired. The Client will need to make a new Authentication Request. OpenID Providers are not required to send this error, but Clients SHOULD support receiving this error.
However, there is no chance that OpenID provider implementations use the error code in the push mode unless the implementations repurpose the error code, for example, for a case where end-user authentication and authorization could not finish in a reasonable amount of time which is longer than the lifetime of the
auth_req_id. So, I'm afraid it would be better to remove
expired_token from the list of error codes applicable to the push error payload.