OAuth has the invalid_grant error status code, which is already sufficient for the "OP doesn't know the auth_req_id that the Client is asking for" case that CIBA currently has the new unknown_auth_req_id error code for.
I'd suggest that CIBA just use what's already provided by the OAuth 2.0 Authorization Framework. With the benefit of not needing to do an IANA registration per issue
invalid_grant The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
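An added example, not part of the original comment and not code from the CIBA spec or any OP implementation: a sketch of how an OP's token endpoint could map an unknown auth_req_id onto the existing invalid_grant code. The function name, the record layout and the sample store are hypothetical; authorization_pending and expired_token are taken from the published CIBA Core spec rather than from this comment.

```python
# Constructed sample state: auth_req_id -> record held by the OP (all values hypothetical).
PENDING = {
    "req-approved": {"client_id": "client-a", "expires_at": 2000, "status": "approved"},
    "req-waiting": {"client_id": "client-a", "expires_at": 2000, "status": "pending"},
    "req-old": {"client_id": "client-a", "expires_at": 1000, "status": "pending"},
}


def error(code):
    # RFC 6749 section 5.2: token error responses are HTTP 400 with an "error" member.
    return 400, {"error": code}


def ciba_token_response(store, client_id, auth_req_id, now):
    """Return (http_status, json_body) for one token request carrying an auth_req_id."""
    record = store.get(auth_req_id)
    # An auth_req_id the OP does not know, or one issued to another client, fits
    # the quoted invalid_grant definition. Answering both identically also
    # avoids telling a client whether another client's auth_req_id exists.
    if record is None or record["client_id"] != client_id:
        return error("invalid_grant")
    if now >= record["expires_at"]:
        return error("expired_token")
    if record["status"] == "pending":
        return error("authorization_pending")
    # Approved: redeem once, then forget the auth_req_id so a replay is "unknown".
    del store[auth_req_id]
    return 200, {"access_token": "constructed-token", "token_type": "Bearer"}


if __name__ == "__main__":
    store = {k: dict(v) for k, v in PENDING.items()}
    for client, req in [("client-a", "no-such-id"), ("client-b", "req-approved"),
                        ("client-a", "req-waiting"), ("client-a", "req-approved"),
                        ("client-a", "req-approved")]:
        print(client, req, ciba_token_response(store, client, req, now=1500))
```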