Nice. I know it is Luis resonding today. :)
Here is the report link and mistakenly left out previously.
I guess I did pick the missing response_type as my scenario while I mentioned the 400-599 expected response. That makes my explanation a little confusing. But in both the IIB3a1 and IIB3a2 sub tests Duende's Identity Server defaults to a 302 home/error?errorId=... on the authorization server.
I see IIB3a1 as being a precheck and would have expected Duende's Identity Server to respond like the subtest errors describe. I am not sure why they default to an error page on the Auth Server.
For IIB3a2. It seems clear a response to the redirect URI with and error would be the expected behavior.
To be honest I think the test tool is asserting what should happen. I was hoping you would say, "Oh, there is this other behavior that could be interpreted as correct” and then you would proceed to tell me where I could read more about it. For a code base (Duende) that is mature I expected more consistencies with other implementations. If you have more knowledge to shed light on this that would be great. But I will have to present these questions to them. I know how I will resolve this technically but always on the hunt for a longer-term architecture solution that isn't about patching a behavior.