I had a discussion with SF Support agent, after which he suggested that I should create this idea.
Issue is that after Auth Provider resturns error to SF callback URL, ErrorCode and ErrorDescription are masked. It is because salesforce has it's own set of errors. I understand that, but it would be nice to get original error description into error handler. For example as another param like ExternalErrorDescription or something.
Without this information we are unable to handle these errors properly. For example there is a different errorDescription returned from Auth provider when users clicks on cancel button or on forgotten password. But when it hits error handler URL for that auth provider, ErrorDescription and ErrorCode have the same values for both actions.
I've created Question in salesforce stackexchange: https://salesforce.stackexchange.com/questions/337584/auth-provider-callback-masking-errordescription