I do it this way: I use the new appearing page of the login as the oops page. It then says that you either used the wrong data or you don’t have authorization. Or something similar. But you have to write that yourself.
The login form stays in and gets the heading “try again”. I have added a form with which you can either request a new password, or request an access.
The actual login is done via a popup that contains the login form. Works fine.
Login forms can also be added on any of the website pages, but a standalone login page needs to exist: it’s where visitors will be sent to authenticate, if they access a restricted page or asset.