
Wrong response when using password grant_type and invalid user credentials #59

Open
koemeet opened this issue Mar 14, 2014 · 2 comments


koemeet commented Mar 14, 2014

Hi,

When you're requesting an access token based on user credentials, you get a wrong response when your credentials are invalid.

Expected result:

{
  "error_description" : "Invalid username and password combination",
  "error" : "invalid_grant"
}

Instead, it only returns:

{
  "error" : "invalid_grant"
}

I will create a pull-request if necessary.

Best wishes,
Steffen Brem

koemeet added a commit to koemeet/oauth2-php that referenced this issue Mar 14, 2014
@koemeet koemeet mentioned this issue Mar 14, 2014
alanbem added a commit that referenced this issue Mar 14, 2014
@a6software

I think the error here is self::HTTP_UNAUTHORIZED rather than self::HTTP_BAD_REQUEST.

I know that's not the change you made, but would appreciate your input on this anyway.

The RFC for these two says:

 invalid_request
       The request is missing a required parameter, includes an
       unsupported parameter or parameter value, or is otherwise
       malformed.

 access_denied
       The resource owner or authorization server denied the
       request.

The issue here is that throwing a 400 implies one of the two params is missing from the request, or is of the wrong type. Whereas supplying both username and password, where one of the two turns out to be invalid, should return a 401.

I've made the change locally and done some manual tests and everything seems to work properly, but would appreciate a second opinion on this.


ghost commented Jul 12, 2018

Do you know what the cause of the following is?

{
    "error": "invalid_client"
}
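For reference, here are the token-endpoint error responses discussed in this thread as RFC 6749 section 5.2 prescribes them, as an added Python example that is not oauth2-php code: invalid_grant with the error_description the issue asks for, invalid_request for a missing parameter, and invalid_client as a 401 with WWW-Authenticate when the client authenticated through the Authorization header. The `verify_user` callback and the realm value are assumptions of this example.

```python
import json

# RFC 6749 s5.2 limits error_description to %x20-21 / %x23-5B / %x5D-7E,
# i.e. printable ASCII without '"' and '\'.
_DESC_CHARS = {chr(c) for c in range(0x20, 0x7F)} - {'"', "\\"}

# Headers every token-endpoint error response carries (RFC 6749 s5.1/5.2).
_BASE_HEADERS = {
    "Content-Type": "application/json;charset=UTF-8",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}

def token_error(error, description=None, client_used_auth_header=False):
    """Build (status, headers, body) for a token-endpoint error.

    Every error is a 400 except invalid_client, which must be a 401 carrying
    WWW-Authenticate when the client authenticated via the Authorization
    header. The realm value is an assumption for this example.
    """
    status = 400
    headers = dict(_BASE_HEADERS)
    if error == "invalid_client" and client_used_auth_header:
        status = 401
        headers["WWW-Authenticate"] = 'Basic realm="token"'
    body = {"error": error}
    if description:
        body["error_description"] = "".join(c for c in description if c in _DESC_CHARS)
    return status, headers, body

def handle_password_grant(params, verify_user):
    """Validate a grant_type=password request and return an error tuple.

    `params` is the parsed form body; `verify_user(username, password)` is
    the deployment's credential check (assumed here, returns True/False).
    A missing parameter is invalid_request, a failed check is invalid_grant
    with a description. On success None is returned: token issuance is
    out of scope for this example.
    """
    if params.get("grant_type") != "password":
        return token_error("unsupported_grant_type")
    username, password = params.get("username"), params.get("password")
    if not username or not password:
        return token_error("invalid_request", "username and password are required")
    if not verify_user(username, password):
        return token_error("invalid_grant", "Invalid username and password combination")
    return None

def render(response):
    """Serialize an error tuple into the JSON text the client receives."""
    status, headers, body = response
    return status, headers, json.dumps(body, sort_keys=True)
```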
