invalid_grant seems like the appropriate error as the username and password are the grant in the context of the Resource Owner Password Credentials flow/grant type.
On Tue, Jun 28, 2011 at 9:47 AM, George Fletcher <gffle...@aol.com> wrote:
>
> I'm working on spec'ing out a use of the Resource Owner Password Credentials
> flow and in trying to map out possible error cases, realized that there is no
> good error for the case that the resource owner's password credentials are
> invalid. Section 4.3 of draft 16 references section 5.2 for errors. The list
> of available errors in section 5.2 are...
>
>    error
>          REQUIRED.  A single error code from the following:
>          invalid_request
>                The request is missing a required parameter, includes an
>                unsupported parameter or parameter value, repeats a
>                parameter, includes multiple credentials, utilizes more
>                than one mechanism for authenticating the client, or is
>                otherwise malformed.
>          invalid_client
>                Client authentication failed (e.g. unknown client, no
>                client credentials included, multiple client credentials
>                included, or unsupported credentials type).  The
>                authorization server MAY return an HTTP 401
>                (Unauthorized) status code to indicate which HTTP
>                authentication schemes are supported.  If the client
>                attempted to authenticate via the "Authorization" request
>                header field, the authorization server MUST respond with
>                an HTTP 401 (Unauthorized) status code, and include the
>                "WWW-Authenticate" response header field matching the
>                authentication scheme used by the client.
>          invalid_grant
>                The provided authorization grant is invalid, expired,
>                revoked, does not match the redirection URI used in the
>                authorization request, or was issued to another client.
>          unauthorized_client
>                The authenticated client is not authorized to use this
>                authorization grant type.
>          unsupported_grant_type
>                The authorization grant type is not supported by the
>                authorization server.
>          invalid_scope
>                The requested scope is invalid, unknown, malformed, or
>                exceeds the scope granted by the resource owner.
>
> I'm wondering if others have chosen one of these values to represent the
> "invalid_credentials" use case.
>
> Thanks,
> George
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
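
An added example, not from the thread or the draft: a token endpoint handler that maps Resource Owner Password Credentials failures to the section 5.2 error codes quoted above, reporting bad resource owner credentials as `invalid_grant` as the reply suggests. The client registry, user store, KDF parameters and the HTTP 400 status for non-client errors (as in RFC 6749 section 5.2) are assumptions.

```python
import base64, hashlib, hmac

def _kdf(password):  # constructed salt and iteration count, for the demo only
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000)

# Constructed sample data, not from the thread.
CLIENTS = {
    "demo-client": {"secret": "s3cret", "grants": {"password"}, "scopes": {"read"}},
    "no-pw-client": {"secret": "other", "grants": set(), "scopes": {"read"}},
}
USERS = {"alice": _kdf("correct horse")}
SUPPORTED_GRANTS = {"password"}

def _err(code, status=400, headers=None):
    return status, headers or {}, {"error": code}

def token_endpoint(form, authorization=None):
    """Map a password-grant token request to (status, headers, body)."""
    scheme, _, blob = (authorization or "").partition(" ")
    try:
        cid, _, csecret = base64.b64decode(blob).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        cid = csecret = ""
    client = CLIENTS.get(cid)
    if (scheme.lower() != "basic" or client is None or
            not hmac.compare_digest(client["secret"].encode(), csecret.encode())):
        # 401 is a MUST when the Authorization header was used, a MAY otherwise.
        return _err("invalid_client", 401, {"WWW-Authenticate": 'Basic realm="token"'})
    grant = form.get("grant_type")
    username, password = form.get("username"), form.get("password")
    if not grant:
        return _err("invalid_request")
    if grant not in SUPPORTED_GRANTS:
        return _err("unsupported_grant_type")
    if grant not in client["grants"]:
        return _err("unauthorized_client")
    if not username or not password:
        return _err("invalid_request")
    if not set(form.get("scope", "").split()) <= client["scopes"]:
        return _err("invalid_scope")
    # Unknown user and wrong password follow the same path and get the same
    # invalid_grant answer, so the response does not reveal valid usernames.
    stored = USERS.get(username, b"\0" * 32)
    if not hmac.compare_digest(stored, _kdf(password)):
        return _err("invalid_grant")
    return 200, {"Cache-Control": "no-store"}, {
        "access_token": "constructed-token", "token_type": "bearer"}
```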