The error should be invalid_grant as it is the grant (the resource
owner's username and password) that is invalid.


On Tue, Sep 13, 2011 at 10:07 AM, Colm Divilly <colm.divi...@oracle.com> wrote:
> Apologies if this has been covered before; a cursory search of the archives
> and issue tracker didn't turn up anything.
>
> What is the expected error response when performing a Resource Owner
> Password Credentials flow, if the resource owner provides incorrect
> credentials?
>
> From reading the spec it looks like the expectation is that a response like
> the following should be generated:
>
>     HTTP/1.1 400 Bad Request
>     Content-Type: application/json;charset=UTF-8
>     Cache-Control: no-store
>     Pragma: no-cache
>
>     {
>       "error":"invalid_request"
>     }
>
> Which is not terribly helpful for a user-agent trying to determine that it
> is the user supplied credentials at fault (and therefore be able to
> re-prompt the user for credentials). Perhaps something like the following
> would be more useful:
>
>     HTTP/1.1 400 Bad Request
>     Content-Type: application/json;charset=UTF-8
>     Cache-Control: no-store
>     Pragma: no-cache
>
>     {
>       "error":"invalid_resource_owner_credentials"
>     }
>
> A bit verbose perhaps; any alternative suggestions?
>
> Regards,
> Colm Divilly
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
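The distinction drawn in the reply, as an added illustration that is not part of the thread: a minimal token-endpoint handler for the Resource Owner Password Credentials grant that answers a malformed request with invalid_request and a well-formed request carrying bad credentials with invalid_grant, using the headers quoted above. The credential store, salt and token format are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample credential store: username -> PBKDF2 hash (not real data).
_SALT = b"example-salt-not-for-production"
_ITERATIONS = 100_000
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)}
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _SALT, _ITERATIONS)

# Headers the thread quotes for token-endpoint error responses.
_HEADERS = {
    "Content-Type": "application/json;charset=UTF-8",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}


def _error(code, description=None):
    body = {"error": code}
    if description:
        body["error_description"] = description
    return 400, _HEADERS, json.dumps(body)


def _credentials_valid(username, password):
    stored = _USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    # Always hash and compare, even for unknown users, so response timing does
    # not reveal whether the username exists.
    match = hmac.compare_digest(stored if stored is not None else _DUMMY_HASH, candidate)
    return stored is not None and match


def token_endpoint(form):
    """Handle a token request; `form` is a dict of the POST body parameters.
    Returns (status, headers, json_body)."""
    grant_type = form.get("grant_type")
    if grant_type is None:
        return _error("invalid_request", "grant_type is required")
    if grant_type != "password":
        return _error("unsupported_grant_type")
    username, password = form.get("username"), form.get("password")
    if username is None or password is None:
        # The request itself is malformed: a required parameter is missing.
        return _error("invalid_request", "username and password are required")
    if not _credentials_valid(username, password):
        # The request is well-formed; the grant (the owner's credentials) is what is invalid.
        return _error("invalid_grant")
    token = {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}
    return 200, _HEADERS, json.dumps(token)
```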