The error should be invalid_grant as it is the grant (the resource owner's username and password) that is invalid.

On Tue, Sep 13, 2011 at 10:07 AM, Colm Divilly <colm.divi...@oracle.com> wrote:
> Apologies if this has been covered before, a cursory search of the archives
> and issue tracker didn't turn up anything.
>
> What is the expected error response when performing a Resource Owner
> Password Credentials flow, if the resource owner provides incorrect
> credentials?
>
> From reading the spec it looks like the expectation is that a response like
> the following should be generated:
>
> HTTP/1.1 400 Bad Request
> Content-Type: application/json;charset=UTF-8
> Cache-Control: no-store
> Pragma: no-cache
>
> {
> "error":"invalid_request"
> }
>
> Which is not terribly helpful for a user-agent trying to determine that it
> is the user supplied credentials at fault (and therefore be able to
> re-prompt the user for credentials). Perhaps something like the following
> would be more useful:
>
> HTTP/1.1 400 Bad Request
> Content-Type: application/json;charset=UTF-8
> Cache-Control: no-store
> Pragma: no-cache
>
> {
> "error":"invalid_resource_owner_credentials"
> }
>
> A bit verbose perhaps, any alternative suggestions?
>
> Regards,
> Colm Divilly
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
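
Added example, not part of the original thread and not code from either poster: a sketch of a password-grant token endpoint that returns `invalid_request` only for a malformed request and `invalid_grant` for wrong resource owner credentials, plus the client check that decides whether to re-prompt. The user store, salt, function names and the omission of client authentication are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

_SALT, _ROUNDS = b"constructed-salt", 100_000  # constructed demo values

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ROUNDS)

USERS = {"alice": _hash("correct horse")}  # constructed sample user store
_DUMMY = _hash("placeholder")  # compared against when the username is unknown
HEADERS = {"Content-Type": "application/json;charset=UTF-8",
           "Cache-Control": "no-store", "Pragma": "no-cache"}

def _error(code):
    return 400, dict(HEADERS), json.dumps({"error": code})

def token_endpoint(form):
    """Handle a token request; returns (status, headers, body)."""
    if not form.get("grant_type"):
        return _error("invalid_request")
    if form["grant_type"] != "password":
        return _error("unsupported_grant_type")
    username, password = form.get("username"), form.get("password")
    if not username or not password:
        # The request itself is malformed; no credentials were checked.
        return _error("invalid_request")
    # Hash and compare on every request, so an unknown username takes the
    # same path as a wrong password and both get the same error.
    match = hmac.compare_digest(_hash(password), USERS.get(username, _DUMMY))
    if not (match and username in USERS):
        return _error("invalid_grant")
    token = {"access_token": secrets.token_urlsafe(32),
             "token_type": "bearer", "expires_in": 3600}
    return 200, dict(HEADERS), json.dumps(token)

def error_code(status, body):
    """Client side: the "error" value of a 400 response, else None."""
    if status != 400:
        return None
    try:
        parsed = json.loads(body)
    except ValueError:
        return None
    return parsed.get("error") if isinstance(parsed, dict) else None

def should_reprompt(status, body):
    """Re-prompt the user only when the grant itself was rejected."""
    return error_code(status, body) == "invalid_grant"
```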