We need to check some more details about a user’s account as part of a refresh token flow. These checks obviously need to go in the Rules. But in the event that a user fails the checks, we need to return a 400 invalid_grant error. Unfortunately, the two sorts of error that seem to be available from within a rule are Error and UnauthorizedError. The former returns a 500 Internal Server Error and the latter a 401 Unauthorized error.
Is it possible to return a 400 error somehow?
If not, is there a different flow that we ought to be following?