We’re calling the Auth0 Authentication API from our server to get an access token for a given user. We use the resource owner password grant to get a token (Authentication API Explorer), and we got an interesting error, “invalid_grant”, when we put an invalid password in the password POST parameter.
But this error is not listed on the common error code page https://auth0.com/docs/libraries/error-messages, and we would expect to get “invalid_password” instead of “invalid_grant” here. Is there an official document that describes the error codes of the Authentication API?
When you try to log in with an incorrect password, you won’t receive “invalid_password”, as this is a user signup error for when the user’s submitted password does not comply with the tenant’s password policy. The error code I believe you are expecting in this situation is “invalid_user_password”, as this indicates that either the username or password is wrong. However, as you have noticed, this is not the error message received for the ROPG flow; instead you are receiving a message like `{"error":"invalid_grant","error_description":"Wrong email or password."}`
This apparent inconsistency is actually logical from the perspective of the OAuth 2.0 spec (which Auth0 follows). Consider what the specification says about how the Resource Owner Password Grant works:
The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access token.
As you can see, the username and password are actually the grant itself, so an invalid username or password constitutes an invalid grant.
If you look at the Error Response section of the OAuth 2.0 specification, you can also see that this is how the specification defines the invalid_grant error code: RFC 6749 - The OAuth 2.0 Authorization Framework
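To make the answer concrete, here is an added example (not Auth0's code and not from the original thread) of how a server-side caller can send a Resource Owner Password Grant request and handle the token endpoint's error response the way RFC 6749 section 5.2 defines it, treating `invalid_grant` as "the credentials were rejected" without telling the end user which half was wrong. The tenant domain, client id and client secret are placeholders, the transport is injectable so the code runs offline, and the sample error body is the one quoted in the answer above.

```python
"""Added example: ROPG request plus RFC 6749 section 5.2 error handling.
Domain, client_id and client_secret below are placeholders, not real values."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Error codes a token endpoint may return (RFC 6749 section 5.2) and what the
# calling server should do about each. Anything else is treated as unknown.
RFC6749_ERRORS = {
    "invalid_request": "request malformed: fix the client, do not retry as-is",
    "invalid_client": "client authentication failed: check client_id/secret",
    "invalid_grant": "grant rejected: for ROPG the grant is the username+password",
    "unauthorized_client": "this client is not allowed to use the password grant",
    "unsupported_grant_type": "token endpoint does not support this grant_type",
    "invalid_scope": "requested scope is invalid or exceeds what can be granted",
}

# One message for every credential failure: never reveal whether the username
# or the password was the wrong part (that is why the spec says invalid_grant).
GENERIC_LOGIN_FAILURE = "Wrong username or password."


def build_ropg_request(token_url, client_id, client_secret, username, password,
                       scope=None):
    """Build the form-encoded body for grant_type=password (RFC 6749 4.3.2)."""
    form = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if scope:
        form["scope"] = scope
    return token_url, urllib.parse.urlencode(form).encode()


def urllib_transport(url, data):
    """Real transport: POST the form and return (status, body) even on 4xx."""
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def classify_token_response(status, body_text):
    """Map a token endpoint response to what the server should do next.

    Returns a dict: ok (bool), code (str), user_message (safe to show),
    log_message (for the server log only; never shown to the end user).
    """
    try:
        body = json.loads(body_text)
    except ValueError:
        return {"ok": False, "code": "malformed",
                "user_message": "Login temporarily unavailable.",
                "log_message": "non-JSON token response, status=%d" % status}
    if status == 200 and "access_token" in body:
        return {"ok": True, "code": "ok", "user_message": "",
                "log_message": "token issued, type=%s" % body.get("token_type")}
    code = body.get("error", "unknown")
    meaning = RFC6749_ERRORS.get(code, "error code not defined by RFC 6749")
    # The server-supplied error_description is useful in logs but must not be
    # echoed to users, since wording can leak account-existence details.
    log_message = "%s (%s): %s" % (code, meaning, body.get("error_description", ""))
    if code == "invalid_grant":
        user_message = GENERIC_LOGIN_FAILURE
    else:
        user_message = "Login temporarily unavailable."
    return {"ok": False, "code": code, "user_message": user_message,
            "log_message": log_message}


def password_grant(transport, username, password,
                   token_url="https://YOUR_TENANT.example/oauth/token",  # placeholder
                   client_id="CLIENT_ID_PLACEHOLDER",
                   client_secret="CLIENT_SECRET_PLACEHOLDER"):
    """Send the ROPG request through `transport` and classify the reply."""
    url, data = build_ropg_request(token_url, client_id, client_secret,
                                   username, password)
    status, body = transport(url, data)
    return classify_token_response(status, body)


def fake_auth0_style_transport(url, data):
    """Constructed offline stand-in returning the error body quoted above."""
    return 400, '{"error":"invalid_grant","error_description":"Wrong email or password."}'


if __name__ == "__main__":
    result = password_grant(fake_auth0_style_transport, "alice", "not-her-password")
    print("show user :", result["user_message"])
    print("log only  :", result["log_message"])
```

Swap `fake_auth0_style_transport` for `urllib_transport` to call a real endpoint; the classifier does not depend on the exact HTTP status, since section 5.2 mandates 400 but deployments vary, and it only trusts the `error` field.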