Invalid_grant error code received instead of documented error codes

I followed the following guides to integrate our existing api with Auth

In the example, I followed using WrongUsernameOrPasswordError(email) for error handling wrong passwords and was expecting invalid_user_password as the error but all we keep getting in invalid_grant. Where is invalid_grant documented as I can’t seem to find it?

We are getting this when requesting for resource owner access token but the same also happens even without a custom audience.

Here is an example request.

POST https://{instance}.auth0.com/oauth/token
{
“grant_type”: “http://auth0.com/oauth/grant-type/password-realm”,
“client_id”: “{clientid}”,
“username”: “{username}”,
“password”: “{password}”,
“realm”: “Username-Password-Authentication”,
“audience”: “https://{resourceowner}/api”,
“scope”: “openid email”
}

Hi. I am also facing the issues?

Hey guys!

Sorry for delay in response. Basically Auth0 provide multiple grants (authentication and authorization flows) that you need to use base on your needs. Here’s an ultimate resource on getting a grasp of knowledge on each grant:

Let me know if it’s helpful for you!

Hey there folks,

Have you been able to go through the resources I provided?

Hello!

The invalid_grant error is documented in the oauth2 specification (which Auth0 follows): https://tools.ietf.org/html/rfc6749#section-5.2

invalid_grant
The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

Because you’re using the resource owner password grant, most likely this error means your username and password are invalid. If you check the error description you receive back with the error code, it should clarify for you what is going wrong.

1 Like