Login fails with error code 403 instead of 401

Why does the authentication call to https://domain/oauth/token with an email address and wrong password fail with a 403 Forbidden instead of 401 Unauthorized?
grant_type is password

The reason for the resource owner password grant (/oauth/token with grant_type password) to throw a 403 Forbidden when the incorrect password is sent is that in the RFC 6749
( https://tools.ietf.org/html/rfc6749#section-4.3 ) it describes invalid_grant as:

           The provided authorization grant (e.g., authorization
           code, resource owner credentials) or refresh token is
           invalid, expired, revoked, does not match the redirection
           URI used in the authorization request, or was issued to
           another client.

Since in this case the password is part of the resource owner credentials, a 403 error is thrown with:

{
    "error": "invalid_grant",
    "error_description": "Wrong email or password."
}

A 401 Unauthorized would be reserved for an invalid_user_password error, such as the ones you’ll get when using a redirect based flow.