Why does the authentication call to https://domain/oauth/token with an email address and wrong password fail with a 403 Forbidden instead of 401 Unauthorized?
grant_type is password
The reason the resource owner password grant (/oauth/token with grant_type password) returns a 403 Forbidden when an incorrect password is sent is that RFC 6749 (RFC 6749: The OAuth 2.0 Authorization Framework) describes invalid_grant as:
The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client.
Since in this case the password is part of the resource owner credentials, a 403 error is thrown with:
{
"error": "invalid_grant",
"error_description": "Wrong email or password."
}
A 401 Unauthorized would be reserved for an invalid_user_password error, such as the ones you’ll get when using a redirect based flow.
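To make the answer concrete, here is an added example (not code from the original thread or from any vendor SDK) of a client-side helper that builds the password-grant request body and classifies the token endpoint response by the RFC 6749 `error` code rather than by the HTTP status alone, since, as the answer shows, the status for a wrong password can be 403 with `invalid_grant`. The sample response body is constructed to match the JSON quoted above; the function names and the outcome labels are my own.

```python
import json
from urllib.parse import urlencode

# Error codes RFC 6749 section 5.2 defines for token endpoint error responses.
RFC6749_TOKEN_ERRORS = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}

# Constructed sample: the 403 body quoted in the answer above.
SAMPLE_403_BODY = (
    '{"error": "invalid_grant", '
    '"error_description": "Wrong email or password."}'
)


def build_password_grant_form(username, password, client_id, scope=None):
    """Return the application/x-www-form-urlencoded body for a
    resource owner password grant (RFC 6749 section 4.3.2)."""
    fields = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
    }
    if scope:
        fields["scope"] = scope
    return urlencode(fields)


def interpret_token_response(status, body):
    """Classify a token endpoint response as (outcome, detail).

    outcome is one of: 'success', 'bad_credentials', 'client_error',
    'request_error', 'unexpected'. The decision keys on the JSON
    'error' field, because the HTTP status that accompanies it varies
    between servers (the thread above shows 403 for invalid_grant).
    """
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return ("unexpected", f"non-JSON body with HTTP {status}")

    if status == 200 and "access_token" in data:
        return ("success", data.get("token_type", "bearer"))

    err = data.get("error")
    desc = data.get("error_description", "")
    if err not in RFC6749_TOKEN_ERRORS:
        return ("unexpected", f"HTTP {status}: {err!r}")
    if err == "invalid_grant":
        # Wrong username/password, expired or revoked grant: retrying with
        # the same credentials will not help; report it as a login failure.
        return ("bad_credentials", desc)
    if err in ("invalid_client", "unauthorized_client"):
        # The client itself (id/secret or its grant permissions) is the problem.
        return ("client_error", desc)
    # invalid_request, unsupported_grant_type, invalid_scope: a malformed call.
    return ("request_error", f"{err}: {desc}")


if __name__ == "__main__":
    print(build_password_grant_form("user@example.com", "hunter2", "my-client-id"))
    print(interpret_token_response(403, SAMPLE_403_BODY))
```

Keying on the `error` field also keeps the client from conflating a wrong password (`invalid_grant`) with a misconfigured client (`invalid_client`), which is the distinction the answer draws between the 403 and 401 cases.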
@bobby2 @ricardo.batista I am also facing the same issue. Is it because of passing the wrong grant type? I am passing password and grant type and trying to do login.