Resource owner is called on invalid client_credentials

[jarosan]

I have an app that uses Password Credentials flow and load the user with resource_owner_from_credentials.

When the request to get the token comes with an invalid client_id and/or client_secret i would expect resource_owner_from_credentials never to get called as the request would fail anyway with a 401. However the method is still called.

Problem is that my resource_owner_from_credentials is fetching user data from external service and i would want to avoid doing unnecessary external calls for requests that will fail with a 401 due to invalid client.

[nbulaj]

Hi @jarosan. I have to check why it not fast fail for the case when credentials are invalid, but anyway PRs are welcome!
Thanks for pointing this out

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.