Error code on bad credentials in password grant type

[yebor974]

• Passport Version: 8
• Laravel Version: 6.2
• PHP Version: 7.2
• Database Driver & Version: pgsql 12

Description:

When i send bad credentials (username or password) to the oauth/token route, i receive a invalig_grant error (HTTP status 400 bad request). ? Why not receive a 401 status code

Response in error:
{ "error": "invalid_grant", "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.", "hint": "", "message": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client." }

When i put valid username or password i receive a good token.

[n10000k]

@yebor974 Please see this RFC:
https://tools.ietf.org/html/rfc6749#section-5.2

[Sephster]

This is functioning correctly as per the OAuth2 spec. A 401 would require returning some kind of challenge which is why the RFC authors opted for a 400

[driesvints]

Please see the comments above.

[tohidhabiby]

Update UserFactory password (use Hash::make() not bcrypt)

[gkarugi]

To anyone who needs to handle this gracefully, you can handle the eception in your exception Handler with this:-

if ($exception instanceof OAuthServerException and $exception->getCode() === 10) {
    return response()->json(['message' => 'Your credentials are incorrect. Please try again'], 401);
} 

Reasoning behind this is the error code for unsupported_grant_type is 2 while the one being used for invalid grant(in this case invalid creds) is 10.