invalid_grant status code should be 400

According to section 5.2 of rfc 6749 (https://tools.ietf.org/html/rfc6749#section-5.2) A server should respond with 400 in case of an invalid grant. The given grant is invalid and the client should give other data. A 401 is not applicable here because the client is required to give a suitable Authorization header field which doesn't make any sense if you are trying to acquire a grant authentication. According to sections 10.4.1 and 10.4.2 of rfc 2616 (https://tools.ietf.org/html/rfc2616#section-10.4.1)
oauthlib · Jul 4, 2018 · a4f39fc · a4f39fc
1 parent cfcbe99
commit a4f39fc
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/oauthlib/oauth2/rfc6749/errors.py b/oauthlib/oauth2/rfc6749/errors.py
@@ -245,7 +245,7 @@ class InvalidGrantError(OAuth2Error):
     issued to another client.
     """
     error = 'invalid_grant'
-    status_code = 401
+    status_code = 400
 
 
 class UnauthorizedClientError(OAuth2Error):

diff --git a/tests/oauth2/rfc6749/grant_types/test_refresh_token.py b/tests/oauth2/rfc6749/grant_types/test_refresh_token.py
@@ -109,7 +109,7 @@ def test_invalid_token(self):
         token = json.loads(body)
         self.assertEqual(self.mock_validator.save_token.call_count, 0)
         self.assertEqual(token['error'], 'invalid_grant')
-        self.assertEqual(status_code, 401)
+        self.assertEqual(status_code, 400)
 
     def test_invalid_client(self):
         self.mock_validator.authenticate_client.return_value = False