When logging in with OAuth, bad password results in "Invalid grant" as error #1336

Open
mraible opened this Issue Jun 1, 2017 · 1 comment

Contributor

mraible commented Jun 1, 2017

I'm using the Stormpath Angular SDK with Spring Boot Stormpath Starter version 2.0.0-okta-rc1. If I enter a bad password, the error message is "Invalid grant" rather than "Invalid username or password."

[Screenshot: invalid-grant]

You can reproduce this problem using HTTPie. The following will work.

http -f POST localhost:8080/oauth/token grant_type=password username=VALID_USERNAME password=CORRECT_PASSWORD

This does not:

http -f POST localhost:8080/oauth/token grant_type=password username=VALID_USERNAME password=BAD_PASSWORD

HTTP/1.1 400
Cache-Control: no-store, no-cache
Connection: close
Content-Length: 53
Content-Type: application/json;charset=ISO-8859-1
Date: Thu, 01 Jun 2017 14:58:09 GMT
Expires: 0
Pragma: no-cache
Set-Cookie: JSESSIONID=6A12DD8C7656A3BD4ADD9EEE5DBF6B02; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

{
    "error": "invalid_request",
    "message": "Invalid grant"
}
Contributor

bdemers commented Jun 13, 2017

"Invalid grant" is the error message we receive back from Okta. To change this, we will need to handle this case specifically. We need to look into this a bit more and make sure that we only do this for user/password requests.
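The mapping bdemers describes (a friendly credential message only for user/password requests, other grant types left alone) as an added Python illustration; this is not code from the Stormpath or Okta SDKs, and the function name and the sample upstream body (taken from the response quoted above) are assumptions.

```python
import json
import logging

log = logging.getLogger("token-endpoint")

# Constructed sample: the upstream error body quoted in the issue above.
UPSTREAM_BODY = '{"error": "invalid_request", "message": "Invalid grant"}'

FRIENDLY_MESSAGE = "Invalid username or password."


def normalize_token_error(grant_type, upstream_status, upstream_body):
    """Return (status, body) to send to the client for a failed token request.

    Only the resource-owner password grant gets the friendly credential
    message; other grant types keep the upstream error so clients can still
    tell, say, an expired refresh token from a malformed request.
    """
    try:
        upstream = json.loads(upstream_body)
    except ValueError:
        upstream = {}
    code = upstream.get("error", "invalid_request")
    detail = upstream.get("message") or upstream.get("error_description") or ""

    # Keep the upstream detail in the server log for troubleshooting; the
    # client only ever sees the normalized body built below.
    log.info("token request failed: grant_type=%s status=%s error=%s detail=%s",
             grant_type, upstream_status, code, detail)

    credential_failure = grant_type == "password" and (
        code == "invalid_grant" or detail.lower() == "invalid grant")
    if credential_failure:
        # RFC 6749 section 5.2: bad resource-owner credentials are reported
        # as invalid_grant, with the human-readable text in error_description.
        return 400, {"error": "invalid_grant", "error_description": FRIENDLY_MESSAGE}
    return upstream_status, {"error": code, "error_description": detail}
```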
