gbv / paia

Specification of Patrons Account Information API (PAIA)
http://gbv.github.io/paia

Specify error response for mismatching username and password on auth/change #60

Closed lahmann closed 1 year ago

lahmann commented 7 years ago

If the patron has no scope to change the password but nonetheless tries to, error response 403 is defined. If the service is not implemented, error response 501 is defined - other HTTP status codes might apply for other error scenarios.

In order to allow the client to return a meaningful message to the patron, it should be defined which error response will get returned on mismatching username and password, as this check is required. Would 401 be appropriate?

401 (“Unauthorized”) Importance: High. The client tried to operate on a protected resource without providing the proper authentication credentials. It may have provided the wrong credentials, or none at all. The credentials may be a username and password, an API key, or an authentication token—whatever the service in question is expecting. It’s common for a client to make a request for a URI and accept a 401 just so it knows what kind of credentials to send and in what format. [...]

(from http://stackoverflow.com/a/1960453)

nichtich commented 5 years ago

If the patron has no scope to change a password the error response at method change should have error insufficient_scope and code 403: https://gbv.github.io/paia/paia.html#request-errors - this should be sufficient for a meaningful message, shouldn’t it?

For PAIA auth method login there is no scope but credentials must be sent. What's wrong with 403 in case of invalid credentials? Should the documentation be more clear? What different kinds of errors should be differentiated for which method?

nichtich commented 1 year ago

Response for valid scope to change password but mismatching username/password is 403 and code access_denied.
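Worked example, added here and not code from the PAIA project: a minimal server-side decision for auth/change following the outcome of this issue (501 not implemented, 403 insufficient_scope for a missing scope, 403 access_denied for a wrong patron/password), plus the client-side mapping of the returned PAIA error object to a patron-facing message. Assumed: the error body fields error/code/error_description as in the PAIA request-errors section, the scope name change_password, and a constructed patron store.

```python
import hashlib
import hmac
import json


def hash_pw(password):
    # Stand-in for a real password hash (argon2/bcrypt); unsalted sha256 is for the example only
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample store: patron -> password hash
PATRONS = {"alice": hash_pw("correct horse")}

# Scope required by the auth/change method (assumed name, check the PAIA spec)
CHANGE_SCOPE = "change_password"


def paia_error(status, error, description):
    """Build a PAIA-style error response as (HTTP status, JSON body)."""
    body = {"error": error, "code": status, "error_description": description}
    return status, json.dumps(body)


def change_password(patron, password, new_password, token_scopes, implemented=True):
    """Decide the auth/change response in the order discussed in the issue."""
    if not implemented:
        return paia_error(501, "not_implemented", "Password change is not supported")
    if CHANGE_SCOPE not in token_scopes:
        # Token is valid but lacks the scope: 403 insufficient_scope
        return paia_error(403, "insufficient_scope", "Scope %s is required" % CHANGE_SCOPE)
    stored = PATRONS.get(patron, "")
    # Constant-time compare; unknown patron and wrong password yield the same error
    if not stored or not hmac.compare_digest(stored, hash_pw(password)):
        return paia_error(403, "access_denied", "Wrong patron or password")
    PATRONS[patron] = hash_pw(new_password)
    return 200, json.dumps({"patron": patron})


def client_message(status, body):
    """Map a PAIA response to a message a client could show to the patron."""
    if status == 200:
        return "Password changed."
    error = json.loads(body).get("error")
    messages = {
        "insufficient_scope": "Your session is not allowed to change the password.",
        "access_denied": "Username or password is wrong.",
        "not_implemented": "This library does not support changing passwords online.",
    }
    return messages.get(error, "Unexpected error %s (HTTP %d)" % (error, status))
```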