stormpath / stormpath-sdk-java

Official Java SDK for the Stormpath User Management REST API

When logging in with OAuth, bad password results in "Invalid grant" as error #1336

Open mraible opened 7 years ago

mraible commented 7 years ago

I'm using the Stormpath Angular SDK with Spring Boot Stormpath Starter version 2.0.0-okta-rc1. If I enter a bad password, the error message is "Invalid grant" rather than "Invalid username or password.".

You can reproduce this problem using HTTPie. The following will work.

http -f POST localhost:8080/oauth/token grant_type=password username=VALID_USERNAME password=CORRECT_PASSWORD

This does not:

http -f POST localhost:8080/oauth/token grant_type=password username=VALID_USERNAME password=BAD_PASSWORD

HTTP/1.1 400
Cache-Control: no-store, no-cache
Connection: close
Content-Length: 53
Content-Type: application/json;charset=ISO-8859-1
Date: Thu, 01 Jun 2017 14:58:09 GMT
Expires: 0
Pragma: no-cache
Set-Cookie: JSESSIONID=6A12DD8C7656A3BD4ADD9EEE5DBF6B02; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

{
    "error": "invalid_request",
    "message": "Invalid grant"
}

bdemers commented 7 years ago

"Invalid grant" is the error message we receive back from Okta. To change this, we will need to handle this case specifically. We need to look into this a bit more and make sure that we only do this for user/password requests.
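
Added example, not part of the thread and not code from stormpath-sdk-java: one way to scope the message rewrite to `grant_type=password` requests so that other grant types keep the upstream wording. The class and method names are hypothetical, and the sample requests are constructed from the HTTPie calls above.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Illustration only: TokenErrorMessages and messageFor are hypothetical names,
// not part of the Stormpath or Okta SDKs.
public class TokenErrorMessages {

    // Message text the issue shows coming back from the token endpoint.
    static final String UPSTREAM_INVALID_GRANT = "Invalid grant";
    // Message text the reporter expects for a failed login.
    static final String BAD_CREDENTIALS = "Invalid username or password.";

    /**
     * Returns the message to send to the client for a failed token request.
     * The rewrite applies only when the request was a password grant AND the
     * upstream answered HTTP 400 with "Invalid grant"; everything else is
     * passed through unchanged.
     */
    static String messageFor(Map<String, String> form, int status, String upstreamMessage) {
        boolean passwordGrant = "password".equals(form.get("grant_type"));
        boolean invalidGrant = status == 400
                && upstreamMessage != null
                && UPSTREAM_INVALID_GRANT.equalsIgnoreCase(upstreamMessage.trim());
        if (passwordGrant && invalidGrant) {
            // One message for both "no such user" and "wrong password", so the
            // response does not reveal which usernames exist.
            return BAD_CREDENTIALS;
        }
        return upstreamMessage;
    }

    public static void main(String[] args) {
        // Constructed request: the failing call from the issue.
        Map<String, String> login = new LinkedHashMap<>();
        login.put("grant_type", "password");
        login.put("username", "VALID_USERNAME");
        login.put("password", "BAD_PASSWORD");

        // Constructed request: a different grant that can also fail upstream.
        Map<String, String> refresh = new LinkedHashMap<>();
        refresh.put("grant_type", "refresh_token");
        refresh.put("refresh_token", "PLACEHOLDER_TOKEN");

        System.out.println(messageFor(login, 400, "Invalid grant"));   // rewritten
        System.out.println(messageFor(refresh, 400, "Invalid grant")); // passed through
        System.out.println(messageFor(login, 500, "Server error"));    // passed through
    }
}
```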