invalid_grant Error When Credentials are Incorrect

[lucianobosco]

I'm using the native oatuh2-serve included in Laravel 6.2.
In the previous version of oauth2-server, I used to face a 400 error when credentials were missing and 401 error when credentials were wrong.
This is not happening since this PR #967.

Is this the way you handle returning errors now? How can I know about missing or wrong credentials?

Sorry if this question does not belong here, but not sure where to post it.

[Sephster]

Hi @Imboga - yep, we changed this because the old response wasn't conforming to the OAuth 2 specs properly. You could possibly leverage the event to track an invalid credentials attempt

[lucianobosco]

Perfect! Thanks for your fast reply. I will try to find a way to handle this.

[lk77]

Hello,

is there a way to restore the old behaviour ?

401 error code is mandatory for us in our specs. The clients needs to know that the credentials are invalid.

[Sephster]

The only way would be to downgrade to an older version of the library. I would recommend that if you need to track this, you should leverage the events systems instead.

We won't be reverting this change as the previous implementation didn't conform to the OAuth 2 spec unfortunately.

[siarheipashkevich]

@Imboga did you find the solution for your problem?

[meyer59]

@Sephster can you provide an example how to handle events to return different status code ?

[Sephster]

@meyer59 If you are using the server middleware, you could maybe intercept the exception and change the response to whatever you want it to be. I wouldn't recommend this though as the responses given by the server are valid OAuth responses. Hope this helps

[lucianobosco]

@meyer59 @siarheipashkevich I know this is an old thread but due to @Sephster PR was rejected I want to share with you my current solution.
First of all, I want to clarify that I'm using 2 isolated projects, the UI based on Vue JS and the API done with Laravel 8.
For security reasons, I'm not exposing the /oauth/token passport URL when a login is requested. Instead, I use guzzle to request the token from within the controller.
Saying that this is my full login function in my auth controller. Hope it helps!

public function login(Request $request) {
        $http = new Client;

        $response = $http->post(config('services.passport.login_endpoint'), [
            'form_params' => [
                'grant_type' => 'password',
                'client_id' => config('services.passport.client_id'),
                'client_secret' => config('services.passport.client_secret'),
                'username' => $request->username,
                'password' => $request->password,
            ],
            'http_errors' => false
        ]);

        if ($response->getStatusCode() == 200) {
            $result = $response->getBody()->getContents();
            $access_token = json_decode($result)->access_token;
            $refresh_token = json_decode($result)->refresh_token;

            // Attach tokens to response header
            header("Authorization: Bearer ".$access_token);
            header("Refresh: ".$refresh_token);

            // Attach tokens to body response
            return response()->json([
                'access_token' => $access_token,
                'refresh_token' => $refresh_token
            ], $response->getStatusCode());

        } else if ($response->getStatusCode() == 400) {
            return response()->json(__('auth.failed'), $response->getStatusCode());
        } else if ($response->getStatusCode() === 401) {
            return response()->json(__('auth.issued'), $response->getStatusCode());
        }

        return response()->json(__('auth.server_error'), $response->getStatusCode());
    }

In regards to returning tokens, I'm exposing both access_token and refresh_token in the response header but also in the response body, is your choice to expose them as you wish depending on how your App will consume the tokens.