diff --git a/internal/api/token.go b/internal/api/token.go
index 2f6f9e3b22..52729ac4bf 100644
--- a/internal/api/token.go
+++ b/internal/api/token.go
@@ -117,27 +117,29 @@ func (a *API) ResourceOwnerPasswordGrant(ctx context.Context, w http.ResponseWri
 
 	grantParams.FillGrantParams(r)
 
-	if params.Email != "" {
+	switch {
+	case params.Email != "" && config.External.Email.Enabled:
 		provider = "email"
-		if !config.External.Email.Enabled {
-			return badRequestError("Email logins are disabled")
-		}
 		user, err = models.FindUserByEmailAndAudience(db, params.Email, aud)
-	} else if params.Phone != "" {
+
+	case params.Phone != "" && config.External.Phone.Enabled:
 		provider = "phone"
-		if !config.External.Phone.Enabled {
-			return badRequestError("Phone logins are disabled")
-		}
 		params.Phone = formatPhoneNumber(params.Phone)
 		user, err = models.FindUserByPhoneAndAudience(db, params.Phone, aud)
-	} else {
+
+	case !config.External.Email.Enabled:
+		return badRequestError("Email logins are disabled")
+
+	case !config.External.Phone.Enabled:
+		return badRequestError("Phone logins are disabled")
+
+	default:
 		return oauthError("invalid_grant", InvalidLoginMessage)
 	}
 
-	if err != nil {
-		if models.IsNotFoundError(err) {
-			return oauthError("invalid_grant", InvalidLoginMessage)
-		}
+	if err != nil && models.IsNotFoundError(err) {
+		return oauthError("invalid_grant", InvalidLoginMessage)
+	} else if err != nil {
 		return internalServerError("Database error querying schema").WithInternalError(err)
 	}