Usage of invalid_grant for password grant

[ThisIsAreku]

In case of an authentication failure in password grant, the returned error is a invalid_grant (400)

oauth2-server/src/Grant/PasswordGrant.php

Lines 97 to 108 in 07bb5e0

	$user = $this->userRepository->getUserEntityByUserCredentials(
	$username,
	$password,
	$this->getIdentifier(),
	$client
	);
	if ($user instanceof UserEntityInterface === false) {
	$this->getEmitter()->emit(new RequestEvent(RequestEvent::USER_AUTHENTICATION_FAILED, $request));
	throw OAuthServerException::invalidGrant();
	}

I can't find any informations in RFC about invalid_credentials but thinks it's a more appropriate error in this case, and it's already defined in OAuthServerException

oauth2-server/src/Exception/OAuthServerException.php

Lines 185 to 193 in 07bb5e0

	/**
	* Invalid credentials error.
	*
	* @return static
	*/
	public static function invalidCredentials()
	{
	return new static('The user credentials were incorrect.', 6, 'invalid_credentials', 401);
	}

Or maybe I should throw it myself in my implementation of UserRepositoryInterface ?

[Sephster]

We returned invalid_credentials in version 7 but found this did not comply with the OAuth 2 RFC. Unless stated, servers should return a 400 response. The invalid_grant response should be returned if client_authentication fails. Details for this change can be found here.

I hope this clarifies matters but if you'd like to discuss further please feel free to respond. Marking this as closed unless further information comes to light.