We have a Grails 3.2.7 application and use the org.grails.plugins:spring-security-oauth2-provider:3.0.0-RC2 plugin in our application and everything works so far.
But recently we're starting to introduce user activation after registration. This means that the "enabled" field is false before the user activates his account.
So for a user that hasn't been activated yet, when I make a POST request to authenticate him using /oauth/token, I get an HTTP Status 400 with a response body of:
"error_description": "User is disabled"
The problem is, even for a user for whom I typed in the wrong password, the response is an HTTP Status 400 with a response body of:
"error_description": "Bad credentials"
As you can see, both have HTTP Status 400 (Bad Request) and an "error" of "invalid_grant". So really the only way for me to differentiate between these two cases is through the "error_description". But I don't want to do that because according to RFC 6749 (The OAuth 2.0 Authorization Framework), that is an
OPTIONAL, Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred.
which is not meant to be reliable for discerning the type of error we have (inactive user vs. bad credentials). Is there a better way to solve my problem?
Or, if I may be so bold as to ask, how would one override the default behavior of /oauth/token? I can't seem to find any documentation on how to do that.