
How should I discern between inactive user and bad credentials in OAuth 2.0

paulito415 Published in 2017-11-29 10:16:22Z

We have a Grails 3.2.7 application and use the org.grails.plugins:spring-security-oauth2-provider:3.0.0-RC2 plugin in our application and everything works so far.

But recently we're starting to introduce user activation after registration. This means that the "enabled" field is false before the user activates his account.

So for a user that hasn't been activated yet, when I make a POST request to authenticate him using /oauth/token, I get an HTTP Status 400 with a response body of:

{
  "error": "invalid_grant",
  "error_description": "User is disabled"
}

The problem is, even for a user for whom I typed in the wrong password, he gets an HTTP Status 400 with a response body of:

{
  "error": "invalid_grant",
  "error_description": "Bad credentials"
}

As you can see, both have HTTP Status 400 (Bad Request) and an "error" of "invalid_grant". So really the only way for me to differentiate between these two cases is through the "error_description". But I don't want to do that because according to RFC 6749 (The OAuth 2.0 Authorization Framework), that is an

OPTIONAL, Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred.

which is not meant to be reliable for discerning the type of error we have (inactive user vs. bad credentials). Is there a better way to solve my problem?

Or if I may be so bold to ask, how would one override the default behavior of /oauth/token? I can't seem to find any documentation on how to do that.
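As an added illustration (not part of the original post and not code from the Grails plugin), the client-side handling below treats a token-endpoint error response the way RFC 6749 §5.2 defines it: the `error` member is a fixed set of codes and is the only thing the client branches on, while `error_description` is advisory text that is sanitized and kept for logs only. Both bodies shown above are embedded as constructed samples, and both classify identically, because the RFC defines no separate token-endpoint error for a disabled account. A server that keeps these two cases indistinguishable at /oauth/token also limits what an unauthenticated caller learns about account state from password guesses, which is worth weighing before changing the default behaviour.

```python
"""Client-side parsing of an OAuth 2.0 token-endpoint error (RFC 6749 §5.2).

Added example; not from the original post or the spring-security-oauth2-provider
plugin. Branches only on the `error` code and treats `error_description` as
human-readable, untrusted text.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Registered token-endpoint error codes (RFC 6749 §5.2) and the action a client
# can safely take on each. Wrong password, disabled user, expired code and
# revoked refresh token all surface as invalid_grant; the code does not say which.
TOKEN_ERROR_ACTIONS = {
    "invalid_request": "fix_request",
    "invalid_client": "fix_client_auth",
    "invalid_grant": "reauthenticate",
    "unauthorized_client": "fix_client_config",
    "unsupported_grant_type": "fix_request",
    "invalid_scope": "fix_request",
}


@dataclass(frozen=True)
class TokenError:
    code: str                    # value of the "error" member
    action: str                  # client action derived from the code alone
    description: Optional[str]   # sanitized error_description, for logs only


class MalformedErrorResponse(ValueError):
    """The response does not have the shape RFC 6749 §5.2 requires."""


def _sanitize_description(text: str) -> str:
    # RFC 6749 restricts error_description to printable ASCII without '"' or '\'.
    # Drop anything outside that set rather than logging server text verbatim.
    return "".join(ch for ch in text if 0x20 <= ord(ch) <= 0x7E and ch not in '"\\')


def parse_token_error(status: int, content_type: str, body: str) -> TokenError:
    """Classify a token-endpoint error response; raise if it is malformed."""
    if status not in (400, 401):
        raise MalformedErrorResponse(f"unexpected HTTP status {status}")
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise MalformedErrorResponse("error responses must be application/json")
    try:
        payload = json.loads(body)
    except ValueError as exc:
        raise MalformedErrorResponse("body is not valid JSON") from exc
    if not isinstance(payload, dict) or not isinstance(payload.get("error"), str):
        raise MalformedErrorResponse('"error" member is required')

    code = payload["error"]
    action = TOKEN_ERROR_ACTIONS.get(code, "unknown_error")
    raw_desc = payload.get("error_description")
    desc = _sanitize_description(raw_desc) if isinstance(raw_desc, str) else None
    return TokenError(code=code, action=action, description=desc)


# Constructed samples matching the two responses quoted in the question.
DISABLED_USER_BODY = '{"error": "invalid_grant", "error_description": "User is disabled"}'
BAD_CREDENTIALS_BODY = '{"error": "invalid_grant", "error_description": "Bad credentials"}'


def same_client_outcome(body_a: str, body_b: str) -> bool:
    """True when two error bodies lead the client to the same action."""
    a = parse_token_error(400, "application/json", body_a)
    b = parse_token_error(400, "application/json", body_b)
    return a.code == b.code and a.action == b.action


if __name__ == "__main__":
    for body in (DISABLED_USER_BODY, BAD_CREDENTIALS_BODY):
        err = parse_token_error(400, "application/json;charset=UTF-8", body)
        print(f"{err.code:14} -> {err.action:15} (log only: {err.description!r})")
    print("indistinguishable by code:", same_client_outcome(DISABLED_USER_BODY, BAD_CREDENTIALS_BODY))
```

The only place the two responses differ is the sanitized description, which this client writes to its log and never acts on; anything the user needs to be told about activation has to come from a flow other than a failed password grant.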
