From 96b76efc5c70cdccf97f1cb521d9fa594ddbae34 Mon Sep 17 00:00:00 2001
From: Marc Bennewitz
Date: Fri, 21 May 2021 15:23:22 +0200
Subject: [PATCH 1/2] Respond with helpful and spec complient error on invalid user credentials
---
 src/Exception/OAuthServerException.php | 2 +-
 src/Grant/PasswordGrant.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Exception/OAuthServerException.php b/src/Exception/OAuthServerException.php
index 64adebf14..a0be0a5dd 100644
--- a/src/Exception/OAuthServerException.php
+++ b/src/Exception/OAuthServerException.php
@@ -189,7 +189,7 @@ public static function invalidScope($scope, $redirectUri = null)
 */
 public static function invalidCredentials()
 {
- return new static('The user credentials were incorrect.', 6, 'invalid_credentials', 401);
+ return new static('The user credentials were incorrect.', 6, 'invalid_grant', 400);
 }
 
 /**
diff --git a/src/Grant/PasswordGrant.php b/src/Grant/PasswordGrant.php
index 4e12fa535..fd32d2688 100644
--- a/src/Grant/PasswordGrant.php
+++ b/src/Grant/PasswordGrant.php
@@ -106,7 +106,7 @@ protected function validateUser(ServerRequestInterface $request, ClientEntityInt
 if ($user instanceof UserEntityInterface === false) {
 $this->getEmitter()->emit(new RequestEvent(RequestEvent::USER_AUTHENTICATION_FAILED, $request));
 
- throw OAuthServerException::invalidGrant();
+ throw OAuthServerException::invalidCredentials();
 }
 
 return $user;
From 3e31fe97db50d411b68b094f9c12e38699ea4b2a Mon Sep 17 00:00:00 2001
From: Marc Bennewitz
Date: Mon, 31 May 2021 21:49:10 +0200
Subject: [PATCH 2/2] Update tests
---
 tests/Exception/OAuthServerExceptionTest.php | 7 +++++++
 tests/Grant/PasswordGrantTest.php | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/tests/Exception/OAuthServerExceptionTest.php b/tests/Exception/OAuthServerExceptionTest.php
index 7ece08032..38b86d433 100644
--- a/tests/Exception/OAuthServerExceptionTest.php
+++ b/tests/Exception/OAuthServerExceptionTest.php
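Review bot: With the `invalid_credentials` type and the 401 status gone, invalidCredentials() now produces the same `error` value as invalidGrant(), so the exception code 6 and the message are all that still separate a rejected resource-owner credential from any other invalid_grant; the docblock that closes at the ` */` context line above the method should state this, e.g. `Resource-owner credentials were rejected. Reported as invalid_grant / HTTP 400 as RFC 6749 section 5.2 requires; code 6 stays distinct from invalidGrant() for callers that need to tell the two apart.` Integrations that keyed on the earlier 401 status or on the non-standard `invalid_credentials` string will receive a different response after this patch, which deserves a changelog entry alongside the code change. Keeping the description free of any hint as to whether the user name or the password was wrong, as the unchanged message does, is the right choice from an account-enumeration standpoint.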
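Review bot: validateUser (named in the hunk header; its start and end lie outside the hunk) now throws with exception code 6 instead of 10 when the repository returns no UserEntityInterface, and nothing at the throw site records why a dedicated factory is used rather than the generic invalidGrant(); if the method carries a `@throws OAuthServerException` tag, extend it to `@throws OAuthServerException invalidCredentials() (code 6) when the user repository rejects the credentials` so the distinction is documented where it is made. The USER_AUTHENTICATION_FAILED event is still emitted on the line before the throw, so listeners on that event, which presumably drive any throttling or audit logging, see no change in behaviour.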
@@ -137,4 +137,11 @@ public function testCanGetRedirectionUri()
 $this->assertSame('https://example.com/error', $exceptionWithRedirect->getRedirectUri());
 }
+
+ public function testInvalidCredentialsIsInvalidGrant()
+ {
+ $exception = OAuthServerException::invalidCredentials();
+
+ $this->assertSame('invalid_grant', $exception->getErrorType());
+ }
 
 }
diff --git a/tests/Grant/PasswordGrantTest.php b/tests/Grant/PasswordGrantTest.php
index 0be3d4826..b53ab2357 100644
--- a/tests/Grant/PasswordGrantTest.php
+++ b/tests/Grant/PasswordGrantTest.php
@@ -211,7 +211,7 @@ public function testRespondToRequestBadCredentials()
 $responseType = new StubResponseType();
 
 $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
- $this->expectExceptionCode(10);
+ $this->expectExceptionCode(6);
 
 $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));
 }
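Review bot: testInvalidCredentialsIsInvalidGrant only checks getErrorType(), yet the production change in the first patch also moved the HTTP status from 401 to 400 and deliberately kept exception code 6, so a regression in either would still pass; add `$this->assertSame(400, $exception->getHttpStatusCode());` and `$this->assertSame(6, $exception->getCode());` beside the existing assertion. The same gap exists in testRespondToRequestBadCredentials in the second hunk, which pins only the exception code and not the status the client will actually receive.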