Laravel 6 Passport returns 400 Bad Request on wrong credentials


Finally I found the problem: it goes back to league/oauth2-server, which is used by Laravel Passport.

They changed the response from 401 to 400 in version 8.

PR link

I changed my code in the login section to this.

switch ($e->getCode()) {
    case 400: // invalid_grant: wrong username/password (league/oauth2-server 8)
    case 401: // invalid_client, or invalid_grant on older versions of the library
        return response()->json('Your credentials are incorrect. Please try again', $e->getCode());
    default:
        return response()->json('Something went wrong on the server', $e->getCode());
}

Author: Mojtaba Sayari


Updated on June 15, 2022
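The answer above maps the library's 400/401 to one message. As an added example (not the answer's code, and not Passport's own), here is a complete login endpoint for the same setup: it builds the password-grant request server-side so the SPA never handles client_secret, treats missing fields (422) separately from rejected credentials, and returns one fixed 401 body for both invalid_grant and invalid_client while logging the upstream error type for the defenders rather than the caller. The controller name, the route, and the services.passport.* config keys are assumptions.

```php
<?php
// Added example, not from the thread: a login endpoint that forwards
// credentials to Passport's password grant via an internal request and
// normalises the error response. Class name and config keys are assumptions.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

class PasswordGrantLoginController extends Controller
{
    // invalid_grant (400, league/oauth2-server >= 8) and invalid_client (401)
    // collapse to one message so the caller cannot tell which part failed.
    private const GENERIC_MESSAGE = 'Your credentials are incorrect. Please try again';

    public function login(Request $request): JsonResponse
    {
        // Missing/malformed fields are a 422 with field errors, a different
        // case from "credentials rejected" below.
        $request->validate([
            'email'    => 'required|email',
            'password' => 'required|string',
        ]);

        // Build the token request on the server; client_secret stays server-side.
        $tokenRequest = Request::create('/oauth/token', 'POST', [
            'grant_type'    => 'password',
            'client_id'     => config('services.passport.password_client_id'),     // assumed key
            'client_secret' => config('services.passport.password_client_secret'), // assumed key
            'username'      => $request->input('email'),
            'password'      => $request->input('password'),
            'scope'         => '',
        ]);

        $response = app()->handle($tokenRequest);
        $status   = $response->getStatusCode();
        $body     = json_decode($response->getContent(), true) ?: [];

        if ($status === 200) {
            // Pass through only the fields the SPA needs.
            return response()->json([
                'access_token'  => $body['access_token'] ?? null,
                'refresh_token' => $body['refresh_token'] ?? null,
                'expires_in'    => $body['expires_in'] ?? null,
            ]);
        }

        return $this->failedLogin($status, $body, $request);
    }

    private function failedLogin(int $status, array $body, Request $request): JsonResponse
    {
        $errorType = $body['error'] ?? 'unknown';

        switch ($status) {
            case 400: // invalid_grant: wrong username/password (oauth2-server >= 8)
            case 401: // invalid_client: bad client_id/client_secret, or old-style invalid_grant
                // The upstream detail goes to the log (useful for spotting
                // credential stuffing), never into the response body.
                Log::info('password grant rejected', [
                    'error' => $errorType,
                    'email' => $request->input('email'),
                    'ip'    => $request->ip(),
                ]);
                // Always 401 towards the client, whatever the library used internally.
                return response()->json(['message' => self::GENERIC_MESSAGE], 401);

            default:
                Log::error('password grant failed unexpectedly', [
                    'status' => $status,
                    'error'  => $errorType,
                ]);
                return response()->json(['message' => 'Something went wrong on the server'], 500);
        }
    }
}
```

Register the route behind Passport's throttle middleware as usual (for example `Route::post('/login', 'Auth\PasswordGrantLoginController@login')->middleware('throttle:10,1');`), so the generic message is not the only thing slowing down a password-guessing client.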

Comments

  • Mojtaba Sayari (almost 2 years)

    I use the Laravel 6 Passport password grant for my Vue backend.

    When I send the right credentials to oauth/token it works and returns a token, but when I send wrong ones (email/password) it returns 400 instead of 401 with this message.

        {
            "error": "invalid_grant",
            "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
            "hint": "",
            "message": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
        }


    I checked client_id and client_secret.

    I tested with a newly installed Laravel + Passport without a single line of code; Laravel 5.8 returns 401 without any problem but Laravel 6 returns 400 Bad Request.

    Do you have any idea?

  • Mojtaba Sayari (over 4 years)
    I switched in my own code ("we usually don't change vendor files..."), but if you want to know where the change was: vendor/league/oauth2-server/src/Grant/PasswordGrant.php line 107, throw OAuthServerException::invalidGrant(); changed to throw OAuthServerException::invalidCredentials(); @azurecorn
  • Luciano (about 4 years)
    I'm facing the same issue. Do you know if this is a known issue or a new way to throw exceptions? Your solution actually does not represent the real response, since you won't be able to show "Hey! Complete login data!" or "Hey! Your data is wrong!"
  • Mojtaba Sayari (about 4 years)
    Seems it's a new way, and it should be 400 according to this document: https://tools.ietf.org/html/rfc6749#section-5.2. If you want to separate wrong credentials from other errors, you can create the token manually by validating username and password, then $user->createToken('tokenName')->accessToken @Luciano
  • Luciano (about 4 years)
    That's correct @Mojtaba Sayari, confirmed by the creators in github.com/thephpleague/oauth2-server/issues/1093. Thanks for your possible solution BTW
  • Caio Kawasaki (about 4 years)
    I suggest you use abort instead of response: abort($response->status(), 'Your credentials are incorrect. Please try again')
  • Natan Augusto (almost 4 years)
    Rectify: use Laravel\Passport\Exceptions\OAuthServerException
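One of the comments suggests skipping the password grant entirely and issuing the token yourself after checking the credentials in application code. As an added example (not posted by anyone in the thread, and not Passport's own code), this controller does that: field validation failures come back as 422, a non-existent account and a wrong password both produce the same 401 after roughly the same amount of hashing work, and the token is issued with $user->createToken() from Passport's HasApiTokens trait. The controller name and the token name are assumptions; App\User is Laravel 6's default user model and needs a personal access client (php artisan passport:install creates one).

```php
<?php
// Added example, not from the thread: validate credentials in application
// code, then issue a Passport personal access token. Controller and token
// names are assumptions.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;

class ManualTokenLoginController extends Controller
{
    public function login(Request $request): JsonResponse
    {
        // Incomplete input is a 422 with per-field errors ("complete your
        // login data"), distinct from rejected credentials ("your data is wrong").
        $data = $request->validate([
            'email'    => 'required|email',
            'password' => 'required|string',
        ]);

        $user = User::where('email', $data['email'])->first();

        if ($user === null) {
            // Burn a bcrypt computation even when the account does not exist,
            // so the unknown-account and wrong-password paths take about the
            // same time and return the same response. Result is discarded.
            Hash::make($data['password']);
            $valid = false;
        } else {
            $valid = Hash::check($data['password'], $user->password);
        }

        if (! $valid) {
            // Enough context for spotting brute force; never the password itself.
            Log::info('login rejected', [
                'email' => $data['email'],
                'ip'    => $request->ip(),
            ]);
            return response()->json(
                ['message' => 'Your credentials are incorrect. Please try again'],
                401
            );
        }

        // Personal access token via Passport's HasApiTokens trait on the User model.
        $token = $user->createToken('spa-login')->accessToken;

        return response()->json([
            'access_token' => $token,
            'token_type'   => 'Bearer',
        ]);
    }
}
```

Because this bypasses oauth/token, the route does not inherit Passport's throttle middleware; attach `throttle` to it yourself when you register it.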