SetError causes 400 Bad Request

Mar 20, 2014 at 10:55 AM
I'm implementing individual account authentication in Web API, and in GrantResourceOwnerCredentials I have:
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    using (var userManager = this.userManagerFactory())
    {
        var user = await userManager.FindAsync(context.UserName, context.Password);

        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // rest of the method omitted in the post
    }
}
This is fairly standard code, but causes a response code of 400 to be returned, rather than a more appropriate 401.

It isn't immediately obvious where in the pipeline this response code can be changed, as it seems to be set to 400 based on the HasError flag set from the SetError method.

How can this response code be changed to 401?
Oct 6, 2014 at 1:18 PM
Any update on this?
Oct 8, 2014 at 10:13 AM
Actually, error code 400 is the appropriate one to use in this scenario: https://tools.ietf.org/html/rfc6749#page-45.

That being said, the error code is hardcoded in the OAuthAuthorizationServerHandler class. Changing that will require you to write your own middleware and handler. Since the OAuthAuthorizationServerHandler is internal, you cannot inherit from that. My suggestion would be to accept the 400 error code, as it is per RFC anyway.
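As an added illustration of the point above (not code from the thread or from the Katana project), this is how a client is expected to consume the RFC 6749 section 5.2 error response that the token endpoint returns: the 400 status only says "the grant was rejected", and the JSON body's `error` member carries the actual reason. It assumes .NET 6 or later with System.Text.Json; `TokenErrorResponse`, `TokenFailure` and `Classify` are hypothetical names chosen for the example.

```csharp
using System;
using System.Net;
using System.Text.Json;

// Hypothetical outcome type for this example; not part of Katana.
public enum TokenFailure { None, BadCredentials, BadClientAuth, MalformedRequest, Unknown }

public static class TokenErrorResponse
{
    // Maps an RFC 6749 section 5.2 error response to a client-side outcome.
    // A rejected password grant arrives as HTTP 400 with a body such as
    // {"error":"invalid_grant", ...}, so the body, not the status code, is
    // what distinguishes "bad credentials" from "malformed request".
    public static TokenFailure Classify(HttpStatusCode status, string body)
    {
        if (status == HttpStatusCode.OK) return TokenFailure.None;

        string error = "";
        try
        {
            using var doc = JsonDocument.Parse(body);
            if (doc.RootElement.TryGetProperty("error", out var e) && e.ValueKind == JsonValueKind.String)
                error = e.GetString() ?? "";
        }
        catch (JsonException) { /* no parsable body: fall through to Unknown */ }

        switch (error)
        {
            case "invalid_grant":           // what SetError("invalid_grant", ...) produces
                return TokenFailure.BadCredentials;
            case "invalid_client":          // client_id/secret problem; RFC allows 401 here
                return TokenFailure.BadClientAuth;
            case "invalid_request":
            case "unsupported_grant_type":
            case "invalid_scope":
                return TokenFailure.MalformedRequest;
            default:
                return TokenFailure.Unknown;
        }
    }

    public static void Main()
    {
        // Constructed sample body, modelled on the SetError call in the question.
        const string sample =
            "{\"error\":\"invalid_grant\",\"error_description\":\"The user name or password is incorrect.\"}";
        Console.WriteLine(Classify(HttpStatusCode.BadRequest, sample));
    }
}
```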