From 2b4974b697ca937d37f407c429d792c467af7ec5 Mon Sep 17 00:00:00 2001 From: sephster Date: Tue, 13 Nov 2018 18:18:07 +0000 Subject: [PATCH 1/3] Change to use invalid_grant --- src/Grant/PasswordGrant.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/Grant/PasswordGrant.php b/src/Grant/PasswordGrant.php index 1d00998b..412ac117 100644 --- a/src/Grant/PasswordGrant.php +++ b/src/Grant/PasswordGrant.php @@ -81,11 +81,13 @@ class PasswordGrant extends AbstractGrant protected function validateUser(ServerRequestInterface $request, ClientEntityInterface $client) { $username = $this->getRequestParameter('username', $request); + if (is_null($username)) { throw OAuthServerException::invalidRequest('username'); } $password = $this->getRequestParameter('password', $request); + if (is_null($password)) { throw OAuthServerException::invalidRequest('password'); } @@ -96,10 +98,11 @@ class PasswordGrant extends AbstractGrant $this->getIdentifier(), $client ); + if ($user instanceof UserEntityInterface === false) { $this->getEmitter()->emit(new RequestEvent(RequestEvent::USER_AUTHENTICATION_FAILED, $request)); - throw OAuthServerException::invalidCredentials(); + throw OAuthServerException::invalidGrant(); } return $user; From 685dc6edea755e587675eae6bcfa43f8ec959d8f Mon Sep 17 00:00:00 2001 From: sephster Date: Tue, 13 Nov 2018 18:19:20 +0000 Subject: [PATCH 2/3] Update test --- tests/Grant/PasswordGrantTest.php | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/Grant/PasswordGrantTest.php b/tests/Grant/PasswordGrantTest.php index c90a83db..378fee6f 100644 --- a/tests/Grant/PasswordGrantTest.php +++ b/tests/Grant/PasswordGrantTest.php @@ -145,6 +145,7 @@ class PasswordGrantTest extends TestCase /** * @expectedException \League\OAuth2\Server\Exception\OAuthServerException + * @expectedExceptionCode 10 */ public function testRespondToRequestBadCredentials() { From a93696271625a33ab60940d192e2f13dd38b7c11 Mon Sep 17 00:00:00 2001 
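Review bot: The switch to `OAuthServerException::invalidGrant()` in the `$user instanceof UserEntityInterface === false` branch changes what clients see on the wire, but validateUser's own documentation is not updated in the hunk; add a `@throws OAuthServerException` line to the method docblock stating that an invalid_grant error (no longer invalid_credentials) is raised when the repository returns no UserEntityInterface, so integrators matching on the error type see the change at the method and not only in the changelog. The docblock and the start of the `getUserEntityByUserCredentials` call sit above the hunk, so the comment has to be placed outside the shown lines. Using invalid_grant here matches RFC 6749 §5.2, which lists invalid resource-owner credentials as a case for that error type. It is also worth recording in the same note that `RequestEvent::USER_AUTHENTICATION_FAILED` is still emitted before the throw, since that event is what listeners use for failed-login counting and throttling now that the client-facing error is the generic one.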
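Review bot: `@expectedExceptionCode 10` pins the test to an internal numeric code rather than to the behaviour the commit is about, so a reader cannot tell from testRespondToRequestBadCredentials that invalid_grant is the expected outcome. Prefer asserting the error type the client actually receives, e.g. catching the exception in the test body and checking `$this->assertSame('invalid_grant', $e->getErrorType());`, or at minimum keeping the numeric annotation but adding a short comment in the docblock naming it as the invalid_grant code. The test body is outside the hunk; the annotation-style expectations shown also have method equivalents (`expectException()` / `expectExceptionCode()`) that keep the expectation next to the call under test.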
From: sephster Date: Tue, 13 Nov 2018 18:27:03 +0000 Subject: [PATCH 3/3] Update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b8b6ecba..0cb7da30 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. - `issueAccessToken()` in the Abstract Grant no longer sets access token client, user ID or scopes. These values should already have been set when calling `getNewToken()` (PR #919) - No longer need to enable PKCE with `enableCodeExchangeProof` flag. Any client sending a code challenge will initiate PKCE checks. (PR #938) - Function `getClientEntity()` no longer performs client validation (PR #938) +- Password Grant now returns an invalid_grant error instead of invalid_credentials if a user cannot be validated (PR #967) ### Removed - `enableCodeExchangeProof` flag (PR #938)