For password grant type flow the account lock message is not shown when there is an attempt to get a token with a valid password for locked out user

Attempt to get a token for Password grant returns same response for invalid password as well as Valid password for locked out account .
Token end point does not reveal the actual cause of error for a locked out user with a valid password.

Yes, the similar response for both invalid password and locked-out account scenarios is the expected behavior. Okta intentionally provides a generic error message in these cases.

The primary reason for not distinguishing between these scenarios is to prevent potential security vulnerabilities. By providing the same response, Okta prevents malicious actors from determining whether a specific username exists or if an account is locked

Alternative:
Authentication API: Authentication | Okta Developer
The Okta Authentication API provides more detailed information about authentication attempts. It can distinguish between invalid credentials and locked accounts.

1 Like