Attempt to get a token for the password grant returns the same response for an invalid password as well as a valid password for a locked-out account.
The token endpoint does not reveal the actual cause of the error for a locked-out user with a valid password.
Yes, the similar response for both the invalid-password and locked-out-account scenarios is the expected behavior. Okta intentionally provides a generic error message in these cases.
The primary reason for not distinguishing between these scenarios is to prevent potential security vulnerabilities. By providing the same response, Okta prevents malicious actors from determining whether a specific username exists or if an account is locked.
Alternative:
Authentication API: Authentication | Okta Developer
The Okta Authentication API provides more detailed information about authentication attempts. It can distinguish between invalid credentials and locked accounts.
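As an added illustration of the design the answer describes (this is constructed example code, not Okta's implementation or the poster's), the handler below returns the RFC 6749 `invalid_grant` error for a wrong password, an unknown user and a locked account alike, and a check confirms those failure responses are identical. The user names, passwords and error description text are constructed for the demo.

```python
"""Constructed demo: why a token endpoint returns one generic error.

Models a grant_type=password handler over an in-memory user store and
checks that the response cannot be used to tell an invalid password
from a locked account or an unknown user.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# RFC 6749 section 5.2 error for bad resource-owner credentials.
GENERIC_ERROR = {"error": "invalid_grant",
                 "error_description": "The credentials provided were invalid."}

@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    locked: bool = False

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed in-memory store; "carol" is locked out.
_SALT = secrets.token_bytes(16)
USERS = {
    "alice": User(_SALT, _hash("correct-horse", _SALT)),
    "carol": User(_SALT, _hash("battery-staple", _SALT), locked=True),
}

def password_grant(username: str, password: str) -> tuple[int, dict]:
    """Handle grant_type=password. Returns (http_status, json_body)."""
    user = USERS.get(username)
    # Always do the hash work so timing does not reveal unknown users.
    candidate = _hash(password, user.salt if user else _SALT)
    ok = user is not None and hmac.compare_digest(candidate, user.pw_hash)
    if not ok or user.locked:
        # Unknown user, wrong password and locked account all collapse
        # into the same status and body: nothing to enumerate.
        return 400, dict(GENERIC_ERROR)
    return 200, {"access_token": secrets.token_urlsafe(32),
                 "token_type": "Bearer", "expires_in": 3600}

def responses_are_indistinguishable(*cases: tuple[str, str]) -> bool:
    """Defensive check: every failing case yields the identical response."""
    seen = {(s, json.dumps(b, sort_keys=True)) for s, b in map(lambda c: password_grant(*c), cases)}
    return len(seen) == 1
```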