ProtocolException at AuthenticateWithPasswordAsync

[tlencse]

Confirm you've already contributed to this project or that you sponsor it

• I confirm I'm a sponsor or a contributor

Version

6.4.0

Question

Hi Kevin,

I am in a project and I use OpenIddict password authentication scheme in it. It calls OpenIddict.Client.OpenIddictClientService.AuthenticateWithPasswordAsync(PasswordAuthenticationRequest request). When I provide the right password, everything is fine, I get the tokens. But when I provide a wrong password (or anything else is wrong), I get a ProtocolException with ID2162.

I tried to run the openiddict-samples-dev\samples\Imynusoph\Imynusoph, which produced the same symptoms. Works fine with the right password, and gives a ProtocolException. However it is a little bit different, the ID this time is ID2147.

This is the config of the openiddict client:

var services = new ServiceCollection();

// Register the OpenIddict client services.
services.AddOpenIddict()

// Register the OpenIddict client components.
.AddClient(options =>
{
	// Allow grant_type=password and grant_type=refresh_token to be negotiated.
	options.AllowPasswordFlow()
			.AllowRefreshTokenFlow();

	// Disable token storage, which is not necessary for non-interactive flows like
	// grant_type=password, grant_type=client_credentials or grant_type=refresh_token.
	options.DisableTokenStorage();

	// Register the System.Net.Http integration and use the identity of the current
	// assembly as a more specific user agent, which can be useful when dealing with
	// providers that use the user agent as a way to throttle requests (e.g Reddit).
	options.UseSystemNetHttp()
		   .SetProductInformation(Assembly.GetEntryAssembly()!);

	// Add a client registration without a client identifier/secret attached.
	//TODO: Issuer uri should come from configuration
	options.AddRegistration(new OpenIddictClientRegistration
	{
		Issuer = new Uri(config.GetValue<string>("ServerEndPoints:AuthServer") ?? 
		throw new ConfigurationErrorsException("AuthServer endpoint is not defined in appsettings.json")
		, UriKind.Absolute)
	});


	var environment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
	Console.WriteLine("Environment: {0}", environment);

});

The server side is basically the same as the example. This code runs when the authentication is not successful:

...
else //provider auth was not successful
{
	if (user is null) // not found in the db
	{
		//no luck, we return an error
		var properties = new AuthenticationProperties(new Dictionary<string, string?>
		{
			[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
			[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "A felhasználónév vagy jelszó helytelen."
		});
		return Results.Forbid(properties);
	}
}

Can you help me how to start debugging this?

Thanks a lot,
Tamás

[kevinchalet]

Hey @tlencse,

I tried to run the openiddict-samples-dev\samples\Imynusoph\Imynusoph, which produced the same symptoms. Works fine with the right password, and gives a ProtocolException. However it is a little bit different, the ID this time is ID2147.

This is indeed the ID you should be getting (with ProtocolException.Error being invalid_grant) 👍🏻

When I provide the right password, everything is fine, I get the tokens. But when I provide a wrong password (or anything else is wrong), I get a ProtocolException with ID2162.

That resource ID is used as a last resort message when the returned HTTP status code doesn't indicate an error and the OpenIddict client was unable to extract a proper OIDC response from the HTTP response.

Can you please share your ASP.NET Core logs? Make sure to lower the default log level to Trace to capture all the details 😃

Cheers.

[tlencse]

Hi, thanks for the quick reply!

I am sending you all the code I can. Here is the code for registering the openiddict services:

		// Register the Identity services.
		services.AddIdentity<ApplicationUser, IdentityRole>()
			.AddEntityFrameworkStores<ApplicationDbContext>()
			.AddDefaultTokenProviders();

		services.AddOpenIddict()

			// Register the OpenIddict core components.
			.AddCore(options =>
			{
				// Configure OpenIddict to use the Entity Framework Core stores and models.
				// Note: call ReplaceDefaultEntities() to replace the default OpenIddict entities.
				options.UseEntityFrameworkCore(
					config =>
					{
						config.DisableBulkOperations();
						config.UseDbContext<ApplicationDbContext>();
					});
					   				

				// Enable Quartz.NET integration.
				options.UseQuartz();
			})

			// Register the OpenIddict server components.
			.AddServer(options =>
			{
				// Enable the token endpoint.
				options.SetAuthorizationEndpointUris("connect/authorize")
					   .SetEndSessionEndpointUris("connect/logout")
					   .SetIntrospectionEndpointUris("connect/introspect")
					   .SetTokenEndpointUris("connect/token")
					   .SetUserInfoEndpointUris("connect/userinfo")
					   .SetEndUserVerificationEndpointUris("connect/verify")
					   ;
				
				options.DisableAccessTokenEncryption();

				// Enable the password flow.
				options.AllowPasswordFlow()
						.AllowRefreshTokenFlow();

				// Accept anonymous clients (i.e clients that don't send a client_id).
				options.AcceptAnonymousClients();

				Console.WriteLine("Adding certificates from file..");

				var authOptions = Configuration.GetSection(AuthenticatorOptions.AuthenticatorSettings).Get<AuthenticatorOptions>();

				if (authOptions == null)
				{
					throw new ConfigurationErrorsException("AuthenticatorOptions is not defined in appsettings.json");
				}

				using var stream = new FileStream(
					authOptions.EncryptionCertFileName ?? throw new ConfigurationErrorsException("EncryptionCertFileName is not defined in appsettings.json"),
					FileMode.Open, FileAccess.Read);
				options.AddEncryptionCertificate(stream: stream, password: authOptions.EncryptionCertPassword);

				using var stream2 = new FileStream(
					authOptions.SigningCertFileName ?? throw new ConfigurationErrorsException("SigningCertFileName is not defined in appsettings.json"),
					FileMode.Open, FileAccess.Read);
				options.AddSigningCertificate(stream: stream2, password: authOptions.SigningCertPassword);



				var environment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
				Console.WriteLine("Environment: {0}", environment);


				// Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
				options.UseAspNetCore()
					   .EnableTokenEndpointPassthrough();
			});

Here is the the code that runs when the user is found in the DB, but could not be authenticated by AD:

//it is a db-only user, or a bad password was sent to the provider. We have to check the password in the db
var isDbOnlyUser = await _userManager.CheckPasswordAsync(user, request.Password ?? "");

if (isDbOnlyUser)
{
	finalUserRoles = await _userManager.GetRolesAsync(user);
}
else
{
	//no luck, we return an error
	_logger.LogError("Authentication failed, returning Forbid with a \"bad loginname or password\" message, but it is actually the password");
	var properties = new AuthenticationProperties(new Dictionary<string, string?>
	{
		[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
		[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "A felhasználónév vagy jelszó helytelen."
	});
	return Results.Forbid(properties);
}

And here is the log after an unsuccessful login attempt:

2025-08-12T11:21:27.4803110+02:00	INFO	[Microsoft.EntityFrameworkCore.Database.Command]	[Microsoft.EntityFrameworkCore.Database.Command.CommandExecuted]	Executed DbCommand (38ms) [Parameters=[], CommandType='Text', CommandTimeout='30']
SELECT 1
2025-08-12T11:21:27.5320717+02:00	INFO	[Microsoft.EntityFrameworkCore.Database.Command]	[Microsoft.EntityFrameworkCore.Database.Command.CommandExecuted]	Executed DbCommand (32ms) [Parameters=[], CommandType='Text', CommandTimeout='30']

IF EXISTS
    (SELECT *
     FROM [sys].[objects] o
     WHERE [o].[type] = 'U'
     AND [o].[is_ms_shipped] = 0
     AND NOT EXISTS (SELECT *
         FROM [sys].[extended_properties] AS [ep]
         WHERE [ep].[major_id] = [o].[object_id]
             AND [ep].[minor_id] = 0
             AND [ep].[class] = 1
             AND [ep].[name] = N'microsoft_database_tools_support'
    )
)
SELECT 1 ELSE SELECT 0
2025-08-12T11:21:27.8607992+02:00	INFO	[Microsoft.EntityFrameworkCore.Database.Command]	[Microsoft.EntityFrameworkCore.Database.Command.CommandExecuted]	Executed DbCommand (42ms) [Parameters=[@__identifier_0='?' (Size = 100)], CommandType='Text', CommandTimeout='30']
SELECT TOP(1) [o].[Id], [o].[ApplicationType], [o].[ClientId], [o].[ClientSecret], [o].[ClientType], [o].[ConcurrencyToken], [o].[ConsentType], [o].[DisplayName], [o].[DisplayNames], [o].[JsonWebKeySet], [o].[Permissions], [o].[PostLogoutRedirectUris], [o].[Properties], [o].[RedirectUris], [o].[Requirements], [o].[Settings]
FROM [OpenIddictApplications] AS [o]
WHERE [o].[ClientId] = @__identifier_0
2025-08-12T11:21:27.9695278+02:00	INFO	[Microsoft.EntityFrameworkCore.Database.Command]	[Microsoft.EntityFrameworkCore.Database.Command.CommandExecuted]	Executed DbCommand (18ms) [Parameters=[@__name_0='?' (Size = 200)], CommandType='Text', CommandTimeout='30']
SELECT TOP(1) [o].[Id], [o].[ConcurrencyToken], [o].[Description], [o].[Descriptions], [o].[DisplayName], [o].[DisplayNames], [o].[Name], [o].[Properties], [o].[Resources]
FROM [OpenIddictScopes] AS [o]
WHERE [o].[Name] = @__name_0
2025-08-12T11:21:28.2664510+02:00	INFO	[Microsoft.Hosting.Lifetime]	[ListeningOnAddress]	Now listening on: https://localhost:58474
2025-08-12T11:21:28.2681216+02:00	INFO	[Microsoft.Hosting.Lifetime]	[ListeningOnAddress]	Now listening on: http://localhost:58475
2025-08-12T11:21:28.3462826+02:00	INFO	[Microsoft.Hosting.Lifetime]	[0]	Application started. Press Ctrl+C to shut down.
2025-08-12T11:21:28.3482602+02:00	INFO	[Microsoft.Hosting.Lifetime]	[0]	Hosting environment: Development
2025-08-12T11:21:28.3499623+02:00	INFO	[Microsoft.Hosting.Lifetime]	[0]	Content root path: C:\Users\tlencse\source\repos\ASRS\WCS.AuthService
2025-08-12T11:21:49.3733477+02:00	INFO	[OpenIddict.Server.OpenIddictServerDispatcher]	[0]	The request URI matched a server endpoint: Configuration.
2025-08-12T11:21:49.3970860+02:00	INFO	[OpenIddict.Server.OpenIddictServerDispatcher]	[0]	The configuration request was successfully extracted: {}.
2025-08-12T11:21:49.4039914+02:00	INFO	[OpenIddict.Server.OpenIddictServerDispatcher]	[0]	The configuration request was successfully validated.
2025-08-12T11:21:49.4296067+02:00	INFO	[OpenIddict.Server.OpenIddictServerDispatcher]	[0]	The response was successfully returned as a JSON document: {
  "issuer": "https://localhost:7003/",
  "authorization_endpoint": "https://localhost:7003/connect/authorize",
  "token_endpoint": "https://localhost:7003/connect/token",
  "introspection_endpoint": "https://localhost:7003/connect/introspect",
  "end_session_endpoint": "https://localhost:7003/connect/logout",
  "userinfo_endpoint": "https://localhost:7003/connect/userinfo",
  "jwks_uri": "https://localhost:7003/.well-known/jwks",
  "grant_types_supported": [
    "password",
    "refresh_token"
  ],
  "scopes_supported": [
    "openid",
    "offline_access"
  ],
  "claims_supported": [
    "aud",
    "exp",
    "iat",
    "iss",
    "sub"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "prompt_values_supported": [
    "consent",
    "login",
    "none",
    "select_account"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "client_secret_basic"
  ],
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "client_secret_basic"
  ],
  "require_pushed_authorization_requests": false,
  "claims_parameter_supported": false,
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "tls_client_certificate_bound_access_tokens": false,
  "authorization_response_iss_parameter_supported": true
}.
2025-08-12T11:21:49.5436833+02:00	INFO	[OpenIddict.Server.OpenIddictServerDispatcher]	[0]	The request URI matched a server endpoint: JsonWebKeySet.
2025-08-12T11:21:49.5479568+02:00	INFO	[OpenIddict.Server.OpenIddictServerDispatcher]	[0]	The JSON Web Key Set request was successfully extracted: {}.
2025-08-12T11:21:49.5518583+02:00	INFO	[OpenIddict.Server.OpenIddictServerDispatcher]	[0]	The JSON Web Key Set request was successfully validated.
2025-08-12T11:21:49.5745133+02:00	INFO	[OpenIddict.Server.OpenIddictServerDispatcher]	[0]	The response was successfully returned as a JSON document: {
  "keys": [
    {
      "kid": "F66A75CDB456F97E098502EE8C7D9A9BD677714F",
      "use": "sig",
      "kty": "RSA",
      "alg": "RS256",
      "e": "AQAB",
      "n": "u-3QHeSvI7eGt9D5VW-Zn1lX0TE-DPIntHmf3rWHSMTq62jz7YOM6zYmMsDW-0fVrqOP3DPpFcd3sIE0iGscyHsKLTrB8Z2k-DM_bMkjKmFDgcYVwMP6L6ZJWKwybZisjZtWiosXCzADc_IgIPi4Ekl2fEGK6GG_75qkkm2YJa4pSwC3CX-ncSpozdkeOw2OETAzMekDkoPeHLxf5HHBL9Az5CBguUcUgJ50FXx-0_QhTpVBmwYdVToP3f32ow5KBJJRE1k9hK9KqHe8GxxUY-cDc5HiUIZnzvh_aChvqgc3iv0cdWZO7j6dJuwlpjxZm7EycUfm3IUmAszZStKV3Q",
      "x5t": "9mp1zbRW-X4JhQLujH2am9Z3cU8",
      "x5c": [
        "MIIDGzCCAgOgAwIBAgIIbVOZnd7FHm8wDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoQVNSUyBXQ1MgQXV0aCBTZXJ2ZXIgU2lnbmluZyBDZXJ0aWZpY2F0ZTAgFw0yNTA2MjMyMTQ5MDVaGA8yMjI1MDYyMzIxNDkwNVowMzExMC8GA1UEAxMoQVNSUyBXQ1MgQXV0aCBTZXJ2ZXIgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALvt0B3kryO3hrfQ+VVvmZ9ZV9ExPgzyJ7R5n961h0jE6uto8+2DjOs2JjLA1vtH1a6jj9wz6RXHd7CBNIhrHMh7Ci06wfGdpPgzP2zJIyphQ4HGFcDD+i+mSVisMm2YrI2bVoqLFwswA3PyICD4uBJJdnxBiuhhv++apJJtmCWuKUsAtwl/p3EqaM3ZHjsNjhEwMzHpA5KD3hy8X+RxwS/QM+QgYLlHFICedBV8ftP0IU6VQZsGHVU6D9399qMOSgSSURNZPYSvSqh3vBscVGPnA3OR4lCGZ874f2gob6oHN4r9HHVmTu4+nSbsJaY8WZuxMnFH5tyFJgLM2UrSld0CAwEAAaMxMC8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBQcjkX2sRCJCMXrtUKtIbpqcmW6AzANBgkqhkiG9w0BAQsFAAOCAQEAeaxD6gwjQL16BFTvzd3p3R6/Gkws5NR2n0OyEylfZaQ1ttWh5ijf2OBuH9kRSL65pYViDQxhR4V8wlA1KUjYJOiPM0Fz2/WUA1T8FBcn4RyDATitsvJAdoyiOWdqLP7P+4/ERCttTRApV3G/moaL61dne6EzQFQVVX8amnxwjUFvx54TJoiKelKyE3qVVA27bd2baEn4t5JmF/XrzoMSHqFyOnsF2a29al1orlkLoldSKv8ynEYRwtJYR1+31lGRCuYXzu7QyVOxtewKmt1xyNevYGqew6Gx+VF0337pXcxPEutIBjC7tFIz4DAzFvcQHbOPPFCbby54/FAhMYiXpA=="
      ]
    }
  ]
}.
2025-08-12T11:21:49.6264932+02:00	INFO	[OpenIddict.Server.OpenIddictServerDispatcher]	[0]	The request URI matched a server endpoint: Token.
2025-08-12T11:21:49.6418396+02:00	INFO	[OpenIddict.Server.OpenIddictServerDispatcher]	[0]	The token request was successfully extracted: {
  "oploc_code": "33-WH",
  "grant_type": "password",
  "scope": "offline_access",
  "username": "tester",
  "password": "[redacted]"
}.
2025-08-12T11:21:49.6707662+02:00	INFO	[OpenIddict.Server.OpenIddictServerDispatcher]	[0]	The token request was successfully validated.
2025-08-12T11:21:49.7932755+02:00	INFO	[Microsoft.EntityFrameworkCore.Database.Command]	[Microsoft.EntityFrameworkCore.Database.Command.CommandExecuted]	Executed DbCommand (24ms) [Parameters=[@__normalizedUserName_0='?' (Size = 256)], CommandType='Text', CommandTimeout='30']
SELECT TOP(1) [a].[Id], [a].[AccessFailedCount], [a].[ConcurrencyStamp], [a].[DisplayName], [a].[Email], [a].[EmailConfirmed], [a].[LockoutEnabled], [a].[LockoutEnd], [a].[NormalizedEmail], [a].[NormalizedUserName], [a].[PasswordHash], [a].[PhoneNumber], [a].[PhoneNumberConfirmed], [a].[SecurityStamp], [a].[TwoFactorEnabled], [a].[UserName]
FROM [AspNetUsers] AS [a]
WHERE [a].[NormalizedUserName] = @__normalizedUserName_0
2025-08-12T11:21:52.1634558+02:00	INFO	[Microsoft.EntityFrameworkCore.Database.Command]	[Microsoft.EntityFrameworkCore.Database.Command.CommandExecuted]	Executed DbCommand (12ms) [Parameters=[], CommandType='Text', CommandTimeout='30']
SELECT [a].[Id]
FROM [AspNetRoles] AS [a]
2025-08-12T11:21:52.1845491+02:00	FAIL	[WCS.AuthService.Services.AuthorizationService]	[0]	Authentication failed, returning Forbid with a "bad loginname or password" message, but it is actually the password

[kevinchalet]

FYI, your logs unfortunately don't contain all the needed traces (the log level needs to be lowered to Trace to capture everything).

That said, I think I know why it's not working: you don't specify the authentication scheme when calling Results.Forbid(). Try that instead:

var properties = new AuthenticationProperties(new Dictionary<string, string?>
{
    [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
    [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "A felhasználónév vagy jelszó helytelen."
});

return Results.Forbid(properties, [OpenIddictServerAspNetCoreDefaults.AuthenticationScheme]);

Note: the OAuth 2.0 specification doesn't allow non-ASCII chars in errors/error descriptions. If you want to stay standard-compliant, I'd recommend returning English-localized error descriptions.

Cheers.

[tlencse]

Thanks for the tip! I added AuthenticationScheme to the Forbid call, and now the exception on the client is slightly different, not 500 anymore, but it is not the thing that I return either. This is the exception that comes from OpenIddict.Client:

{"An error occurred while authenticating the user.\r\n  Error: invalid_grant\r\n  Error description: The token request was rejected by the remote server.\r\n  Error URI: https://documentation.openiddict.com/errors/ID2147"}
    Data: {System.Collections.ListDictionaryInternal}
    Error: "invalid_grant"
    ErrorDescription: "The token request was rejected by the remote server."
    ErrorUri: "https://documentation.openiddict.com/errors/ID2147"
    HResult: -2146233088
    HelpLink: null
    InnerException: null
    Message: "An error occurred while authenticating the user.\r\n  Error: invalid_grant\r\n  Error description: The token request was rejected by the remote server.\r\n  Error URI: https://documentation.openiddict.com/errors/ID2147"
    Source: "OpenIddict.Client"
    StackTrace: "   at OpenIddict.Client.OpenIddictClientService.<AuthenticateWithPasswordAsync>d__15.MoveNext()\r\n   at OpenIddict.Client.OpenIddictClientService.<AuthenticateWithPasswordAsync>d__15.MoveNext()\r\n   at System.Threading.Tasks.ValueTask`1.get_Result()\r\n   at WCS.Client.Services.TokenService.<AuthenticateWithPasswordAsync>d__15.MoveNext() in C:\\Users\\tlencse\\source\\repos\\WCS\\WCS.Client.Services\\Services\\TokenService.cs:line 60\r\n   at WCS.Client.Services.AccessService.<LoginAsync>d__22.MoveNext() in C:\\Users\\tlencse\\source\\repos\\WCS\\WCS.Client.Services\\Services\\AccessService.cs:line 29\r\n   at WCS.Client.ViewModels.LoginViewModel.<LoginAsync>d__11.MoveNext() in C:\\Users\\tlencse\\source\\repos\\WCS\\WCS.Client\\ViewModels\\LoginViewModel.cs:line 95"
    TargetSite: {Void MoveNext()}

The trace logging was actually set, but I did not get more info in the logs. Maybe I scewed up sg. I tried again and this time I got slighty more info in the logs. A snippet from the appsettings.json:

	"Logging": {
		"Console": {
			"TimestampFormat": "[yyMMdd:HH:mm:ss.fff] "
		},
		"File": {
			"Path": "c:\\TEMP\\WCS.AuthService\\AuthSrv_{0:yyyy}-{0:MM}-{0:dd}.log",
			"Append": true,
			"FileSizeLimitBytes": 0, // use to activate rolling file behaviour
			"MaxRollingFiles": 0 // use to specify max number of log files
		},
		"LogLevel": {
			"Default": "Trace",
			"Microsoft.AspNetCore": "Trace"
		}
	},

Logs:

info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The request URI matched a server endpoint: Token.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The token request was successfully extracted: {
        "oploc_code": "33-WH",
        "grant_type": "password",
        "scope": "offline_access",
        "username": "tester",
        "password": "[redacted]"
      }.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The token request was successfully validated.
info: Microsoft.EntityFrameworkCore.Database.Command[20101]
      Executed DbCommand (14ms) [Parameters=[@__normalizedUserName_0='?' (Size = 256)], CommandType='Text', CommandTimeout='30']
      SELECT TOP(1) [a].[Id], [a].[AccessFailedCount], [a].[ConcurrencyStamp], [a].[DisplayName], [a].[Email], [a].[EmailConfirmed], [a].[LockoutEnabled], [a].[LockoutEnd], [a].[NormalizedEmail], [a].[NormalizedUserName], [a].[PasswordHash], [a].[PhoneNumber], [a].[PhoneNumberConfirmed], [a].[SecurityStamp], [a].[TwoFactorEnabled], [a].[UserName]
      FROM [AspNetUsers] AS [a]
      WHERE [a].[NormalizedUserName] = @__normalizedUserName_0
info: Microsoft.EntityFrameworkCore.Database.Command[20101]
      Executed DbCommand (15ms) [Parameters=[], CommandType='Text', CommandTimeout='30']
      SELECT [a].[Id]
      FROM [AspNetRoles] AS [a]
fail: Teva.ASRS.WCS.AuthService.Services.AuthorizationService[0]
      Authentication failed, returning Forbid with a "bad loginname or password" message, but it is actually the password
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The response was successfully returned as a JSON document: {
        "error": "invalid_grant",
        "error_description": "A felhaszn�l�n�v vagy jelsz� helytelen.",
        "error_uri": "https://documentation.openiddict.com/errors/ID2024"
      }.
info: OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandler[13]
      AuthenticationScheme: OpenIddict.Server.AspNetCore was forbidden.

Note: the OAuth 2.0 specification doesn't allow non-ASCII chars in errors/error descriptions. If you want to stay standard-compliant, I'd recommend returning English-localized error descriptions.

Yeah, I know it is far from elegant to do this from an API. However this is not a public API, and I have given up on collecting and making resource ids for all the error messages, so we opted for nationalizing the ones that will be read by the end user. I trusted that these messages would be converted to ascii when serialized to json. Again, thank you for helping with my problem!

[kevinchalet]

but it is not the thing that I return either.

It's the expected behavior: the OpenIddict client deliberately doesn't flow the error description from the server up to the caller of the Authenticate*Async() APIs (many servers return totally useless error descriptions that aren't actionable and I try hard not to reflect potentially unsafe descriptions that may contain user-set values server-side). It also only accepts a limited list of standard errors and uses server_error for unrecognized error codes:

openiddict-core/src/OpenIddict.Client/OpenIddictClientHandlers.Exchange.cs

Lines 92 to 143 in 4902658

	/// <summary>
	/// Contains the logic responsible for surfacing potential errors from the token response.
	/// </summary>
	public sealed class HandleErrorResponse : IOpenIddictClientHandler<HandleTokenResponseContext>
	{
	/// <summary>
	/// Gets the default descriptor definition assigned to this handler.
	/// </summary>
	public static OpenIddictClientHandlerDescriptor Descriptor { get; }
	= OpenIddictClientHandlerDescriptor.CreateBuilder<HandleTokenResponseContext>()
	.UseSingletonHandler<HandleErrorResponse>()
	.SetOrder(ValidateWellKnownParameters.Descriptor.Order + 1_000)
	.SetType(OpenIddictClientHandlerType.BuiltIn)
	.Build();
	/// <inheritdoc/>
	public ValueTask HandleAsync(HandleTokenResponseContext context)
	{
	if (context is null)
	{
	throw new ArgumentNullException(nameof(context));
	}
	// For more information, see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2.
	if (!string.IsNullOrEmpty(context.Response.Error))
	{
	context.Logger.LogInformation(6206, SR.GetResourceString(SR.ID6206), context.Response);
	context.Reject(
	error: context.Response.Error switch
	{
	Errors.AccessDenied => Errors.AccessDenied,
	Errors.AuthorizationPending => Errors.AuthorizationPending,
	Errors.ExpiredToken => Errors.ExpiredToken,
	Errors.InvalidClient => Errors.InvalidClient,
	Errors.InvalidGrant => Errors.InvalidGrant,
	Errors.InvalidScope => Errors.InvalidScope,
	Errors.InvalidRequest => Errors.InvalidRequest,
	Errors.SlowDown => Errors.SlowDown,
	Errors.UnauthorizedClient => Errors.UnauthorizedClient,
	Errors.UnsupportedGrantType => Errors.UnsupportedGrantType,
	_ => Errors.ServerError
	},
	description: SR.GetResourceString(SR.ID2147),
	uri: SR.FormatID8000(SR.ID2147));
	return default;
	}
	return default;
	}
	}

That said, I'd strongly discourage you from directly returning the error details to the user.
Instead, consider doing something like that:

try
{
    var result = await service.AuthenticateWithPasswordAsync(new()
    {
        Username = email,
        Password = password,
        Scopes = [Scopes.OfflineAccess]
    });

    return (result.AccessToken, result.RefreshToken);
}

catch (ProtocolException exception) when (exception.Error is Errors.InvalidGrant)
{
    Console.WriteLine("A felhasználónév vagy jelszó helytelen.");
}

This way, you could return a standard-compliant/English error message and use a fully localized string client-side.

[tlencse]

I already do almost exacly what you suggeted, but there are many points of failure in the login process (it syncs the users groups and roles from AD), so I thought I would return something like a code to the user that could be read back to the support (me), so I have a better picture of why the user cannot log in. It is a bit more tricky to access and search the service logs. Anyway, thanks for the help, I will find out something to inform the admins about these problems.