authorJonathan Huot <JonathanHuot@users.noreply.github.com>2018-09-20 15:54:43 +0200
committerGitHub <noreply@github.com>2018-09-20 15:54:43 +0200
commit7fb3bd4eb20959b4c7e4615974b0f87456d05939 (patch)
treeddec45dcebbf41f8ba8c12755c1ece85c2bca263
parent7ed3c53f8d04634ee8f470a4d621cd26505e977e (diff)
parent5873be567db7447ac7992357b6fd61c5dc5b4bf1 (diff)
downloadoauthlib-7fb3bd4eb20959b4c7e4615974b0f87456d05939.tar.gz
Merge pull request #561 from freeduerinckx/invalid-grant-should-respond-with-400
`invalid_grant` status code should be 400
-rw-r--r--oauthlib/oauth2/rfc6749/errors.py4
-rw-r--r--tests/oauth2/rfc6749/grant_types/test_refresh_token.py2
2 files changed, 4 insertions, 2 deletions
diff --git a/oauthlib/oauth2/rfc6749/errors.py b/oauthlib/oauth2/rfc6749/errors.py
index d17e08e..8c8bda3 100644
--- a/oauthlib/oauth2/rfc6749/errors.py
+++ b/oauthlib/oauth2/rfc6749/errors.py
@@ -246,9 +246,11 @@ class InvalidGrantError(OAuth2Error):
owner credentials) or refresh token is invalid, expired, revoked, does
not match the redirection URI used in the authorization request, or was
issued to another client.
+
+ https://tools.ietf.org/html/rfc6749#section-5.2
"""
error = 'invalid_grant'
- status_code = 401
+ status_code = 400
class UnauthorizedClientError(OAuth2Error):
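Review bot: The new `status_code = 400` has no comment explaining why it is not a 401, so a later reader could plausibly change it back; the added docstring link points at section 5.2 but does not state the rule. I would add a line above the attribute such as `# RFC 6749 section 5.2: invalid_grant is answered with 400; 401 is permitted only for invalid_client`. Clients that treated a 401 from the token endpoint as the signal for an expired or revoked grant will now see a 400, so the change is worth calling out in the release notes. The class body starts outside the hunk.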
diff --git a/tests/oauth2/rfc6749/grant_types/test_refresh_token.py b/tests/oauth2/rfc6749/grant_types/test_refresh_token.py
index 21540a2..f055c7d 100644
--- a/tests/oauth2/rfc6749/grant_types/test_refresh_token.py
+++ b/tests/oauth2/rfc6749/grant_types/test_refresh_token.py
@@ -109,7 +109,7 @@ class RefreshTokenGrantTest(TestCase):
token = json.loads(body)
self.assertEqual(self.mock_validator.save_token.call_count, 0)
self.assertEqual(token['error'], 'invalid_grant')
- self.assertEqual(status_code, 401)
+ self.assertEqual(status_code, 400)
def test_invalid_client(self):
self.mock_validator.authenticate_client.return_value = False
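Review bot: Only the refresh-token path asserts the new status here. Since the diffstat shows no other test file changed, it looks as though no test pinned the old 401 for the other flows that raise `InvalidGrantError`. If that is right, the authorization-code and resource-owner-password grant tests would benefit from the same `self.assertEqual(status_code, 400)` check on their invalid-grant cases, so the status is pinned wherever the shared error class is used. The test method this assertion belongs to starts above the hunk.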