I'm using Keycloak 3.4 with Active Directory (for user federation) to protect my API; the system is configured to use the Resource Owner Password Credentials flow. When a user's password is expired, I'm just getting an "Invalid user credentials" error.
Is there any way to return the appropriate error message, something like "user password expired"?
Answering my own question, the solution was to extend MSADUserAccountControlsMapper to throw the appropriate exception then catch it in a subclass of AbstractUsernameFormAuthenticator.
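
The throw-then-catch pattern described above, as a stand-alone added example; it is not the poster's code and not Keycloak's. The class and method names are hypothetical and the LDAP message is constructed in the format Active Directory uses for failed binds, where the hex sub-code after "data" gives the reason (532 = password expired, 773 = user must change password).

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AdBindErrorDemo {
    // Hypothetical exception type: carries a reason that is safe to show to the user.
    static class AccountStateException extends RuntimeException {
        final String reason;
        AccountStateException(String reason, String message) {
            super(message);
            this.reason = reason;
        }
    }

    // AD embeds a hex sub-code after "data" in the text of LDAP error 49.
    private static final Pattern AD_SUBCODE =
            Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+),");

    // Mapper side (hypothetical): throw only for the states worth reporting.
    static void checkBindFailure(String ldapMessage) {
        if (ldapMessage == null) return;
        Matcher m = AD_SUBCODE.matcher(ldapMessage);
        if (!m.find()) return;
        switch (m.group(1).toLowerCase()) {
            case "532":
                throw new AccountStateException("password_expired", "User password expired");
            case "773":
                throw new AccountStateException("password_change_required", "User must change password");
            default:
                return; // every other sub-code keeps the generic answer
        }
    }

    // Authenticator side (hypothetical): catch the typed exception, otherwise stay generic.
    static String authenticate(String ldapMessage) {
        try {
            checkBindFailure(ldapMessage);
            return "invalid_grant: Invalid user credentials";
        } catch (AccountStateException e) {
            return "invalid_grant: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample messages; the DSID value is made up.
        String prefix = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
                + "comment: AcceptSecurityContext error, data ";
        for (String code : new String[] {"532", "773", "52e"}) {
            System.out.println(code + " -> " + authenticate(prefix + code + ", v1db1]"));
        }
    }
}
```

Only the two password-state sub-codes get a distinct message; an unrecognised or unparsable failure falls through to the same generic response as a wrong password, so the error text does not disclose anything else about the account.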