The RH-SSO server returns the invalid_grant error response when a client sends a request with grant_type=password while Direct Access Grant is disabled.
According to RFC 6749, it seems better to return the unauthorized_client error response.
5.2. Error Response
The authorization server responds with an HTTP 400 (Bad Request)
status code (unless specified otherwise) and includes the following
parameters with the response:
REQUIRED. A single ASCII [USASCII] error code from the
The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
The authenticated client is not authorized to use this
authorization grant type.
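
The distinction in the RFC text quoted above, as an added example (not RH-SSO code): a minimal token-endpoint handler that checks whether the client may use the password grant before it validates the credentials, so a disabled grant yields unauthorized_client and only a bad credential yields invalid_grant. The client registry, the `direct_access_grants` flag name, the user store and all function names are assumptions made for illustration.

```python
import hmac
import json

# Constructed sample data: a per-client switch for the password grant
# (hypothetical flag name) and a toy user store.
CLIENTS = {
    "legacy-cli": {"direct_access_grants": True},
    "web-app": {"direct_access_grants": False},
}
USERS = {"alice": "correct horse"}


def error(code, description):
    """RFC 6749 section 5.2 error response: HTTP 400 plus a JSON body."""
    return 400, json.dumps({"error": code, "error_description": description})


def token_endpoint(client_id, form):
    """Handle a token request from an already authenticated client."""
    client = CLIENTS[client_id]
    if form.get("grant_type") != "password":
        return error("unsupported_grant_type", "only password is modelled here")
    # Client policy comes first: a client that may not use this grant type
    # gets unauthorized_client, whatever credentials it sent.
    if not client["direct_access_grants"]:
        return error("unauthorized_client",
                     "client is not allowed to use the password grant")
    if "username" not in form or "password" not in form:
        return error("invalid_request", "username and password are required")
    # Only now is the grant itself validated; a failure here is invalid_grant.
    expected = USERS.get(form["username"])
    supplied = form["password"].encode()
    if expected is None or not hmac.compare_digest(expected.encode(), supplied):
        return error("invalid_grant", "invalid user credentials")
    body = {"access_token": "constructed-token", "token_type": "Bearer"}
    return 200, json.dumps(body)


def error_code(response):
    """Return the error code from a (status, body) response, or None."""
    return json.loads(response[1]).get("error")
```

Because the policy check runs before credential validation, a client with the grant disabled receives the same answer for valid and invalid passwords.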