1. create custom auth module which throws custom auth failure message
2. register and deploy to OpenAM
3. configure auth module instance on admin console
4. request access token with grant_type=password and intentionally pass wrong password for resource owner.
It always returns the same message and ignores what's been thrown from custom auth
The example above is using custom auth, but it's the same with any auth module where error messages are things like user account locked etc.
It will be nice if OpenAM could check error message thrown from auth and return that message.