diff --git a/authentik/core/migrations/0031_alter_user_type.py b/authentik/core/migrations/0031_alter_user_type.py
index 9140a4e39..b0f83b41c 100644
--- a/authentik/core/migrations/0031_alter_user_type.py
+++ b/authentik/core/migrations/0031_alter_user_type.py
@@ -17,6 +17,7 @@ def migrate_user_type_v2(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
         user.type = UserTypes.INTERNAL
         user.save()
 
+
 class Migration(migrations.Migration):
     dependencies = [
         ("authentik_core", "0030_user_type"),
diff --git a/authentik/providers/oauth2/tests/test_token_cc.py b/authentik/providers/oauth2/tests/test_token_cc.py
index 7dc086ba0..8becccb95 100644
--- a/authentik/providers/oauth2/tests/test_token_cc.py
+++ b/authentik/providers/oauth2/tests/test_token_cc.py
@@ -11,6 +11,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_cert,
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.constants import (
     GRANT_TYPE_CLIENT_CREDENTIALS,
+    GRANT_TYPE_PASSWORD,
     SCOPE_OPENID,
     SCOPE_OPENID_EMAIL,
     SCOPE_OPENID_PROFILE,
@@ -150,3 +151,28 @@ class TestTokenClientCredentials(OAuthTestCase):
         )
         self.assertEqual(jwt["given_name"], self.user.name)
         self.assertEqual(jwt["preferred_username"], self.user.username)
+
+    def test_successful_password(self):
+        """test successful (password grant)"""
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            {
+                "grant_type": GRANT_TYPE_PASSWORD,
+                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
+                "client_id": self.provider.client_id,
+                "username": "sa",
+                "password": self.token.key,
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(body["token_type"], TOKEN_TYPE)
+        _, alg = self.provider.jwt_key
+        jwt = decode(
+            body["access_token"],
+            key=self.provider.signing_key.public_key,
+            algorithms=[alg],
+            audience=self.provider.client_id,
+        )
+        self.assertEqual(jwt["given_name"], self.user.name)
+        self.assertEqual(jwt["preferred_username"], self.user.username)
diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index 0e4a50238..dc08eb526 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -459,13 +459,13 @@ class TokenView(View):
                 if self.params.grant_type == GRANT_TYPE_REFRESH_TOKEN:
                     LOGGER.debug("Refreshing refresh token")
                     return TokenResponse(self.create_refresh_response())
-                if self.params.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS:
-                    LOGGER.debug("Client credentials grant")
+                if self.params.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]:
+                    LOGGER.debug("Client credentials/password grant")
                     return TokenResponse(self.create_client_credentials_response())
                 if self.params.grant_type == GRANT_TYPE_DEVICE_CODE:
                     LOGGER.debug("Device code grant")
                     return TokenResponse(self.create_device_code_response())
-                raise ValueError(f"Invalid grant_type: {self.params.grant_type}")
+                raise TokenError("unsupported_grant_type")
         except (TokenError, DeviceCodeError) as error:
             return TokenResponse(error.create_dict(), status=400)
         except UserAuthError as error: