diff --git a/src/Stormpath.Owin.Middleware/Model/Error/OauthInvalidRequest.cs b/src/Stormpath.Owin.Middleware/Model/Error/OauthInvalidRequest.cs
index 97830ad..179c4ae 100644
--- a/src/Stormpath.Owin.Middleware/Model/Error/OauthInvalidRequest.cs
+++ b/src/Stormpath.Owin.Middleware/Model/Error/OauthInvalidRequest.cs
@@ -27,5 +27,14 @@ public OauthInvalidRequest()
 error = "invalid_request"
 };
 }
+
+ public OauthInvalidRequest(string errorDescription)
+ {
+ Body = new
+ {
+ error = "invalid_request",
+ error_description = errorDescription
+ };
+ }
 }
 }
diff --git a/src/Stormpath.Owin.Middleware/Route/Oauth2Route.cs b/src/Stormpath.Owin.Middleware/Route/Oauth2Route.cs
index b454b2e..8114ab9 100644
--- a/src/Stormpath.Owin.Middleware/Route/Oauth2Route.cs
+++ b/src/Stormpath.Owin.Middleware/Route/Oauth2Route.cs
@@ -113,6 +113,12 @@ private async Task ExecutePasswordFlow(IOwinEnvironment context, string us
 var jsonErrorHandler = new Func((message, ct) => Error.Create(context, new BadRequest(message), ct));
+ if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
+ {
+ await Error.Create(context, new OauthInvalidRequest("Missing username or password"), cancellationToken);
+ return true;
+ }
+
 var (grantResult, user) = await executor.PasswordGrantAsync(
 context,
 jsonErrorHandler,
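Review bot: The new `OauthInvalidRequest(string errorDescription)` constructor in OauthInvalidRequest.cs is undocumented, and `errorDescription` is copied as-is into `error_description` in the response body, so a doc comment should say what callers may pass. Suggest a one-line summary plus `/// <param name="errorDescription">Fixed, client-safe text; never an exception message or a value taken from the request.</param>`. RFC 6749 section 5.2 also restricts `error_description` to printable ASCII without `"` or `\`, which nothing in this constructor enforces. The class body starts outside the hunk.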
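Review bot: In ExecutePasswordFlow (Oauth2Route.cs) the added guard tests `string.IsNullOrEmpty(username)`, so a whitespace-only username still reaches `executor.PasswordGrantAsync` and is handled by whatever the backend does with it. Consider `if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))`, keeping `IsNullOrEmpty` for the password so that passwords made only of spaces are not refused here. The guard could also sit above the `jsonErrorHandler` declaration, which this path never uses. The method body starts and ends outside the hunk, so what `return true` signals to the caller cannot be confirmed from these lines.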