diff --git a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpErrorDescriptionConsts.cs b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpErrorDescriptionConsts.cs
new file mode 100644
index 00000000000..93839fa6e39
--- /dev/null
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpErrorDescriptionConsts.cs
@@ -0,0 +1,8 @@
+namespace Volo.Abp.OpenIddict;
+
+public static class AbpErrorDescriptionConsts
+{
+    public const string RequiresTwoFactor = "RequiresTwoFactor";
+
+    public const string RequiresConfirmUser = "RequiresConfirmUser";
+}
diff --git a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.Password.cs b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.Password.cs
index 470debf115c..392e696d08a 100644
--- a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.Password.cs
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.Password.cs
@@ -127,7 +127,12 @@ await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
                     return await HandlePeriodicallyChangePasswordAsync(request, user, request.Password);
                 }
 
-                errorDescription = "You are not allowed to login! Your account is inactive or needs to confirm your email/phone number.";
+                if (user.IsActive)
+                {
+                    return await HandleConfirmUserAsync(request, user);
+                }
+
+                errorDescription = "You are not allowed to login! Your account is inactive.";
             }
             else
             {
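Review bot: The new `if (user.IsActive)` branch hands the user to HandleConfirmUserAsync with no sign that the supplied password has been verified, whereas the sibling call on the line above, `HandlePeriodicallyChangePasswordAsync(request, user, request.Password)`, is given the password, presumably so it can check it itself. If this block is reached from a SignInResult.NotAllowed result, ASP.NET Identity's pre-sign-in check returns NotAllowed before the password is compared, so anyone who knows the username of an active-but-unconfirmed account would receive the RequiresConfirmUser response, and whatever it carries, with a wrong password — an account-enumeration oracle. Gate the branch on a password check, e.g. `if (user.IsActive && await UserManager.CheckPasswordAsync(user, request.Password))` (or pass `request.Password` into HandleConfirmUserAsync and verify there, as the periodic-change handler appears to), and make sure a failed check still counts toward lockout. The enclosing method and the condition that leads into this block both lie outside the hunk, so which SignInResult routes here is inferred, not seen.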
@@ -235,7 +240,7 @@ await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
             items: new Dictionary
             {
                 [OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.InvalidGrant,
-                [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = nameof(SignInResult.RequiresTwoFactor)
+                [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = AbpErrorDescriptionConsts.RequiresTwoFactor
             },
             parameters: new Dictionary
             {
@@ -337,6 +342,26 @@ await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
         }
     }
 
+    protected virtual Task HandleConfirmUserAsync(OpenIddictRequest request, IdentityUser user)
+    {
+        Logger.LogInformation($"{request.Username} needs to confirm email/phone number");
+
+        var properties = new AuthenticationProperties(
+            items: new Dictionary
+            {
+                [OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.InvalidGrant,
+                [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = AbpErrorDescriptionConsts.RequiresConfirmUser
+            },
+            parameters: new Dictionary
+            {
+                ["userId"] = user.Id.ToString("N"),
+                ["email"] = user.Email,
+                ["phoneNumber"] = user.PhoneNumber ?? ""
+            });
+
+        return Task.FromResult(Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
+    }
+
     protected virtual async Task SetSuccessResultAsync(OpenIddictRequest request, IdentityUser user)
     {
         // Clear the dynamic claims cache.
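Review bot: HandleConfirmUserAsync puts the account's full `user.Email` and `user.PhoneNumber` into the `parameters` of an invalid_grant error, i.e. into the body of a failed token response, which is more than a confirmation screen needs and turns a username into the account's contact details for whoever can trigger this path. Return only what the client must show — a masked form (first character plus domain for the email, last two or three digits for the phone) — or just the `userId` and a flag for which channel is unconfirmed (the user type presumably exposes `EmailConfirmed`/`PhoneNumberConfirmed`; confirm), and keep the `?? ""` so a missing phone stays an empty string. The masking helper would be a few lines of string slicing; it is worth a short XML doc comment stating that the values are deliberately partial. Separately, `Logger.LogInformation($"{request.Username} needs to confirm email/phone number")` interpolates the username into the message; the structured form `Logger.LogInformation("{Username} needs to confirm email/phone number", request.Username)` keeps it as a log field and avoids the CA2254 template warning.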