Description
Symfony includes the translation of Security exception messages ... but they are not used automatically.

For example, if you build a custom Guard-based login mechanism ... UsernamePasswordJsonAuthenticationListener can return return new JsonResponse(['error' => $failed->getMessageKey()], 401); and you get Bad credentials. message in English, regardless of the current application locale.

Is this correct? Look at PHPdoc:

   /**
     * Message key to be used by the translation component.
     *
     * @return string
     */
    public function getMessageKey()

So, this is meant to be translated. Should we do it?

In the login form docs we translate this manually:

   {% if error %}
        <div class="alert alert-danger">{{ error.messageKey|trans(error.messageData, 'security') }}</div>
    {% endif %}

Should this message come translated instead?