Appendix A. Resource Owner Password Credentials Grant
The resource owner password credentials grant is an additional grant type supported by the OAuth 2.0 specification. It isn't commonly used or supported by service providers due to its low level of security. In a nutshell, this grant type uses the user's actual credentials to obtain an access token. This is in stark contrast to the other grant types, where the client application never sees the user's credentials. In this grant type, users hand their credentials to the client application, which then uses them on the users' behalf to access protected resources.
Once the client application has a user's credentials, it uses them to gain an access token, just as in the other grant types. In this sense, risk is mitigated slightly, compared to using the credentials directly, since tokens have limited scope and duration (unlike passwords). However, the passing and delegation of user credentials is...
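The exchange described above, sketched as an added example that is not part of the original text: the client builds the token request defined in RFC 6749, section 4.3.2, and an in-process stand-in for the authorization server answers it. The client id and secret, the user, the scope name and the `token_endpoint` function are all constructed for illustration.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample values; none of them come from the original text.
CLIENT_ID, CLIENT_SECRET = "demo-client", "demo-client-secret"
USERS = {"alice": "correct horse battery staple"}  # plaintext only for the demo


def build_token_request(username, password, scope):
    """Client side: the application holds the user's plaintext password and
    forwards it in the form-encoded body of the token request."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})
    return headers, body


def token_endpoint(headers, body):
    """Hypothetical authorization server: authenticates the client, then the
    resource owner, and returns a scoped, short-lived bearer token."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    try:
        client = base64.b64decode(value).decode() if scheme == "Basic" else ""
    except ValueError:
        client = ""
    if client != f"{CLIENT_ID}:{CLIENT_SECRET}":
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    expected = USERS.get(form.get("username", ""))
    supplied = form.get("password", "").encode()
    if expected is None or not hmac.compare_digest(expected.encode(), supplied):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 3600, "scope": form.get("scope", "")}


if __name__ == "__main__":
    headers, body = build_token_request("alice", USERS["alice"], "contacts.read")
    print(body)                           # the password is visible to the client
    print(token_endpoint(headers, body))  # the token carries scope and expiry
```

The request body shows the password passing through the client in the clear, while the response carries only a token bounded by `scope` and `expires_in`.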