OAuth 2.0 Password Grant

tools.ietf.org/html/rfc6749#section-1.3.3

The Password grant type is a way to exchange a user's credentials for an access token. Because the client application has to collect the user's password and send it to the authorization server, it is not recommended that this grant be used at all anymore.

This flow provides no mechanism for things like multifactor authentication or delegated accounts, so it is quite limiting in practice.

The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely.
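
One way to check whether the password grant is still enabled or in use on a deployment, as an added example that is not part of the original page. It assumes the authorization server publishes RFC 8414 metadata and that form-encoded token request bodies are available for review; the issuer, client names and request bodies below are constructed samples.

```python
import json
from urllib.parse import parse_qs

PASSWORD_GRANT = "password"  # grant_type value defined in RFC 6749 section 4.3.2

# Constructed sample: authorization server metadata in the RFC 8414 format.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://as.example.com",
  "token_endpoint": "https://as.example.com/token",
  "grant_types_supported": ["authorization_code", "refresh_token", "password"]
}""")

# Constructed sample: form-encoded token request bodies as a proxy might capture them.
SAMPLE_REQUESTS = [
    "grant_type=authorization_code&code=abc123&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&client_id=web",
    "grant_type=password&username=alice&password=hunter2&client_id=legacy-mobile",
    "grant_type=refresh_token&refresh_token=xyz&client_id=web",
]

def server_advertises_password_grant(metadata):
    """True if the server's metadata lists the password grant."""
    # RFC 8414: when grant_types_supported is omitted the default is
    # ["authorization_code", "implicit"], which does not include "password".
    default = ["authorization_code", "implicit"]
    return PASSWORD_GRANT in metadata.get("grant_types_supported", default)

def find_password_grant_requests(bodies):
    """Return one finding per token request that uses grant_type=password."""
    findings = []
    for index, body in enumerate(bodies):
        params = parse_qs(body, keep_blank_values=True)
        if PASSWORD_GRANT not in params.get("grant_type", []):
            continue
        findings.append({
            "index": index,
            "client_id": params.get("client_id", ["<none>"])[0],
            "username": params.get("username", ["<none>"])[0],
            # Never copy the credential into a report; record only that it was sent.
            "password_present": "password" in params,
        })
    return findings

if __name__ == "__main__":
    print("server advertises password grant:",
          server_advertises_password_grant(SAMPLE_METADATA))
    for finding in find_password_grant_requests(SAMPLE_REQUESTS):
        print(finding)
```

Each finding names a client that is still collecting user passwords itself and is a candidate for migration to a redirect-based flow.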
