In the resource owner password credentials flow, the client authenticates the user by taking the resource owner's username and password through a login interface. It can be used to obtain both access tokens and refresh tokens, and it involves client authentication:
- Resource owner enters the username and password in the client's app login screen.
- Username and password are passed to the authorization server to authenticate the user.
- If the user is authenticated, the authorization server returns the access token.
- This access token can be used by the client to access authorized resources.
This flow is not recommended for non-trusted sites, because the user's credentials are exposed to the client application.