Again, this is another simple type that can be easily used, but it is considered the most insecure of all. In this grant type, the resource owner (user) has to key their credentials directly into the client application interface (remember, the client application has access to the resource owner's credentials). The credentials are then used by the client application to send to the authorization server to get the Access Token. This grant type only works if the resource owner fully trusts the application through which they give their credentials to the service provider, as these credentials pass through the application server of the client application (they can therefore be stored, if the client application decides to).