Resource Owner Password Credentials

The Resource Owner Password Credentials grant type should be used only with a highly trusted client, because the client handles the user's credentials directly. In other words, this grant type should only be used when there is a high degree of trust between the Resource Owner and the Client. In most cases, the client will be a first-party application. The Client uses the credentials directly to interact with the Authorization Server and obtain an access token. The flow can be described with the following diagram:

This flow can be described as follows:

  1. The Client is highly trusted, so it asks the Resource Owner directly for credentials. The Client could be a highly privileged application.
  2. The credentials will be sent by the Client to the Authorization Server. The Client will also send its own identity to the Authorization Server. In response, the Authorization Server will send back the access token, and optionally, a refresh token.
  3. The access token is used by the client to access the protected resources of the Resource Server.
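
The three steps above as an in-memory exchange. This is an added example, not code from the book: the client IDs, user names, secrets and function names are constructed for illustration, and the request layout (grant_type=password with HTTP Basic client authentication) follows RFC 6749 section 4.3.

```python
import base64, hmac, secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample data (assumptions). A real server stores password hashes, not plaintext.
CLIENTS = {"first-party-app": "client-secret"}
USERS = {"alice": "correct horse"}
TOKENS = {}  # issued access token -> username

def same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time comparison

def build_token_request(client_id, client_secret, username, password):
    """Steps 1-2, Client side: user credentials in the form body, client identity in Basic auth."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    return headers, body

def token_endpoint(headers, body):
    """Step 2, Authorization Server side: authenticate the Client first, then the Resource Owner."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    try:
        client_id, _, client_secret = base64.b64decode(value).decode().partition(":")
    except ValueError:
        client_id = client_secret = ""
    if scheme != "Basic" or client_id not in CLIENTS or not same(CLIENTS[client_id], client_secret):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    user, password = form.get("username", ""), form.get("password", "")
    if user not in USERS or not same(USERS[user], password):
        return 400, {"error": "invalid_grant"}
    access = secrets.token_urlsafe(32)
    TOKENS[access] = user
    return 200, {"access_token": access, "token_type": "Bearer", "expires_in": 3600,
                 "refresh_token": secrets.token_urlsafe(32)}  # refresh token is optional

def resource_server(headers):
    """Step 3: the Resource Server serves the request only for a token it can resolve."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user = TOKENS.get(token) if scheme == "Bearer" else None
    return (200, f"profile of {user}") if user else (401, "invalid_token")
```

The user's password appears only in the token request; the Resource Server sees the access token and never the password.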