Can we still using the esource Owner Password Credentials Grant？

[ioniconline]

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13#section-3.4

3.4. Resource Owner Password Credentials Grant

The resource owner password credentials grant MUST NOT be used. This
grant type insecurely exposes the credentials of the resource owner
to the client. Even if the client is benign, this results in an
increased attack surface (credentials can leak in more places than
just the AS) and users are trained to enter their credentials in
places other than the AS.

Furthermore, adapting the resource owner password credentials grant
to two-factor authentication, authentication with cryptographic
credentials, and authentication processes that require multiple steps
can be hard or impossible (WebCrypto, WebAuthn).

[n2ygk]

Good question. We should deprecate/remove this as we did for oob. Think of 2.0.0 as the start of getting to the OAuth 2 BCP/OAuth 2.1.

[dopry]

@ioniconline yes this feature is still available as it is part of the OAuth spec, even though it isn't best practice.

@n2ygk I feel like we should modify the docs and help text to clearly mark this is not a best practice, but I don't feel we can remove it and still claim standards compliance for a wider audience or adversely impact people who are using it for first party auth or other legacy reasons in their infrastructure. Do we want to spin up a separate task for this work or update the OP with some implementation direction?