0👍
The issue was simple misconfiguration and misusage, which resulted in an ambiguous behaviour.
This works:
- base64-encoded ‘Authorization’ header (
client_id:client_secret) - Make sure the application settings set to ‘resource owner password-based’. Note, that it can not be ‘Public’,
client_secretis absolutely required for this flow.
Source:stackexchange.com