zet

OIDC Resource Owner Password Flow (grant_type=password)

This flow is “deprecated” and not even included in OAuth 2.1, but it is still a critical part of most enterprise authentication strategies where both the application front end and back end are controlled entirely by that enterprise. The argument that username and password is an “anti-pattern” is almost entirely built on the risk of the “client” (front end, binary) being untrusted. This argument collapses when that control is guaranteed.
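The exchange this note refers to, as an added example that is not part of the original note: both sides of a `grant_type=password` token request as laid out in RFC 6749 section 4.3, showing that the client itself handles the raw password, which is the trust assumption discussed above. The client id, secret, user and function names are constructed for illustration.

```python
import base64, hmac, secrets
from urllib.parse import urlencode, parse_qs

# Constructed sample data. A real server stores password hashes, not plaintext.
CLIENTS = {"intranet-portal": "client-secret-example"}
USERS = {"alice": "correct horse battery staple"}

def build_token_request(client_id, client_secret, username, password, scope="openid"):
    """Client side: the first-party app collects the password and forwards it."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})
    return headers, body

def _equal(a, b):
    # Constant-time comparison so response timing does not leak secret prefixes.
    return hmac.compare_digest(a.encode(), b.encode())

def handle_token_request(headers, body):
    """Server side: check the grant type, then the client, then the user."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    try:
        scheme, blob = headers.get("Authorization", "").split(" ", 1)
        client_id, client_secret = base64.b64decode(blob).decode().split(":", 1)
    except ValueError:  # missing header, bad base64, or no ":" separator
        return 401, {"error": "invalid_client"}
    expected = CLIENTS.get(client_id)
    if scheme != "Basic" or expected is None or not _equal(expected, client_secret):
        return 401, {"error": "invalid_client"}
    stored = USERS.get(form.get("username", ""))
    if stored is None or not _equal(stored, form.get("password", "")):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 3600, "scope": form.get("scope", "")}

if __name__ == "__main__":
    hdrs, form_body = build_token_request(
        "intranet-portal", "client-secret-example",
        "alice", "correct horse battery staple")
    print(form_body)
    print(handle_token_request(hdrs, form_body))
```

Requiring client authentication before the user's credentials are evaluated is what ties the flow to applications the enterprise controls.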