As per the OAuth specs, for the Resource Owner Flow, you can call the /token resource without having to provide a client secret,
only username, password, grant_type, scope and client id.
The client secret should be optional.
How do I configure a resource owner flow application that has the client secret as optional?
I have created a Native app and allowed the resource owner password, but when calling the /token API, it always rejects the request with the below error:
"error_description": "Client authentication failed. Either the client or the client credentials are invalid."
Also, as per the Okta blog, the client secret should be optional for the Resource Owner Flow: