Brian Demers
There are a lot of questions packed into this
The latest draft spec of the OAuth Best Practices says to NOT use ROPC
https://tools.ietf.org/html…
Okta has an Authentication API (authn) which can be used for migration cases and situations where a redirect cannot be used (we have mobile SDKs for this too). This option is NOT OAuth, but Okta provides an OAuth extension where you can exchange an Authn session token for an OAuth access token (when needed).
Of course, in general, I’d usually recommend the auth code flow with PKCE. In general it is usually less work to implement and contains less risk (i.e. your application never touches the user’s credentials).