I am trying to use Oauth 2 to authorize users from a mobile app to a trusted authentication/resource api. They will enter their username and password in the app and the resource will return an access token which can be used in subsequent requests.
According to https://alexbilbie.com/guide-to-oauth-2-grants/#resource-owner-credentials-grant-section-43, I need to use grant type 'password', and with this flow, I need to also send client_id and client_secret. I'm just a bit confused on where those two values are supposed to be generated from in this flow?
I’ve also seen other sites say that with this flow you DON’T actually need client_id and client_secret, and another site mentioned you only need client_id. A bit confused on what is the correct implementation here.