Using Passport to authenticate javascript application user

I have a few questions regarding Passport's "Password Grant Tokens" that I am hoping someone can answer. I will start by explaining what I am attempting to do.

We are in the process of refactoring our existing laravel web application into a service oriented architecture that will be consumed by a web browser using javascript and vuejs for templating. The api will contain public endpoints, and private endpoints. To secure the private endpoints we have decided to use OAuth2 via Laravel's Passport package.

Our current application uses laravel's standard authentication flow (user provides email/password, web app verifies, creates session, and sends session id in cookie). We will require the same functionality moving forward, except instead of creating a session, issuing an access_token to the user to be used during subsequent requests.

After days of researching OAuth2 (and reading a book!...yeah a book!) I am still semi-confused as to how this should be implemented. From what I have read, it would seem that in order to authenticate a user from our javascript web application we would want to use the "Password Grant Tokens" functionality of passport. If this is so, I have the following questions:

$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'password',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'username' => '[email protected]',
        'password' => 'my-password',
        'scope' => '',
    ],
]);

1. In the example code above, a 'client_secret' appears to be required. Why is this? Various articles I have read (example article) state that the password grant type only requires the 'client_id' so to allow mobile and desktop apps a way to authenticate users in the manner I have described above.
2. Where do the 'username' and 'password' parameters live? The passport db schema includes the following tables: 'oauth_clients', 'oauth_personal_access_clients', 'oauth_refresh_tokens', 'oauth_auth_codes', 'oauth_access_tokens'. I do not see columns in any of these tables that would store a username/password pair other than maybe the 'oauth_clients' table, but is this table not for third party registered applications?
3. How are specific users tracked within the above OAuth tables? For example, a user might have three different access tokens, but how do I know which user those tokens relate to? I assume that our api should be tracking this separately from the OAuth server ie: have a child table of users table that stores access tokens for users, but then if the user is making the call from javascript to the oauth server and being issued a token, how would our api know this happened? Maybe this is where a proxy script would come into play? Instead of javascript accessing the oauth server directly, it would access an endpoint on our api which forwards the username/password to the oauth server (this could also be where we include the client-secret voiding my first question)?

Some of these questions I am sure come from my lack of experience with OAuth. If someone could be kind enough to fill in the gaps I'm missing, I would be more than grateful.

If I have been unclear about what I am asking, or if further explanation is required just ask, as I will be more than happy to provide additional details.