Although the application has access to the resource owner’s password, there are still some security benefits to using this flow versus authenticating API calls with a username and password (via HTTP Basic access authentication or similar). With Basic authentication, an application needs to have continuous access to the user’s password in order to make API calls. It also requires the user change their password and reenter the new password in all applications which require it, should the user no longer want an application to have access to their data.

However, if the OAuth Resource Owner Password flow is used, the application only needs access to the user’s credentials once: on first use when the credentials are exchanged for an access token. This means there’s no requirement for the app to store these credentials within the application or on the device, and revoking access is easy as well.