The Resource-Owner Password Grant can only be executed when the authorization server (in this case, Auth0) has access to the username and password of the account. For Google Social accounts, we actually federate into Google. I wrote an answer for this yesterday that you might find helpful: