APIs and Access Tokens with User Identity...And scopes

This is extremely helpful. Thanks, @jmangelo.

Quick follow-up. We are hitting /oauth/ro based on an Ionic 2 quickstart, which used the Auth0 Lock JS, which hit this endpoint. I see that quickstart has now drastically changed to use PKCE.

Given that this is our current state, would we be able to have the user log in via /oauth/ro, and then hit this resource owner password credentials endpoint with something other than the username & password? Effectively trade in a token to get an API access token? We wouldn’t use JS to make this call since the secret is involved.