The easiest way to fix is using postman collection from here https://github.com/auth0/postman-collections, look for Get Access Token/Resourse Owner Password request. Pay attention that client_id and other keys are set in request body but not Params, except Content-Type which is set in header.