- OAuth 2.0 Cookbook
- Adolfo Eloy Nascimento
- 2021-07-08 09:35:09
There's more...
Although we should avoid this grant type, it's not a problem to use it when the client application interacts with a server that belongs to the same domain as the client. That is to say, both the client and the OAuth 2.0 Provider belong to the same solution. Because it is a single application divided between client and server, users can trust it with their credentials. The only important thing to mention is that the client application must throw away the username and password once they have been used to obtain an access token.
Once again, do not forget to use TLS/SSL when running solutions such as the one described in this recipe in production.
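The two rules above (discard the credentials, require TLS) can be sketched as follows. This is an added example, not code from the book; it assumes the grant under discussion is the resource owner password credentials grant (`grant_type=password`, RFC 6749 section 4.3), and `PasswordGrantClient`, `fake_provider`, the endpoint URL and the sample credentials are constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit


class PasswordGrantClient:
    """Keeps tokens only; user credentials never become attributes."""

    def __init__(self, token_url, client_id, send):
        # The form body carries the raw password, so refuse cleartext endpoints.
        if urlsplit(token_url).scheme != "https":
            raise ValueError("token endpoint must use https")
        self.token_url = token_url
        self.client_id = client_id
        self._send = send  # transport callable: (url, body) -> JSON bytes
        self.access_token = None

    def login(self, username, password):
        """Exchange credentials for a token; `password` is a bytearray."""
        body = bytearray(urlencode({
            "grant_type": "password",
            "username": username,
            "password": bytes(password),
            "client_id": self.client_id,
        }).encode("ascii"))
        try:
            reply = json.loads(self._send(self.token_url, body))
        finally:
            # Best effort: overwrite the mutable buffers we control. Immutable
            # copies made while encoding are left to the garbage collector.
            password[:] = bytes(len(password))
            body[:] = bytes(len(body))
        self.access_token = reply["access_token"]
        return self.access_token


def fake_provider(url, body):
    """Constructed stand-in for the provider's token endpoint (no network)."""
    form = parse_qs(bytes(body).decode("ascii"))
    if form["grant_type"] != ["password"] or form["password"] != ["s3cret!"]:
        raise PermissionError("invalid_grant")
    return json.dumps({"access_token": "constructed-token-123"}).encode()


def demo():
    client = PasswordGrantClient("https://auth.example.test/oauth/token",
                                 "sample-client", fake_provider)
    secret = bytearray(b"s3cret!")  # constructed sample password
    token = client.login("alice", secret)
    return token, bytes(secret), vars(client)
```

In a real client the `send` callable would be an HTTPS POST with certificate verification left enabled; after `login` returns, only the token remains on the client object.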