
Username and password memory persistence

Open aabdellah opened this issue 6 years ago • 0 comments

In the password grant, username and password should not be persisted in memory after using tryCredentials(username:password:). In the case of short lived access/refresh tokens, the grant instance uses the username and password persisted in memory to request a new access token instead of presenting the login controller for the user to re-enter credentials.

The client should not persist these for future use according to RFC 6749 1.3.3.

Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token. This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials with a long-lived access token or refresh token.

aabdellah, Jul 09 '19 11:07
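The behaviour the issue asks for, as an added Python example that is not the library's code: the credentials are handed to the token endpoint once and never stored on the grant, later requests rely on the refresh token, and when that fails the caller is told to present the login controller again. The `endpoint` callable and the `fake_endpoint` authorization server are constructed assumptions.

```python
import time

class LoginRequired(Exception):
    """No token can be obtained without the user re-entering credentials."""

class PasswordGrant:
    """Password grant that keeps only the tokens, never the credentials (RFC 6749 1.3.3).
    `endpoint` is a hypothetical stand-in for the token endpoint: it takes the token
    request's form parameters, returns the response dict, and raises ValueError on
    invalid_grant."""

    def __init__(self, client_id: str, endpoint, now=time.time):
        self.client_id, self._endpoint, self._now = client_id, endpoint, now
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, resp: dict) -> None:
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token")
        self.expires_at = self._now() + float(resp.get("expires_in", 0))

    def try_credentials(self, username: str, password: str) -> str:
        # Used for this single request, then dropped: nothing on the instance keeps them.
        self._store(self._endpoint({"grant_type": "password", "client_id": self.client_id,
                                    "username": username, "password": password}))
        return self.access_token

    def valid_access_token(self) -> str:
        # Cached token, then refresh token; if both fail, raise so the caller shows the login UI.
        if self.access_token and self._now() < self.expires_at:
            return self.access_token
        if self.refresh_token:
            try:
                self._store(self._endpoint({"grant_type": "refresh_token", "client_id":
                                            self.client_id, "refresh_token": self.refresh_token}))
                return self.access_token
            except ValueError:
                pass
        self.access_token = self.refresh_token = None
        raise LoginRequired("present the login controller for fresh credentials")

def fake_endpoint(params: dict) -> dict:
    """Constructed stand-in for an authorization server so the example runs offline."""
    if params["grant_type"] == "password" and params["password"] == "correct-horse":
        return {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 60}
    if params["grant_type"] == "refresh_token" and params["refresh_token"] == "rt-1":
        return {"access_token": "at-2", "refresh_token": "rt-2", "expires_in": 60}
    raise ValueError("invalid_grant")
```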