I've been working with OAuth 2 for 7 years and I still don't really understand all the dark corners of the spec. Good to see Resource Owner grant type get called out for a "Do not use", although I dont think using it in a private, server side context is off the cards...