Both client_id and client_secret are not used in the password flow. However, as you are probably aware, OAuth2 has other flows, suited for other scenarios.
Namely:
-
the authorization code flow used in web apps that authenticate users server side. The client_id is used in the initial redirect, the client_secret is used in the last step where the app exchanges the one time code for a token.
-
the client credentials flow used to authenticate applications rather than individual users
A concise reference of all various flows: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified