The documentation is okay, but it has some holes, and I had to read it many many times and play with the API myself to "get it" in terms of implementation. So here is a guide that I hope will help someone along the way.
DISCLAIMER: This is by no means the canonical or the most secure way to do this. Below are my findings upon my reading of the docs and the spec. But I might be wrong, very wrong.
This gist is meant to complement the documentation in https://getkong.org/plugins/oauth2-authentication/.
The Resource Owner Password Credentials Grant makes sense if we want to authenticate users who are using our trusted 1st party applications of our own service. (However, you might not want to trust your JavaScript SPA with your refresh token, and maybe you need to store that refresh token in the server on behalf of the SPA if you are paranoid about security. Disclaimer: I am not a security expert)