How to use OAuth authentication in ServiceNow Inbound REST Calls?

rahulyamgar
Tera Guru

Hello Friends,

Today, one of my friends who was exploring the OAuth configuration in ServiceNow asked me:

1. If we need to send the username and password in grant_type=password requests, to get the access token and refresh token, how is it different than using the Basic Authentication?

2. If we used grant_type=password mechanism, how can we ensure that sender/client is using the refresh token to generate the access token and not the username & password to get the access token?

3. What is the common/best practice in implementing the OAuth - To provide user name and password to client to generate access token or ServiceNow administrator can generate the access and refresh token and provide the same to the Client?

@Aman Reddy Gurram (As you have already authored an article around the same) @Ankur Bawiskar (Based on your Community Video on OAuth) 

Thanks,
Rahul 

1 ACCEPTED SOLUTION

Ankur Bawiskar
Tera Patron

@rahulyamgar 

Please find the responses below

1. If we need to send the username and password in grant_type=password requests, to get the access token and refresh token, how is it different than using the Basic Authentication?

- There are a few benefits of OAuth over Basic Auth:

  • Using OAuth 2.0, the username & password are sent only a limited number of times
  • Access tokens are revoked after a particular amount of time, i.e. their lifespan, so they are harder to re-use
  • Widely used by most of the 3rd party applications

2. If we used grant_type=password mechanism, how can we ensure that sender/client is using the refresh token to generate the access token and not the username & password to get the access token?

- Once Access Token is expired and Refresh Token is still valid you should use Refresh Token to generate fresh Access Token using grant_type=refresh_token. This ensures you need not send the username and password again.

- But this doesn't stop the 3rd party from using the grant_type=password again to generate the Access Token. If the Refresh Token is still valid then they will get the same refresh token but a new access token if the access token is expired.

- Getting the very 1st Access Token will always require the username and password; that is how OAuth is defined for the grant_type=password flow.

3. What is the common/best practice in implementing the OAuth - To provide user name and password to client to generate access token or ServiceNow administrator can generate the access and refresh token and provide the same to the Client?

- The Access Token and Refresh Token should be generated by the 3rd party only. If you keep a system admin who does this job then that doesn't hold a valid scenario, as the OAuth flow should happen between 2 systems/applications without manual intervention. Though this can be done, it should be avoided.

Hope this helps

Regards
Ankur

✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

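A client-side illustration of the flow Ankur describes, added here as example code (it is not from the thread or from ServiceNow): the client caches the access token, renews it with grant_type=refresh_token while the refresh token is valid, and only falls back to grant_type=password when no usable refresh token exists, so the credentials leave the process as rarely as possible. The instance name, client id and credentials are placeholders; the HTTP transport is injectable so the logic can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholder instance name; /oauth_token.do is the ServiceNow token endpoint.
TOKEN_URL = "https://example-instance.service-now.com/oauth_token.do"


class TokenClient:
    """Caches tokens and prefers grant_type=refresh_token over re-sending credentials."""

    def __init__(self, client_id, client_secret, username, password, transport=None):
        self.client_id, self.client_secret = client_id, client_secret
        self.username, self.password = username, password
        self.transport = transport or self._http_post  # injectable for offline tests
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0
        self.password_grants = 0  # counts how often the credentials were actually sent

    def _http_post(self, form):
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(TOKEN_URL, data=data, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())

    def _grant(self, **params):
        form = {"client_id": self.client_id, "client_secret": self.client_secret, **params}
        return self.transport(form)

    def _store(self, body):
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)  # keep old if none returned
        self.expires_at = time.time() + int(body["expires_in"]) - 30  # safety margin

    def get_access_token(self):
        if self.access_token and time.time() < self.expires_at:
            return self.access_token
        if self.refresh_token:
            try:
                self._store(self._grant(grant_type="refresh_token", refresh_token=self.refresh_token))
                return self.access_token
            except Exception:  # e.g. HTTP 401 invalid_grant: refresh token expired or revoked
                self.refresh_token = None
        # Only here do the username and password leave the process.
        self.password_grants += 1
        self._store(self._grant(grant_type="password", username=self.username, password=self.password))
        return self.access_token
```

Because the instance itself cannot tell a well-behaved client from one that re-sends the password on every call (Ankur's point 2), this is the place to enforce that discipline: `password_grants` makes the behaviour visible and auditable on the client side.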

10 REPLIES

Jenny26
ServiceNow Employee

Hi, do we support OAuth for inbound GraphQL API calls? Thanks