For several years, the Username-Password Flow was a simple and preferred approach for server-to-server integration. We have been using it to integrate Salesforce with other applications.
Salesforce finally decided to discontinue support for this flow and recommends using Client Credentials or JWT-based authentication, as they are more secure. Recently one of my team members got the error “Username-Password Flow Disabled”.
This exception was thrown in a new Salesforce Org. This error was returned even after updating the setting “Allow OAuth Username-Password Flows” in “OAuth and OpenID Connect Settings”.
Salesforce still supports the Username-Password Flow for legacy integration designs, but if you are creating a new connected app for your integration requirements, this is the time to stop using it. This is one of the technical debts we are going to work on soon.
If not Username-Password Flow, then what should we use?
If you have been using the Username-Password Flow, then I would recommend using the OAuth 2.0 Client Credentials Flow, as it is simple and relatively secure, and it may require only small changes to your client application. The other option would be to use the OAuth 2.0 JWT Bearer Flow, but you need a certificate and key, and your client application requires significant changes.
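What that small client change looks like at the token request, as an added example that is not code from this post or from Salesforce: it converts a legacy `grant_type=password` form into a `client_credentials` form and shows which user secrets the client no longer stores or sends. The My Domain host, the credential values, the sample response and all function names are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

# Assumption: placeholder host; use your org's My Domain URL.
TOKEN_URL = "https://MyDomainName.my.salesforce.com/services/oauth2/token"

# Fields only the Username-Password Flow sends: a real user's credentials.
USER_SECRETS = ("username", "password")


def to_client_credentials(legacy_form):
    """Convert a grant_type=password form into a client_credentials form.

    Returns (new_form, dropped), where dropped lists the user secrets the
    client no longer has to store or transmit.
    """
    if legacy_form.get("grant_type") != "password":
        raise ValueError("not a Username-Password Flow request")
    new_form = {k: v for k, v in legacy_form.items() if k not in USER_SECRETS}
    new_form["grant_type"] = "client_credentials"
    dropped = [k for k in USER_SECRETS if k in legacy_form]
    return new_form, dropped


def build_token_request(form, token_url=TOKEN_URL):
    """Build (but do not send) the POST to the token endpoint."""
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must be HTTPS")
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw):
    """Return (access_token, instance_url) or raise with the OAuth error."""
    doc = json.loads(raw)
    if "error" in doc:
        raise PermissionError(f"{doc['error']}: {doc.get('error_description', '')}")
    return doc["access_token"], doc["instance_url"]


# Constructed sample values, not real credentials or real server output.
LEGACY = {"grant_type": "password", "client_id": "EXAMPLE_KEY",
          "client_secret": "EXAMPLE_SECRET", "username": "svc@example.com",
          "password": "EXAMPLE_PW"}
SAMPLE_OK = ('{"access_token": "EXAMPLE_TOKEN", "token_type": "Bearer", '
             '"instance_url": "https://MyDomainName.my.salesforce.com"}')
```

The client secret is still a long-lived credential, so it belongs in a secrets manager rather than in source or configuration files.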
Summary
If you are working on an integration project and creating a connected app to support authentication and authorization for server-to-server integration, do not introduce technical debt: use the OAuth 2.0 Client Credentials Flow or the OAuth 2.0 JWT Bearer Flow.