I have 2 app:
1 APP - main app (CMR) 2 APP - website
The main aim is connect to 2 APP from 1 APP using OAuth2;
1 APP is implemented FOSOAuthServerBundle, but not exist no one oauth2 clients.
The problem is that I can't generate oauth2 clients, because users know only username/password credentials.
In first step users submit login forms - then in some way I need from user credentials generate tokens.
Could I securely generate oauth2 clients with same id & secret as user username/password ?
The users doesn't need to know the client_id and client_secret. Actually is not safe at all for them to be known by anyone else, except the APP 2. The client credentials (client_id, client_secret) are generated in the auth server. Then the APP 2 devs get this client credentials and stores them somewhere where only the APP 2 has access to them (like the app 2 config files, or the app 2 db). After this is done, when a user wants to login, he only provides the username and password, app 2 wraps them in an API call to the token API of the auth server, with the grant type 'password' and wanted scopes.
But this only scratches the surface of auth2. If you add a third app to your network, and you want A2 and A3 to communicate securely using token generated by A1, then you will need a introspect API in A1, or even using signed JWT openId.
Long story short, FOSOAuthServerBundle is a good start but in the long run you will need to put in a lot of work. Here is some material to guide you.
Auth2 RFC: https://www.rfc-editor.org/rfc/rfc6749
Token introspect RFC: https://www.rfc-editor.org/rfc/rfc7662
sign JWT: https://jwt.io
Also look into openId, RBAC, ACL. This will also come in handy at some point.