outmoded / oz

Web Authorization Protocol

Encryption password

shawm11 opened this issue

Who is supposed to create and store the encryption password? Is it generated by the server (service provider) or the app (client)? Or is it the user's (resource owner's) password?

It seems that the encryption password is supposed to be generated and stored by the server (service provider) and kept secret. The encryption password is not shared with the app (client) or the user (resource owner).
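The arrangement discussed in this issue, as an added example that is not part of the original thread and not Oz's own code: a server-held password seals ticket data into an opaque string that the app can carry but cannot read or alter. The function names, the ticket fields, and the choice of scrypt with AES-256-GCM are assumptions made for illustration.

```javascript
// Added illustration; the names and the cipher choice are hypothetical, not Oz's API.
const nodeCrypto = require('crypto');

// Server only: generate once and keep in the server's secret store.
// Neither the app (client) nor the user (resource owner) ever receives it.
function generateEncryptionPassword() {
  return nodeCrypto.randomBytes(32).toString('base64');
}

// Stretch the password into a 256-bit key; a fresh salt per ticket gives a fresh key.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Seal ticket data into "salt.iv.tag.ciphertext" (hex), which is all the app sees.
function sealTicket(ticket, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(ticket), 'utf8'), cipher.final()]);
  return [salt, iv, cipher.getAuthTag(), body].map((b) => b.toString('hex')).join('.');
}

// Returns the ticket object, or null when the string is malformed, was modified,
// or was sealed under a different password.
function unsealTicket(sealed, password) {
  const parts = String(sealed).split('.');
  if (parts.length !== 4) return null;
  const [salt, iv, tag, body] = parts.map((p) => Buffer.from(p, 'hex'));
  if (iv.length !== 12 || tag.length !== 16) return null;
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
    decipher.setAuthTag(tag);
    const plain = Buffer.concat([decipher.update(body), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // authentication failed: reject instead of trusting the contents
  }
}
```

Because only the server can unseal, rotating or leaking this one password affects every outstanding ticket, which is why it is kept server-side.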