For a PoC, the OAuth2 authorization code grant use case, needed to be stubbed out. Whilst this can be done over Curl, I decided to build this out in NodeJS to replicate a client application more closely.
The OAuth2 authorization code grant is fully explained here - http://docs.forgerock.org/en/openam/11.0.0/admin-guide/index/chap-oauth2.html#oauth2-authz
Basically there is a decoupling between the resource owner, the requesting client and the authorization server.
My basic client, first of all authenticates the end user to get an OpenAM session token. That token is used to generate an authorization code, which is in turn used by the client to request access and refresh tokens and ultimately the attribute scopes for the user.
The code is available on Github - https://github.com/smof/node_openam_oauth2_client