openam-v13/openam-oauth2/OAuth2Setup.txt

	OAuth2Setup.txt revision f58c87ece2202b8f85310d8885c7e39a7f435c09
1. Click Access Control->Top Level Realm. Click Services. Add an OAuth2 Provider service.
	a. The token life times can be whatever you want. I suggest something reasonable 60 seconds or so.
	b. Issue refresh tokens wont effect the working in anyway except for you will or wont get a refresh token.
2. Click Policies. Add a new policy.
	a. Name can be whatever
	b. Add a New rule
		i. Click URL Policy Agent.
		ii. Click Next.
		iii. Name can be whatever.
		iv. Resource name should be the location of the authorization end point. EX http://jason.internal.forgerock.com:8080/openam/oauth2/authorize*
		v. Click both POST and GET and ALLOW both.
		vi. Click finish.
	c. Add a new Subject.
		i. Select Authenticated User.
		ii. Click next.
		iii. Name can be whatever.
		iv. exclusive can be left unchecked.
		v. Click finish.
	d. Click OK.
3. Click Agents->OAuth2.0 Client
 	a. Add a new agent
	b. Click the new agent
	c. Fill in the new agents settings using the help text as a guide.
	d. Click save.

OAuth2Demo setup:

1. Put war file in webapps directory.
2. Edit the WEB-INF/lib/classes/AMConfig.properties file.
	a. Change all the URLs to your domain name and tomcat port.
	b. Set the client_id and client_secret to the agent you created in OpenAM.
	c. The rest of it should work because it uses the demo user to login, which is in OpenAM by default.
3. Open <hostname>:<port>/oauth2demo in your web browser.
4. Authentication flow and implicit flow currently work in the demo. I will fix the others ASAP.

The others do work if you do them manually in OpenAM.
For example, Resource Owner Password flow you would do a POST to http://jason.internal.forgerock.com:18080/openam-server/oauth2/access_token with the parameters:
grant_type=password
username=demo
password=changeit
client_id=<client created in OpenAM>
client_secret=<client secret created in OpenAM>

Alternatively client_id and client_secret can be omitted from the POST and instead used to do HTTP basic auth.

All of the parameters for each endpoint for each flow is given in the OAuth2 specifications.
http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-4