simplified version of https://github.com/bshaffer/oauth2-server-demo

_MOST_SIMPLIFIED.php

<?php

include "public.php";

$request->query = array(
	'response_type' => 'code',
	'client_id' => 'demoapp',
	'redirect_uri' => '/'
);

$server->validateAuthorizeRequest($request);

$request->query = array(
	'response_type' => 'code',
	'client_id' => 'demoapp',
	'redirect_uri' => '/'
);

$code = $server->handleAuthorizeRequest($request, true)->getHttpHeader('Location');

// starting with /?code=
$code = substr($code, 7);

$request->query = array();

$request->request = array(
	'grant_type' => 'authorization_code',
	'code' => $code,
	'client_id' => 'demoapp',
	'client_secret' => 'demopass',
	'redirect_uri' => '/'
);

// need to be POST
$request->server['REQUEST_METHOD']='POST';

$response = $server->handleGrantRequest($request);

$response = str_replace("\r\n", "\n", $response);
$response = explode("\n\n", $response, 2)[1];

die($response);

_OAUTH2_SERVER_DEMO

--
-- Database Structure:
--

CREATE TABLE IF NOT EXISTS `oauth_access_tokens` (
  `access_token` text,
  `client_id` text,
  `user_id` text,
  `expires` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `scope` text
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE IF NOT EXISTS `oauth_authorization_codes` (
  `authorization_code` text,
  `client_id` text,
  `user_id` text,
  `redirect_uri` text,
  `expires` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `scope` text
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE IF NOT EXISTS `oauth_clients` (
  `client_id` text,
  `client_secret` text,
  `redirect_uri` text
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO `oauth_clients` (`client_id`, `client_secret`, `redirect_uri`) VALUES
('demoapp', 'demopass', NULL);

CREATE TABLE IF NOT EXISTS `oauth_refresh_tokens` (
  `refresh_token` text,
  `client_id` text,
  `user_id` text,
  `expires` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `scope` text
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

access.php

<?php

include "public.php";

if (!$server->verifyAccessRequest($request)) {
	$server->getResponse()->send();
} else {
	echo json_encode(array('results' => 'OK'));
}

authorize.php

<?php

include "public.php";

if ($_SERVER['REQUEST_METHOD'] == "POST") {

	$authorized = (bool) $request->request['authorize'];
	$response = $server->handleAuthorizeRequest($request, $authorized);
	$location = $response->getHttpHeader('Location');
	header("Location: $location");

} else {

	if (!$server->validateAuthorizeRequest($request)) {
		return $server->getResponse();
	} else {
		?>
		<form action="authorize.php?<?php echo ($_SERVER['QUERY_STRING']); ?>" method="post">
		<input type="submit" class="button authorize" value="Yes, I Authorize This Request" />
		<input type="hidden" name="authorize" value="1" />
		</form>

		<form id="cancel" action="authorize.php?<?php echo ($_SERVER['QUERY_STRING']); ?>" method="post">
		<input type="submit" class="button authorize" value="Cancel" />
		<input type="hidden" name="authorize" value="0" />
		</form>
		<?php
	}

}
?>

authorized.php

<?php

include "public.php";

if (!isset($request->query['code']) || !$code = $request->query['code']) {
	die("denied");
}

$query = array(
	'grant_type' => 'authorization_code',
	'code'       => $code,
	'client_id'  => 'demoapp',
	'client_secret' => 'demopass',
	'redirect_uri'  => 'authorized.php',
);

$url = 'http://'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']).'/grant.php';

$options = array('http' => array('method'  => 'POST',
		'content' => http_build_query($query)));
$context  = stream_context_create($options);
$response = @file_get_contents($url, false, $context);

$response = str_replace("\r\n", "\n", $response);
$response = explode("\n\n", $response, 2)[1];

if (!json_decode($response, true)) {
	exit($response);
}
$response = json_decode($response, true);

if (isset($response['access_token'])) {
	$token = $response['access_token'];
	echo '<a href="access.php?access_token='.$token.'">access</a>';
	die;
}

die('error=>'.$response['error_description']);

grant.php

<?php

include "public.php";

$response = $server->handleGrantRequest($request);

die($response);

index.php

<a href="authorize.php?response_type=code&client_id=demoapp&redirect_uri=<?php
		echo urlencode("authorized.php"); ?>">
	Authorize
</a>

public.php

<?php

require_once('oauth2-server-php/src/OAuth2/Autoloader.php');

OAuth2_Autoloader::register();

$storage = new OAuth2_Storage_Pdo(
	array('dsn' => "mysql:host=localhost;dbname=fortest;charset=UTF8",
			'username' => 'root',
			'password' => 'root')
);
$server = new OAuth2_Server($storage);

$server->addGrantType(new OAuth2_GrantType_AuthorizationCode($storage));

$request = OAuth2_Request::createFromGlobals();

Thx, very nice gist ;) helped me a lot to understand the oauth2 plugin.
but i think in grant.php its much nicer to do the die() with die($response->getResponseBody()); so you just get the json without the 200 Header.