My conclusion is that hacking oauth is going to be almost impossible without some help from @emmanuel
Which is a real shame as it really isn’t all that much of a hack. We can use the implicit flow to do the token exchange as @brentsum says. And I have successfully pulled back a JWT which contains the correct access token for google access, but because it is in the URL parameter I can’t decode it with running some code. That was using auth0.com in an attempt to do the heavy lifting.
Maybe using oauth.io would work ?
Not sure if my usecase is the same as the above, but I am not trying to subvert the Bubble auth system, I am just trying to as a user to provide a syndicated logon that will retireive a token to allow we access to their data. This is “link my Google Calendar” style. Or Facebook. Linkedin. etc etc.
Maybe it is my technical naivete, but it doesn’t seem all THAT complicated to be able perform these API calls to get what is essentially a text string. You can pass things in URL parameters.