Recent replies:

You should be able to create a new class in whatever database you're doing this in, no parent class needed.
Within that class define a ValidateUser class method as above. It should check their credentials and confirm a user exists. If you're using the Caché users table you can use the example above, otherwise you'll need to open the relevant person class and pull the relevant fields from there. Then set the claims that you want to send back to the client based on which scopes you're using. You can set claims with:

Do properties.SetClaimValue("name",tUser.Name)

You can check scopes with something like:

scope.IsDefined("openid")
 

Then in the portal, under System Admin -> Security -> OAuth2 -> Server, go to the Customization tab and change the Validate User Class to your new class name. That will make the OAuth processing look there for a ValidateUser method and call it.

HTH,

Orion
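
The steps in the reply above, put together as an added example; it is not part of the original reply or InterSystems' own code. The class name Demo.OAuth2.Validate, the Demo.Person class with its unique UsernameIdx index and its CheckPassword() method are hypothetical, and the method signature is assumed to match the ValidateUser method of the shipped %OAuth2.Server.Validate class.

```objectscript
/// Added example: custom validate-user class for the OAuth2 server.
/// Demo.Person, its unique index UsernameIdx and CheckPassword() are hypothetical.
Class Demo.OAuth2.Validate
{

/// Signature assumed to match %OAuth2.Server.Validate.ValidateUser.
/// Returns 1 only when the credentials are valid; fails closed otherwise.
ClassMethod ValidateUser(username As %String, password As %String, scope As %ArrayOfDataTypes, properties As %OAuth2.Server.Properties, Output sc As %Status) As %Boolean
{
    Set sc = $$$OK

    // Reject empty credentials before touching the user store
    If (username = "") || (password = "") Quit 0

    // Open the person by username through the generated <Index>Open method
    Set tUser = ##class(Demo.Person).UsernameIdxOpen(username, , .tOpenSC)
    // Unknown user: same result as a wrong password, so callers
    // cannot tell which of the two checks failed
    If '$IsObject(tUser) Quit 0

    // Hypothetical method that compares against the stored password hash
    If 'tUser.CheckPassword(password) Quit 0

    // Standard OpenID Connect subject claim (assumes username is the subject)
    Do properties.SetClaimValue("sub", username)

    // Release profile data only when the matching scope was requested
    If scope.IsDefined("openid") {
        Do properties.SetClaimValue("name", tUser.Name)
    }

    Quit 1
}

}
```

Each claim is set only inside the scope check that authorizes it, so a client that did not request the scope receives no profile data.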

This looks great Dan. For anyone interested, I put together an example of using OAuth2 in AngularJS in the Widgets Direct demo app here:
https://github.com/intersystems/widgets-direct

It shows sending the requests and getting the access code back, but I haven't included validating that on the server side. If there is interest I can look at adding that.

Thanks for the suggestions. I ultimately set it up to have a fallback mode which allows bypassing the captcha. Eventually I'll choose another service if necessary, but for now it just ignores the captcha and I'll track to see if we get much spam.

 
