OK, here is what I'd do...

With your app open in the browser (in debug-run from the DF Studio), but before you attempt to log in to the service, right-click somewhere on the browser page and from the pop-up menu select "Inspect" (in Chrome) or "Inspect Element (Q)" (in Firefox), then in the window that opens up go to the "Sources" tab (in Chrome) or the "Debugger" tab (in Firefox). In the left-hand pane of that, navigate to the oOAuth2.js file.

Set a breakpoint (click the line number) just after the "url = " line:
Code:
        var pollTimer = window.setInterval(function() {
            
            try {
            
                if (win.document.URL.indexOf(obj.wpsRedirectUrl) != -1) {
                    window.clearInterval(pollTimer);
                    url         = win.document.URL;  
                    win.close();  // <-- set the breakpoint here
(About line 81 or 82 in my version.)

Then go through your login procedure (click the button or whatever) and perform the login - you should then hit the breakpoint in the browser's debugger.

Look at what is in that url variable (hovering over it will generally show you, but find it in the Scopes pane of the browser's debugger which might make it easier you to copy it's content). Then paste that into a text editor for examination:

It will be something like this example from Google:
Code:
"http://localhost/GoogleAPI181/MSCallback.html?code=AQABAAIAAAAm-06blBE1TpVMil8KPQ411ocdZfH2nYgskb3A3XX52FN_LvA9tti9oLBSAEvuOD2KcjnWt4G1hoHXIqem8lVikMUnPlTKZKmqCHF_HwijWnkgBvDPyyNAa2ZcYYhkI9ohtYB6wn2kebwtEJ6sOGd1N8nrBzpz5MVEWHimwbWctQEJnOr56ckMfh_X8OSqjgclyUeeCyM5UbOOG2dSlcNKg335mCFF37QenNfG_gWd_HA-dWndwL0hr7R1TOznRlDrtmM6xtRC4x2gWGFrPL4_p0vKasW05vyriXwYW_kAoTAXUQYk7G8dqXpsmv1REz-8bSkxGiYVKln9vFTZR-OTfUSX69od9jJym7zxaQ3UkSanzcMatSo7ovGZTQ2-YUHu9qFMIAJTpKqEPIrR1zVpnj-Mqn97vFjstf4_kvnQyDmnJCppEFZBqUbIV4FA7ydg-EyOnKFHGfiawmmESj7VX6GYPWnPV1-G1uTVF3Rtv4PXtA5SYl_zRX5H-55j238wEO_wJ6Sz9M_rUUqtNcx1fLrVnQG_emPwyWhBykadcADZd4qPgwavPDn6HMJO8phkUFDP3wWd12IO2K-DpCDUIAA&state=1w42JUXSFcPhrzdJaV9Dvqhvv1lYt6c54p5y&session_state=b3b9afcf-d9ef-4a5f-9891-d25db5003526"
Then break that down in the text editor so you can see all the parts clearly (I have annotated this one a bit):
Code:
http:                                    <--Protocol
//localhost                              <--Host
/GoogleAPI181/MSCallback.html            <--Path
?code=AQABAAIAAAAm-06blBE1TpVMil8KPQ411ocdZfH2nYgskb3A3XX52FN_LvA9tti9oLBSAEvuOD2KcjnWt4G1hoHXIqem8lVikMUnPlTKZKmqCHF_HwijWnkgBvDPyyNAa2ZcYYhkI9ohtYB6wn2kebwtEJ6sOGd1N8nrBzpz5MVEWHimwbWctQEJnOr56ckMfh_X8OSqjgclyUeeCyM5UbOOG2dSlcNKg335mCFF37QenNfG_gWd_HA-dWndwL0hr7R1TOznRlDrtmM6xtRC4x2gWGFrPL4_p0vKasW05vyriXwYW_kAoTAXUQYk7G8dqXpsmv1REz-8bSkxGiYVKln9vFTZR-OTfUSX69od9jJym7zxaQ3UkSanzcMatSo7ovGZTQ2-YUHu9qFMIAJTpKqEPIrR1zVpnj-Mqn97vFjstf4_kvnQyDmnJCppEFZBqUbIV4FA7ydg-EyOnKFHGfiawmmESj7VX6GYPWnPV1-G1uTVF3Rtv4PXtA5SYl_zRX5H-55j238wEO_wJ6Sz9M_rUUqtNcx1fLrVnQG_emPwyWhBykadcADZd4qPgwavPDn6HMJO8phkUFDP3wWd12IO2K-DpCDUIAA     <--Code
&state=1w42JUXSFcPhrzdJaV9Dvqhvv1lYt6c54p5y                  <--State
&session_state=b3b9afcf-d9ef-4a5f-9891-d25db5003526          <--Session State
So the long one in there is (or should be) the code.

Back in the browser's debugger, step on through until you have stepped over the line:
Code:
                    code        = obj.queryValue(url, obj.wpsAuthCdName);
This is what should get passed back into the DataFlex in the web property wpsAuthCode - check that it is (in the DataFlex debugger).

If you get that far, get back to me here.

Mike