As mentioned in the OAuth2 documentation, the OAuth2 standard can be extended with custom grant types. One reason for such a custom extension could be, for example, implementing a new grant type for multi-factor authentication. Currently the api-tools-oauth2 package is not extensible for that case.
The Controller\AuthController class, for example, implements private functions, which make it impossible to extend the controller. Getting the OAuth2 Server instance should be protected at least, so that new controller actions for challenges, etc. can be implemented. Another big issue was replacing the OAuth2 server factory, for example the Factory\NamedOAuth2ServerFactory from the api-tools-mvc-auth package. These factories implement the standard OAuth2 grant types. Any other grant type that was defined in the config is ignored. I think all this could be made much more dynamic and less static.
Currently I don't see the reason why private methods are used. Is there a particular reason for that? Why are the server factories limited to the standard OAuth2 grant types and ignore the config?
Before opening an issue on GitHub I wanted to ask for your opinion on this topic.
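As an added example of what a config-driven server factory could look like (this is not code from api-tools-oauth2 or api-tools-mvc-auth, and not the poster's code), the following factory builds the same `OAuth2\Server` from bshaffer/oauth2-server-php that the package uses, registers the standard grant types, and then registers every additional grant type listed in config. The config key `api-tools-oauth2-custom`, the class name `ConfigurableOAuth2ServerFactory`, the `App\OAuth2\GrantType\MfaGrant` class mentioned in the comments, and the convention that a custom grant class takes the storage object as its only constructor argument are all assumptions made for this example.

```php
<?php
// Added example, not project code: a container factory that builds an
// OAuth2\Server with the standard grants and then adds grant types declared
// in config, instead of ignoring them as the stock factory does.
// Assumed config layout (hypothetical key, chosen for this example):
//   'api-tools-oauth2-custom' => [
//       'db'          => ['dsn' => 'mysql:dbname=oauth2;host=localhost', 'username' => 'u', 'password' => 'p'],
//       'grant_types' => [\App\OAuth2\GrantType\MfaGrant::class],  // service name or class name
//   ]

declare(strict_types=1);

namespace App\OAuth2\Factory;

use OAuth2\GrantType\AuthorizationCode;
use OAuth2\GrantType\ClientCredentials;
use OAuth2\GrantType\GrantTypeInterface;
use OAuth2\GrantType\RefreshToken;
use OAuth2\GrantType\UserCredentials;
use OAuth2\Server;
use OAuth2\Storage\Pdo;
use Psr\Container\ContainerInterface;

final class ConfigurableOAuth2ServerFactory
{
    /** Identifiers wired by the standard grants below; a custom grant must not shadow them. */
    private const RESERVED_IDENTIFIERS = ['client_credentials', 'authorization_code', 'password', 'refresh_token'];

    public function __invoke(ContainerInterface $container): Server
    {
        $config  = $container->get('config');
        $options = $config['api-tools-oauth2-custom'] ?? [];   // hypothetical key, see above

        // One PDO storage shared by all grant types.
        $storage = new Pdo([
            'dsn'      => $options['db']['dsn'],
            'username' => $options['db']['username'] ?? null,
            'password' => $options['db']['password'] ?? null,
        ]);

        $server = new Server($storage, [
            'enforce_state'   => true,
            'allow_implicit'  => $options['allow_implicit'] ?? false,
            'access_lifetime' => $options['access_lifetime'] ?? 3600,
        ]);

        // Standard OAuth2 grant types, as the stock factory provides them.
        $server->addGrantType(new ClientCredentials($storage));
        $server->addGrantType(new AuthorizationCode($storage));
        $server->addGrantType(new UserCredentials($storage));
        $server->addGrantType(new RefreshToken($storage, ['always_issue_new_refresh_token' => true]));

        // The missing piece: grant types declared in config. Each entry is resolved
        // from the container if it is a registered service, otherwise instantiated
        // directly (assumption: the class takes the storage as its only argument).
        $seen = [];
        foreach ($options['grant_types'] ?? [] as $serviceOrClass) {
            $grant = $container->has($serviceOrClass)
                ? $container->get($serviceOrClass)
                : new $serviceOrClass($storage);

            if (! $grant instanceof GrantTypeInterface) {
                throw new \RuntimeException(sprintf(
                    'Configured grant type "%s" must implement %s',
                    $serviceOrClass,
                    GrantTypeInterface::class
                ));
            }

            // addGrantType() silently overwrites an entry with the same identifier,
            // so refuse identifiers that would replace a standard grant or another
            // configured one rather than letting the replacement go unnoticed.
            $identifier = $grant->getQueryStringIdentifier();
            if (in_array($identifier, self::RESERVED_IDENTIFIERS, true) || isset($seen[$identifier])) {
                throw new \RuntimeException(sprintf(
                    'Grant type identifier "%s" (from %s) is already registered',
                    $identifier,
                    $serviceOrClass
                ));
            }
            $seen[$identifier] = true;

            $server->addGrantType($grant);
        }

        return $server;
    }
}
```

A custom grant such as the hypothetical `MfaGrant` would implement `OAuth2\GrantType\GrantTypeInterface` (`getQueryStringIdentifier()`, `validateRequest()`, `getClientId()`, `getUserId()`, `getScope()`, `createAccessToken()`), which is also the interface the standard grants implement; the factory only needs the identifier to detect collisions, so it treats all grants uniformly.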