To generate access (bearer) tokens from our external providers' APIs and use them in our local web applications.
Access tokens are short-lived, so even if you return an access token from the external OAuth AS during authentication (which you could probably achieve in the passport-js person authentication interception script), you may need the refresh token to get a new access token when you call the API. So the login process by itself is not going to solve your requirement.
The Gluu introspection interception script might help--this gets called when the client requests an access token (i.e. it is called before the token is minted). However, as a backchannel stateless call, how would you determine which refresh token to use to get an access token from the backend OAuth AS? It's possible if you can send session info in the request, but it's tricky.
Net-net, I would try to configure your internal web applications to accept the access tokens from the Gluu Server. This will give you the most flexibility.
I'm closing this ticket because it's a little outside the scope of community support. But feel free to comment further here.