The "Configure OAuth2" wizard displays a list of available realms to create the OAuth2 provider.
However, if the chosen realm is not the top-level realm, the wizard should at least not automatically create the URL policy (needed to access the /openam/oauth2/authorize?* endpoint) in the top-level realm without notice, or without making sure the administrator knows the implications and what he should do next.
Of course, other actions could be considered in such a case. For example:
- do nothing and just warn the administrator or refer him to the online documentation
- automatically create both a referral policy and a subrealm URL policy
BTW, this is a concern for people who use the GUI only, for example in PoCs: automated installations/configurations with configurator.jar/ssoadm should do the right thing by themselves.