How to authenticate to an API using an external identity provider?

I have the following setup on the same machine:

• WSO2-AM
• WSO2-IM-KM (Identity manager as key manager)

The identity manager federates authentication to an external OpenID identity provider.

What I've done so far:

• Share the databases between the two components
• Make WSO2-AM delegate the authentication to WSO2-IM-KM
• Configure the external provider to the generated service provider (generated in WSO2-IM-KM when creating an application in WSO2-AM store)

The current behavior:

• I can obtain an authorization code by calling the following URL : https://my.site:9444/oauth2/authorize?response_type=code&client_id=pkYcC4xFQ1jt6dQbdZAe6savv4oa&scope=phone+email+address+openid+profile&redirect_uri=https://my.site:9443/store/jagg/jaggery_oidc_acs.jag&nonce=3734e7d4c22f1&state=128d20e14c884, the authentication succeeds, then the jaggery_oidc_acs.jag endpoint fails
• Since the jaggery_oidc_acs.jag endpoint fails, I manually retrieve the code then POST it to https://my.site:8243/token which returns me an access_token, a refresh_token, and an id_token

My problems :

• How am I supposed to automate the manual step I described before? Am I in charge of creating a dedicated endpoint to do it, in order to keep the authorization_code obfuscated from the client, or is there a built-in endpoint in WSO2? If appropriate, what is this endpoint?
• Is there an endpoint that generates the oauth2/authorize URL?

After further research:

I have found the following document https://docs.wso2.com/display/IS540/Authorization+Code+Grant that seems to indicate that I need a "client", but I don't have one, I just need my API to be authenticated with the external identity provider.