Introduction

The intent of demo mode is to set up OA4MP as a minimal but usable system for evaluation. This is done by setting the service tag attribute demoModeEnabled to true. You will need to make sure that Tomcat is set up correctly for this.

What does this do?

Normally OA4MP needs to have some authorization mechanism, such as replacing the authorize endpoint completely (e.g. CILogon) or perhaps enabling Tomcat's native logins to operate. Many organizations as of this writing have been using X509 certificates for years and are interested in migrating to JWT signed tokens, which OA4MP handles with aplomb. But this is potentially a very large structural change to an organization and needs to be evaluated and tested.

The problem for a quick demo then is finding all the users (and there may be many, many in an organization) that want to test this. Signing them up may be a daunting task. Enabling demo mode, however, allows an admin to set policies for the tokens and lets users use both authorization code flow and device code flow. The user will be prompted for a username and password, but the password is ignored and the only purpose of the username is to set the subject for any tokens issued.

The effect of configuring this (as described below) is that the standard authorization code flow works as expected, and the device code flow does too, except that the user must go to the webpage and type in the user code (rather than use the link that has it embedded).

Again, it should be stressed that this demo mode is not for production, but mostly to let administrators easily set up a system and have many testers use it to see how information flows in it. For production, the options are then to either enable Tomcat's authorization or simply replace OA4MP's entire authorization module, either with your own or with the CILogon proxy.

Tomcat configuration

Tomcat is configured as if this were a standalone OA4MP install, but without configuring the remote user machinery. You need to comment out any password protection for the web pages and instead simply require SSL transport, as follows:


    <!-- No auth-constraint: the pages require no login, only SSL transport (CONFIDENTIAL). -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>portalSecurity</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Server configuration

The demoModeEnabled attribute in the server tag must be set to true.
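
A quick way to check a deployment against the two settings above. This is an added example, not part of OA4MP or its documentation. The sample documents are constructed: the web.xml wraps the constraint shown above in a minimal web-app element, and in the server configuration only the demoModeEnabled attribute is taken from this page (the surrounding layout is assumed).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's constraint wrapped in a minimal <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>portalSecurity</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
# Constructed sample: only the demoModeEnabled attribute comes from the page.
SERVER_CFG = '<config><service name="demo" demoModeEnabled="true"/></config>'

def named(elem, name):
    """Descendants called `name`, ignoring any XML namespace prefix."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def texts(elem, name):
    return [(e.text or "").strip() for e in named(elem, name)]

def audit(web_xml, server_cfg):
    """Return a list of findings for a demo-mode deployment."""
    findings = []
    demo = any(e.get("demoModeEnabled", "").lower() == "true"
               for e in ET.fromstring(server_cfg).iter())
    if demo:
        findings.append("demo mode on: passwords are ignored, evaluation only")
    constraints = named(ET.fromstring(web_xml), "security-constraint")
    if not constraints:
        findings.append("no security-constraint: TLS is not enforced")
    for sc in constraints:
        pats = ",".join(texts(sc, "url-pattern"))
        if texts(sc, "transport-guarantee") != ["CONFIDENTIAL"]:
            findings.append(f"{pats}: transport-guarantee is not CONFIDENTIAL")
        if demo and named(sc, "auth-constraint"):
            findings.append(f"{pats}: auth-constraint still active in demo mode")
        methods = texts(sc, "http-method")
        if methods:  # listing methods leaves all other methods unconstrained
            findings.append(f"{pats}: applies only to {'/'.join(methods)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEB_XML, SERVER_CFG)))
```

The last finding reflects standard servlet behaviour: a constraint that lists http-method elements applies only to those methods, so requests using other methods are not covered by the transport guarantee.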