Most APIs built with light-4j or protected by http-sidecar or light-gateway deal with two types of OAuth 2.0 tokens: Client Credentials or Authorization Code.
To verify the client credentials token, the JwtVerifyHandler should be enough to verify the token signature, expiration and endpoint scope against the specification.
However, when we deal with the authorization code token, we might need to do a little bit more than the normal JWT token verification as the authorization code token contains the user-related claims, for example, userId, roles, AD groups etc.
To enforce the authorization at the role level or user level, we need to leverage the fine-grained authorization AccessControlHandler in light-rest-4j.
Here is a tutorial that shows how to use the AccessControlHandler and Rule Engine to authorize user access based on the Action Directory groups in the JWT token claims.