IMHO, if you have a relatively small number of policies, you can use the Gluu Server as the PDP. For example, you could express your policies in Python using the RPT interception script.
If you have dozens, hundreds, or thousands of policies, there are real advantages to storing policies in some kind of structured syntax, like XML or Rego. Also, keep in mind that Gluu, as the OAuth Authorization Server, mints tokens (handling signing, encryption and introspection of reference tokens). That's an important job in the modern API ecosystem, that has become too complicated for most PDP's.