The quickest way would be to use Gluu Gateway. The Gluu Server issues tokens (either UMA or OAuth) that use the scope or other JSON claims to specify permissions granted.
It's the responsibility of the Gateway to enforce access (based on the information in the token).
Also, UMA is used when you need to interact with the user post-authentication. If you have a binary decision to allow access, you can just use OAuth and OPA in the gateway.
See the Gluu blog on Axiomatics for a partial overview. Also, see the Gluu Gateway docs on OpenID.
After that, we can schedule a call to review.
Thu-Fri is a holiday in the US.