user claims != oauth2 scopes
If user claims are sufficient, then this could be a good strategy.
In order to troubleshoot, you'll have to include the log information from oxauth and ldap as to what happens. Also, make sure you read the [Ubuntu howto on mod_auth_openidc](https://gluu.org/docs/integrate/ubuntu-installation/) or [CentOS howto on mod_auth_openidc](https://gluu.org/docs/integrate/centos-installation/).