Server REST endpoints already support OAuth2-based authorization. In addition, OPENDJ-7858 is a proposal to support SASL-OAuth2 over LDAP. In both cases DS acts as an OAuth2 resource server and is responsible for validating OAuth2 bearer tokens, for which it uses an external OAuth2 authorization server's token introspection endpoint. Token introspection adds latency through extra network round-trips, adds complexity because responses must be cached and the introspection endpoint must be available, and usually isn't necessary for OAuth2 JWT tokens.
This issue can be closed once DS supports local validation of OAuth2 JWT bearer tokens. The validation mechanism should not need to contact an external authorization service. Instead, it should decrypt and verify the JWT using any secrets shared with the authorization service. It is assumed that the required secrets will have been distributed and made available via commons secrets. In other words, completion of this issue requires integration with commons secrets.