...
* If necessary, integration with an OAuth Token Broker could be done through the authorization API -- the AuthZ api could, eg., perform a Grouper check to determine if a particular operation should be allowed, returning acceptance if Grouper returns acceptance, but performing a secondary check with the Token Broker for a user-to-user explicit access grant if a token is presented and Grouper denies the operation.
—Rob—