52.7 Enforcing Access Control

Typically, an OAuth Services client application makes REST calls to services deployed on remote servers. Each such call carries an access token that must be validated before the call is allowed to proceed. Enforcing access control is accomplished by sending a previously obtained access token to a resource server defined in OAuth Services.

Exceptions to this are the native User Profile and Consent Management Services that are enforced by OAuth Services. The options for validation within the Oracle stack are Oracle API Gateway (OAG) and Oracle Web Services Manager. (An OAG filter validates the Oracle Access Management OAuth Services token before allowing access to the resource.) Custom code can also be written to provide access control.

Note:

WebGates do not support validating access tokens.
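As an added illustration of the custom-code option (this is not Oracle's code; the `introspect` lookup and the sample tokens are constructed stand-ins for the validation call a resource server would make to OAuth Services), the following shows the fail-closed check a resource server runs before a REST call is allowed to proceed:

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample data: a stand-in for the OAuth Services validation
# result (assumption). Maps a presented token to its validation outcome.
NOW = 1_700_000_000
ISSUED_TOKENS: Dict[str, dict] = {
    "tok-valid":   {"active": True,  "exp": NOW + 600, "scope": "profile.read"},
    "tok-expired": {"active": True,  "exp": NOW - 1,   "scope": "profile.read"},
    "tok-revoked": {"active": False, "exp": NOW + 600, "scope": "profile.read"},
}

def introspect(token: str) -> Optional[dict]:
    """Stand-in validator (hypothetical): claims for a known token, else None."""
    return ISSUED_TOKENS.get(token)

@dataclass
class Decision:
    allowed: bool
    status: int      # HTTP status the resource server would answer with
    reason: str

def enforce(headers: Dict[str, str], required_scope: str,
            validator: Callable[[str], Optional[dict]] = introspect,
            now: int = NOW) -> Decision:
    """Fail-closed access check: every path that is not a verified, unexpired
    token with the required scope ends in a refusal."""
    # HTTP header names are case-insensitive, so match without regard to case.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return Decision(False, 401, "missing or malformed bearer token")
    claims = validator(token)
    if claims is None or not claims.get("active", False):
        return Decision(False, 401, "token unknown or revoked")
    if claims.get("exp", 0) <= now:
        return Decision(False, 401, "token expired")
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        return Decision(False, 403, "insufficient scope")
    return Decision(True, 200, "ok")
```

The validator callback is where a deployment would plug in its OAG, OWSM or custom validation of the OAuth Services token; the decision logic around it does not change.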