I think I'd like to get your thoughts on the end goal, and user facing functionality. What do you envision the end result to be? How will developers use it? Please include client side interactions as well.
Ideally, as a use-case. I'd like to have a demo similar to what I posted about AeroGear-7 New more advanced example called Denizen added to aerogear git where we can add in this security work to enable secure services, and pages.
I'd like the ability to have the application define its own users, and groups, and tie that in with the OAuth ideas above. Basically this would be a self contained user/group CRUD demo that would be a perfect platform to show the security features.