If I understand the OAuth2 spec correctly, I should be able to add custom content like a user_id to the OAuth2 access token. The server can then decode the access token and add a User domain object to the SecurityContextHolder.
(Of course I could add the user_id to every REST API method, but this would mean a lot of refactoring.)
Right now, from reading the manual, I think that I need to implement or extend a TokenEnhancer. Since I am using a JavaScript client, maybe I should extend JwtAccessTokenConverter? Am I on the right path here?
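The pattern the question is circling around, written out as an added example for the (now end-of-life) Spring Security OAuth2 `spring-security-oauth2` module; this is not code from the question or from the Spring project. A `TokenEnhancer` adds the `user_id` claim on the authorization server, and a `DefaultAccessTokenConverter` subclass plugged into the `JwtAccessTokenConverter` turns that claim back into the domain object when the resource server verifies the token. `AppUser`, `UserRepository` and the signing-key placeholder are assumptions standing in for the application's own classes and configuration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/** Hypothetical domain object and repository; stand-ins for the application's own. */
class AppUser {
    private final long id;
    private final String username;
    AppUser(long id, String username) { this.id = id; this.username = username; }
    public long getId() { return id; }
    public String getUsername() { return username; }
}
interface UserRepository {
    AppUser findByUsername(String username);
    AppUser findById(long id);
}

/** Authorization server side: copy the authenticated user's id into the token as a custom claim. */
class UserIdTokenEnhancer implements TokenEnhancer {
    private final UserRepository users;
    UserIdTokenEnhancer(UserRepository users) { this.users = users; }

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        if (authentication.isClientOnly()) {
            return accessToken; // client_credentials grant: there is no user to describe
        }
        // The id comes from the authenticated principal, never from a request parameter the client controls.
        AppUser user = users.findByUsername(authentication.getName());
        Map<String, Object> extra = new HashMap<>(accessToken.getAdditionalInformation());
        extra.put("user_id", user.getId());
        DefaultOAuth2AccessToken enhanced = new DefaultOAuth2AccessToken(accessToken);
        enhanced.setAdditionalInformation(extra); // JwtAccessTokenConverter serialises this map into the JWT claims
        return enhanced;
    }
}

/** Resource server side: after the JWT signature has been verified, replace the principal with the domain object. */
class UserAttachingAccessTokenConverter extends DefaultAccessTokenConverter {
    private final UserRepository users;
    UserAttachingAccessTokenConverter(UserRepository users) { this.users = users; }

    @Override
    public OAuth2Authentication extractAuthentication(Map<String, ?> claims) {
        OAuth2Authentication auth = super.extractAuthentication(claims);
        Object userId = claims.get("user_id");
        if (auth.getUserAuthentication() == null || userId == null) {
            return auth; // client-only token or a token issued without the claim
        }
        // JSON numbers may be parsed as Integer or Long; Number covers both.
        AppUser user = users.findById(((Number) userId).longValue());
        // Put the user in the principal (not in details): OAuth2AuthenticationManager overwrites details on every request.
        Authentication userAuth = new UsernamePasswordAuthenticationToken(
                user, "N/A", auth.getUserAuthentication().getAuthorities());
        return new OAuth2Authentication(auth.getOAuth2Request(), userAuth);
    }
}

@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    private final UserRepository users;
    private final AuthenticationManager authenticationManager;
    AuthServerConfig(UserRepository users, AuthenticationManager authenticationManager) {
        this.users = users;
        this.authenticationManager = authenticationManager;
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey("REPLACE-WITH-KEY-FROM-CONFIGURATION"); // placeholder, not a real key
        converter.setAccessTokenConverter(new UserAttachingAccessTokenConverter(users));
        return converter;
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // Order matters: the claim must be added before JwtAccessTokenConverter signs the token.
        TokenEnhancerChain chain = new TokenEnhancerChain();
        chain.setTokenEnhancers(Arrays.asList(new UserIdTokenEnhancer(users), jwtAccessTokenConverter()));
        endpoints.tokenStore(new JwtTokenStore(jwtAccessTokenConverter()))
                 .tokenEnhancer(chain)
                 .authenticationManager(authenticationManager);
    }
}

@RestController
class ProfileController {
    /** No refactoring of method signatures needed: the domain object is already the principal. */
    @GetMapping("/me")
    public AppUser me(@AuthenticationPrincipal AppUser user) {
        return user;
    }
}
```

The same `JwtAccessTokenConverter` bean (with the custom `DefaultAccessTokenConverter` inside it) has to be wired into the resource server's token store, because the `user_id` claim is only trustworthy after the signature check that `JwtAccessTokenConverter` performs on the way in; a resource server that parses the JWT without verifying it would let a client mint its own `user_id`. The user is placed in the principal rather than in `setDetails` because `OAuth2AuthenticationManager` replaces the details object with request metadata on every call. Since the `spring-security-oauth2` project is end-of-life, the equivalent in current Spring Security is an `OAuth2TokenCustomizer<JwtEncodingContext>` in Spring Authorization Server for adding the claim and a `JwtAuthenticationConverter` on the resource server for mapping it back.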