...
Option number 3 was chosen as it seems to have the fewest drawbacks while satisfying the requirements.
A small spike with some proof-of-concept code was done in the Auth and Reference Data Services to see how it could be implemented for different scenarios. (This code can be found in the feature/OLMIS-1456-service-level-rights branches of the two repositories.) It was found that the main OAuth client credentials used to generate access tokens could be used to generate only service-level access tokens once the password grant_type is removed. Then, an additional OAuth client with its own credentials was created to generate user-based access tokens.
...