I am trying to set up the OAuth 2.0 flow for server-to-server communication. I am able to do the steps outlined here https://medium.com/tech-learnings/how-to-manage-the-protected-aem-resources-through-oauth-2-0-851ce4... up until the point of getting the token back from AEM. Using the token on the next request always gives a 404 response.
I have tested the manual flow to authorize the user and the JWT method as well, with the same results. The user is part of the administrators group (just while I'm testing), so permissions are good, and the scope has all permissions for /content/dam.
Update on this: I can see the registered client correctly on AEM. I can also see the tokens granted, with the custom scope I created, containing jcr:all permissions for /content/dam. When I try to access anything in the JCR, the response is 404, and when I try servlets, the response is correct.
To me, this points to ACLs being the problem with the Resource Resolver, but the user has access to those paths and the scope does too.
I found out what the problem was. All of the setup was correct except one thing briefly mentioned in the article. All privileges are applied through the system user: oauthservice.
This user is in charge of applying the privileges for the custom scopes. I set permissions for /content/dam for that user and everything else worked.