We do something similar, except we use an existing OAuth flow and simply add custom attributes to the authorization token. That authorization token is then sent along with requests to various services, and these attributes are picked out and then used to apply policies or output filtering as appropriate.
As a suggestion, I would look to name the properties of your current token in such a way that they could be compatible with the embedded case.
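The pattern described in the reply above, sketched as an added example that is not the poster's code: a service verifies the token, reads the custom attributes, and uses them for a policy decision and for output filtering. The HS256 shared key, the `https://example.com/claims/` namespace, the `tenant` and `role` attribute names and the `VISIBLE` table are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"    # assumption: shared HS256 key, for the demo only
NS = "https://example.com/claims/"  # hypothetical namespace keeping custom names collision-free
VISIBLE = {"support": {"id", "status"}, "billing": {"id", "status", "invoice_total"}}  # constructed

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(sub, attrs, ttl=300, now=None):
    """Stand-in for the authorization server: standard claims plus custom attributes."""
    now = int(time.time()) if now is None else now
    claims = {"sub": sub, "iat": now, "exp": now + ttl}
    claims.update({NS + k: v for k, v in attrs.items()})
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify(token, now=None):
    """Service side: check signature, algorithm and expiry before trusting any attribute."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        if json.loads(b64d(head)).get("alg") != "HS256":
            return None
        claims = json.loads(b64d(body))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: treat exactly like a bad signature

def handle(token, record, now=None):
    """Return (status, body) for a request that reads one record."""
    claims = verify(token, now)
    if claims is None:
        return 401, None
    if claims.get(NS + "tenant") != record["tenant"]:      # policy decision from an attribute
        return 403, None
    allowed = VISIBLE.get(claims.get(NS + "role"), set())  # unknown role sees no fields
    return 200, {k: v for k, v in record.items() if k in allowed}  # output filtering
```

Attributes are read only after `verify` succeeds, and an unrecognised role falls through to an empty field set rather than to a default view.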