Check user "status" and "groups" belongig, and step-up if required.

Hello,I have this main need :
I would like to check each time a user open a link/page, to check if he is allowed to do so and if not, depending of a parameter, trigger a re-authentication.
I think I can achieve this thanks to the auto-actions regarding the trigger before accessing the page .
Now, I have my authentication method which is a javascript providing me at the end a JWT token.
I already did some test using the auto action " add to user group" , grabbing user groups provided as parameter in the JWT.
I tried to create a schema to summarize :
https://ibb.co/34pMzMP Schema
What do you recommand now, to have a proper and clean solution to mix these 3 things ?
Should I create a module and a plugin ( like here ? : docs.joomla.org/J3.x:Creating_an_Authentication_Plugin_for_Joomla/en ) only ?
Thanks for your advises and insights

I don't understand why you need to do this. Access permissions are always checked on access attempt. For example set a Joomla menu item to Author access while logged in as a Registered user. Now click the menu item and it will error you don't have access and they will no longer be able to see that menu item next time menu is output.

I need to check each time the user belonging to groups.
I have another "system" which change usergroups based on time / action etc....
ex scenario
john login -> he is assigned group level 5
after 5 sec , he tries to go to a page with required level 5 -> ok
user read the page , then goes somewhere else ...
the "automated system after 1 min" changes john to level 4.
John comes back to the page where level 5 is required.
-> a "step up" is required , so the authentication is trigered again for a level 5.
if ok, ...etc....
make sense?

Access is already checked dynamically like that. My guess is when you're assigning usergroups you are not doing so correctly with Joomla API which should update the appropriate session cache. If you assign usergroups with direct database queries the session cache won't be updated so Joomla won't see the usergroup change until next login or possibly just until next page load. CB Auto Actions can be used to safely assign new usergroups, but it has nothing to do with your access check needs nor should it be necessary for those.

My idea is indeed to use auto action . let me rephrase as it seems that I'm not clear. Let's go first with a basic scenario and then , we will add specific ones.
my user is john. he is a standard user , "registered". he authenticates and is now logged in
john can to any page allowed to registered.
Now, he tries to access to a page only allowed to "supergroup1".
What I would like is to trigger an authentication ( again ) , in order to get through this authentication the "assignement" to an additional group, which is "supergroup1". ( I'm putting aside here for now all the stuff regarding the authentication and how to get the group list )
as a global background, I get the info through a JWT token
am I more clear now ?
Thanks !

You want to assign a new usergroup when they fail to access a menu item that requires said new usergroup? If there's a Joomla event for that sure otherwise that's outside of CB so is not in CBs control. CB Auto Actions can act on Joomla events by prefixing them with joomla_ when configuring the triggers for an auto action so as long as Joomla has an event for that then sure it's probably doable.