Extra security on claim REST API

Hi all,
We noticed that even if for a user task we put CandidateGroup='Role1', the /claim REST API returns success if called with a user 'abc' that does not exist, or that exists but is not part of the group 'Role1'. We would like to add extra verification when claiming, to check that the user exists and, if candidateGroups are specified for the task, that the user belongs to at least one of those groups. Can this be achieved using a taskListener for the assignment event? Or how would this be implemented properly?

We are not exposing the Process Engine outside our network and another backend application (exposed to the Internet) calls Camunda REST API. I think another alternative would be to implement this check in this backend application before sending the claim request to Camunda REST API.

Please advise.

Best regards,
Paul Palacean
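
The check described in the post, sketched as it could run in the backend application before it forwards a claim (an added example, not part of the original post and not Camunda's own code). The function names, the record shape with `type`, `groupId` and `userId` fields, and the sample users and groups are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClaimDecision:
    allowed: bool
    reason: str


def candidate_groups(identity_links):
    """Group ids attached to the task as candidates (assumed record shape)."""
    return {
        link["groupId"]
        for link in identity_links
        if link.get("type") == "candidate" and link.get("groupId")
    }


def authorize_claim(user_id, known_users, memberships, identity_links):
    """Decide whether user_id may claim a task; denies on any doubt."""
    if not user_id or user_id not in known_users:
        return ClaimDecision(False, "unknown user")
    required = candidate_groups(identity_links)
    if not required:
        # No candidate groups on the task: only the existence check applies.
        return ClaimDecision(True, "no candidate groups specified")
    matched = required & set(memberships.get(user_id, ()))
    if not matched:
        return ClaimDecision(False, "user is in none of the candidate groups")
    return ClaimDecision(True, "member of " + ", ".join(sorted(matched)))


# Constructed sample data, not taken from a real engine.
KNOWN_USERS = {"alice", "bob"}
MEMBERSHIPS = {"alice": {"Role1"}, "bob": {"Role2"}}
TASK_LINKS = [
    {"type": "candidate", "groupId": "Role1", "userId": None},
    {"type": "assignee", "groupId": None, "userId": "carol"},
]

if __name__ == "__main__":
    for uid in ("abc", "bob", "alice"):
        print(uid, authorize_claim(uid, KNOWN_USERS, MEMBERSHIPS, TASK_LINKS))
```

The backend would forward the claim only when `allowed` is true, taking the user id from its own authenticated session rather than from the request body.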