Authentication with Api

We are starting work on a Sitefinity CMS site and are having difficulty in conceptualising how the authentication will hang together.

The site will make extensive use of custom components that will call into our own (still in development) AspNet Web Api. This api currently supports OAuth 2.0 and acts as its own authorisation server – this enables a client to pass a user’s credentials to the api and receive an access token to be used in subsequent api requests. The api provides access to an existing production Sql Server database.

Now that we have started work on the Sitefinity CMS site it’s apparent that a set of users is maintained in the CMS database and the application uses OpenId Connect.

On registration, a CMS user will need to be associated with a user in the existing sql server database.

My questions are:
How can the Sitefinity client authenticate with the api?
How can Sitefinity users be authorised in the api?
There are plans to create mobile applications which will hit the api directly; Sitefintiy users will need to be authenticated in the api. How could this work?

Approaches I’ve considered include writing a custom membership provider to be used in the CMS that will point to a custom database that will hold user information. The api will use this database directly to authenticate.

Alternatively, either the api or the CMS could be the identity server that the other will authenticate against, but I’m not sure how to configure this – there doesn’t appear to be anything in the documentation that caters for this scenario.

Any help anyone can provide would be most welcome.

Thanks.