It kind of sounds like what you want to do is implement your own oauth provider?
Much like the diagram here:
It sounds like your custom mechanism would take the place of the “oAuth2 Directory”.
(It might be simpler using DiscourseConnect)
Of course, this all depends on how you’re already implementing authentication for the site…
On the other hand, doing that might be overcomplicating things — we do support staff-only custom fields that might be suitable here.