I actually implemented something similar today. It is much simpler than I thought. We needed to allow authentication with restapi and check provided credentials against content in Plone.
The @login endpoint of plone.restapi asks all PAS plugins (IAuthenticationPlugin) if the provided login and password are ok. Our custom PAS plugin (PortKnoxAuthenticationPlugin) does that check in authenticateCredentials and if the check succeeds it returns (login, login). With this info PAS auto-creates a Plone user instance and returns it to the @login endpoint of plone.restapi.
The endpoint then delegates creation of a token to its own PAS plugin, JWTAuthenticationPlugin, which also stores the token.
The next request can then use that token and you become the same Plone user as long as the token is valid. Our own plugin is then only used for listing and finding users (enumerateUsers), which is used surprisingly often (e.g. in api.user.get_roles()).
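To show the two PAS contracts the post relies on (authenticateCredentials returning (login, login) and enumerateUsers), here is an added example; it is not the PortKnox plugin or plone.restapi code. It assumes a plain-Python stand-in instead of a BasePlugin subclass, a constructed in-memory credential store, and a small loop that mimics PAS asking plugins in turn.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store (login -> salt, hash); a real plugin would
# look the credentials up in Plone content instead.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

class PortKnoxLikeAuthPlugin:
    """Plain-Python stand-in (runs without Zope) for a PAS plugin; a real one
    subclasses BasePlugin and declares the two interfaces named below."""

    id = "portknox_like"  # PAS plugin id, reported by enumerateUsers

    # IAuthenticationPlugin: (user_id, login) on success, None on any failure;
    # never raise, never reveal whether the login exists.
    def authenticateCredentials(self, credentials):
        login = credentials.get("login")
        password = credentials.get("password")
        if not login or password is None:
            return None
        record = USERS.get(login)
        if record is None:
            _hash(password, _SALT)  # burn a hash so timing does not leak existence
            return None
        salt, expected = record
        if not hmac.compare_digest(_hash(password, salt), expected):
            return None
        return (login, login)  # PAS builds the Plone user from this pair

    # IUserEnumerationPlugin: mappings carrying id, login and pluginid.
    def enumerateUsers(self, id=None, login=None, exact_match=False, **kw):
        wanted = id or login
        found = []
        for known in USERS:
            if wanted is None or (known == wanted if exact_match else wanted in known):
                found.append({"id": known, "login": known, "pluginid": self.id})
        return found

def first_successful(plugins, credentials):
    """Mimic PAS asking each authentication plugin in turn, as @login does."""
    for plugin in plugins:
        result = plugin.authenticateCredentials(credentials)
        if result:
            return result
    return None
```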