Using ASP.NET ID via WEB API for Local Login

I want to use an ASP.NET ID for a project that is configured using MVC5 in the front with a physically separated Business Logic server. The BL server is the only one that has direct access to the database server.

To fix this, I thought I could go one of two ways:

• Use an ASP.NET identity from the front end, but use a custom IUser * Store to make calls to the web API instead of directly accessing the database. The web API will run on the BL server and implement data access (EF).
• Use ASP.NET ID from BL via WEB API, but it serves DTOs (really, only the models to be passed to views). The MVC layer will just call the Web API with the data from the ViewModels, and then the Web API will return the models to be passed to the views (the MVC layer really just becomes pass-through). I can use a DTO which is slightly different from the ViewModel, then just create an MVC layer of the ViewModel but it won't change the general point.

I thought maybe the first option was cleaner, but how can I use claims authorization for this web API? I want to be able to pass some token to him? Who is generating it and how can I get the web API to work with it (i.e. pull the access_token from the header and create a ClaimsPrincipal)?

I have a second option: it doesn't have a direct login, it just has token support, so I don't know if I can still manage the login state in the same way or if I should do it this way (I need full access to common user controls such as password change, two-factor, locked accounts, etc.).

Any advice on the right approach would be helpful.