For external PRCustom authentication a password not required. If you look at the AuthService record on the Custom tab there is a drop down for "Source of Operator Credentials". When that is set to "Use externally stored credentials" and the operator record has "Use external Authentication" set then the operator records password is not checked.
At some point you will have to create the operator record in PRPC. This could be done outside of authentication or during the users first authentication attempt. Your login activity can dynamically create the user record as PRCustom authentication you return a page of Data-Admin-Opertator-ID and the engine layer will either add the record or update the record. You don't even issue a save in the authentication activity.
Part of your authentication will also have to verify if the email address provided has access to the system. You might have secruity setup before PRPC can even be called like Siteminder, WebSEAL etc.
I have something similar I use for testing. I will update this thread later today with some screen shots.