Thanks Chris, let me clarify please. There's no need to know the customer passwords :) We basically just need a customer login API.
Our app would POST to this API with customer email and password in clear, and the API would say either
1. valid, here's the customer id
2. invalid
The customer API already allows creating customer accounts with passwords (i.e. people signing up in 3rd party apps). Just the login is missing to make the story complete.