
Overview

I am building a RESTful API application as a mobile/web backend (let's call it MyBackendApp) and I'm looking for a contemporary solution for both Authentication AND Authorization of app users. The primary language for the backend is Java. Looking at other apps, many of them offer several auth methods to the user: using an account external to the app (e.g. Facebook, Google, Yahoo, OpenID etc.) or an internal one (email/password). Something like what Stack Overflow has on its sign-up/sign-in. I have read many sources about OAuth2, and I also used to use Spring Security to implement internal user accounts and session management. But I'm having a hard time putting both methods together.

Requirements

  1. I want the user to be logged in using either of the following methods:
    • with an external (possibly OAuth2) Facebook-like account
    • using email/password
  2. Role-Based Access Control for the API methods. MyBackendApp will have the following roles: app admin, content admin, content user, content creator, developer (for other apps to use the MyBackendApp API)
  3. Like all modern mobile apps, I want the user to stay logged in until expiration or session revocation (if going as described below in "Current implementation thoughts", this can be done with token revocation). And I don't want him to get to the login screen every time he opens MyApp's mobile app

Current implementation thoughts

OAuth2

For simplicity I use the Facebook term here, but assume a more general meaning: authentication with an account external to MyBackendApp from any external provider.
My understanding is that if the user already has an authToken from Facebook (he has already logged in with his Facebook app) stored somewhere on his mobile device, then we just get the authToken (I believe I saw a method in the Android SDK, please correct me if I'm wrong). Otherwise, we need to go through the standard OAuth procedure to receive the authToken from the provider (Facebook).
Now, having the authToken and secret key from the provider, MyBackendApp can retrieve the user's unique ID AND email from the token and:

  • if the uniqueId is already in the MyBackendApp DB, then the user is authenticated and MyBackendApp allows or denies access to the requested REST endpoint, based on the user's (defined by its uniqueId and email) Role.
  • if the uniqueId is not in the MyBackendApp DB, then the user goes through the MyBackendApp registration process, which is similar to the Stack Overflow sign-up. His info gets stored in the DB and the user gets assigned some role

email/password auth

Sign-Up. If the user is not registered, then he goes through the registration process: MyBackendApp stores the email and a hash of the password in the DB. It also assigns a Role (let's say Content Creator)
Sign-In. If the user is registered and wants to log in:

  1. he enters email and password in a client app (WebUI JavaScript/Android/iOS)
  2. the client app (let's call it MyClientApp) computes a hash of the password (please correct me if it's not the right way) and POSTs it along with the email to MyBackendApp over HTTPS. Edit: there is no sense in hashing the password on the client side. Instead, the password will be sent as is over SSL. After that the server (MyBackendApp) will generate a hash and compare it with the stored hash in the DB.
  3. having the email and password, MyBackendApp authenticates the user and issues an authToken (possibly JWT) with the userUniqueId (UUID) and some expiration date.
  4. the authToken is to be sent on every REST API request
  5. Next time MyBackendApp receives a request to one of the REST endpoints, it retrieves the userUniqueId and expirationDate and, based on the Role, allows/disallows the call.

Summary

  1. Does the approach described in the "implementation thoughts" section above make sense? Are there any security threats?
  2. Some posts say that OAuth cannot be used for user authentication, e.g. here, but I didn't get why. And if not, then how to provide user login using Facebook/Google/other accounts?
  3. I definitely don't want to reinvent the wheel, so I'm wondering whether there is any framework which makes this task easier. I believe that Spring Security with its OAuth2 support can help a lot with the implementation of OAuth2. But how does it work for both types of login (OAuth2 + email/password)?
  4. This post suggests Apache Shiro - is it good for the described purposes? Can it be combined with Spring Security OAuth2?
  5. I wrote above that having the authToken and secret key from the provider, MyBackendApp can retrieve the user's unique ID AND email - but is that the case? Do providers include this information in the authToken?
  6. If the user of a mobile device or web browser already has the authToken (e.g. he logged in to the Facebook mobile app OR his desktop browser stored his password) and he has already allowed MyApp in Facebook once - can he open my app already logged in with his Facebook account, skipping the login procedure? How?
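As an added illustration (not code from the question or from any framework it mentions), here are steps 2 to 5 of the email/password sign-in flow plus the role check from requirement 2, in Python with the standard library only: the server hashes the password with a per-user salt, issues an HS256 JWT carrying the UUID, role and expiry, and on each request verifies the signature before trusting any claim. The secret, the role policy and the endpoint names are constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret-load-from-config-in-production"  # constructed, not a real key
ROLE_PERMISSIONS = {  # constructed policy: which role may call which endpoint
    "content_creator": {"GET /content", "POST /content"},
    "content_user": {"GET /content"},
}

def hash_password(password: str, salt: bytes) -> bytes:
    """Step 2 (after the edit): the server, not the client, hashes the password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, role: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Step 3: after a successful password check, issue an HS256 JWT with UUID, role and expiry."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user_id, "role": role, "exp": int(now + ttl_seconds)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Step 5: verify the signature before trusting any claim, then enforce expiry."""
    now = time.time() if now is None else now
    try:  # the header's 'alg' is ignored on purpose: the server always uses HS256 with its own key
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired or missing expiry: the client has to log in again
    return claims

def authorize(token: str, method: str, path: str, now: Optional[float] = None) -> bool:
    """Role-based access control (requirement 2): map the token's role to the allowed endpoints."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    return f"{method} {path}" in ROLE_PERMISSIONS.get(claims.get("role"), set())
```

Token revocation (requirement 3) is not covered here; with self-contained JWTs it needs a server-side denylist or short-lived tokens plus a refresh mechanism in addition to the expiry check above.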