Angular

How to understand where authentication takes place in a solution from several asp web api + angularjs projects?

I recently started maintaining a large web project that was not written by me.
The project consists of several subprojects, each of which runs on its own server: AuthApi, WebApi, Web, Reports - see the screenshot below. All projects are web api 2 and Web is mvc application which returns angularjs spa.

I can't figure out how authentication works.
Searching the project did not find any references to AuthApi within the WebApi project, however, only authenticated requests are allowed. Moreover, authentication is required when requesting the Web, and when requesting WebApi controllers. In WebApi, I also did not find any mention of AuthApi. However, it somehow works...
AuthApi uses OAuthAuthorization and ApplicationUserProvider, after setting breakpoints there and debugging, I was able to figure out how it works. But the methods that looked are called only when the user logs in. When the page is refreshed, everything works somewhere inside, I assume that all the information is saved in the session and gets it automatically.
Another weird thing is that each of WebApi and AuthApi does the app.UseOAuthBearerAuthentication setting. Moreover, in AuthApi it is many times more sophisticated.
A bug forced me to go deeper, during the solution of which it turned out that inside the WebApi controllers - ICurrentUser.User == null . I have a hunch that this is due to the fact that CurrentUser only exists within AuthApi
I want to somehow find where authentication is checked, and see where CurrentUser comes from. And then try, if necessary, somehow using autofac in WebApi to set up receiving ICurrentUser from the AuthApi context.
PS. Knowledge is sorely lacking; very, very much different material on this topic, which I have already read, became clearer in my head, but the problem has not yet been solved. Perhaps any piece of information will help you find which way to dig.