Let's say the ADF web app is protected by IAM, a user logins through external custom interface, then redirected back to the ADF home. How does ADF in this case authenticate against ECM/BPM REST API without using username and password?
JS-API uses basic auth to get the tokens for ACS and APS, and then uses tokens for subsequent calls. If you use external interface you still need a token to talk to ACS and APS. Both "ecmAuth" and "bpmAuth" from JS-API feature a method called "setTicket" that allows assigning a ticket from the outside: alfresco-js-api/ecmAuth.js at master · Alfresco/alfresco-js-api · GitHub
Hope that helps.
JS-API just triggers public APS/ACS api, you can refer to the following links for more details on the api: