@Ron Osmo: The next section will cover writing policy handlers. Hopefully it will address your questions, but yes, it's basically code that returns Succeed, or nothing, or Fail. The video will make it clearer.
If you need something more configurable, wait for RC2, when you can write your own policy provider: you get the policy name and return a policy configured as you want, so that would support client configuration.
As for claims and third-party auth, it depends on the third party. The vast majority will, but you're dipping into authentication at this point. Facebook has a concept of scopes, but once you have logged in you get an access token back which you can use to walk their Graph API to get more details. Of course the user can simply refuse to grant you those permissions; they are in control. Google and Azure AD act in much the same way. If you had an identity service provider which firefighters logged in through, it may in turn give you their certifications and roles as claims.
As for mobile apps, well, not really. How it tends to work is the mobile app does an authentication dance and then gets a bearer token, which you send with every request. Or the mobile app goes through your web site, which then prompts the OAuth dance; your web site gets the tokens and identity back, and then your web site gives your mobile app an identity token, which you marry up on the back end to the identity returned from the OAuth login.
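The three things the reply touches on, a handler that returns Succeed or nothing, a policy provider that builds a policy from its name, and a certification arriving as a claim from an identity provider, fit together in one small piece of code. The following is an added example, not code from the comment author or from the series it belongs to. It is written against the released `Microsoft.AspNetCore.Authorization` API (`HandleRequirementAsync`, `DefaultAuthorizationPolicyProvider`), whose member names differ slightly from the RC-era builds the comment refers to. The claim type `certification`, the policy-name prefix `Certification:` and the class names `CertificationRequirement`, `CertificationHandler` and `CertificationPolicyProvider` are all assumptions made for the illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

// Hypothetical requirement: the caller must hold a claim of type "certification"
// whose value names the certification the endpoint needs. The claim itself is
// assumed to arrive from the identity provider the user logged in through.
public class CertificationRequirement : IAuthorizationRequirement
{
    public string Certification { get; }

    public CertificationRequirement(string certification)
    {
        Certification = certification;
    }
}

// The handler: call Succeed when the claim is present, otherwise return without
// doing anything so another handler for the same requirement can still satisfy it.
// context.Fail() is reserved for a hard veto, because a Fail cannot be undone by a
// later handler succeeding.
public class CertificationHandler : AuthorizationHandler<CertificationRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, CertificationRequirement requirement)
    {
        if (context.User.HasClaim("certification", requirement.Certification))
        {
            context.Succeed(requirement);
        }
        // No else branch: leaving the requirement neither succeeded nor failed means
        // the policy fails unless some other handler marks it as met.
        return Task.CompletedTask;
    }
}

// The provider: receives the policy name and returns a policy built on the fly,
// so "Certification:HazMat" works without being registered ahead of time.
// Names without the assumed prefix fall through to the default provider, which
// serves the policies configured in AuthorizationOptions.
public class CertificationPolicyProvider : DefaultAuthorizationPolicyProvider
{
    private const string Prefix = "Certification:";

    public CertificationPolicyProvider(IOptions<AuthorizationOptions> options)
        : base(options)
    {
    }

    public override async Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        if (policyName.StartsWith(Prefix, StringComparison.Ordinal))
        {
            var certification = policyName.Substring(Prefix.Length);
            return new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .AddRequirements(new CertificationRequirement(certification))
                .Build();
        }

        return await base.GetPolicyAsync(policyName);
    }
}

// Registration (in ConfigureServices or on the host builder's Services):
//   services.AddAuthorization();
//   services.AddSingleton<IAuthorizationHandler, CertificationHandler>();
//   services.AddSingleton<IAuthorizationPolicyProvider, CertificationPolicyProvider>();
//
// Usage on a controller, action or endpoint:
//   [Authorize(Policy = "Certification:HazMat")]
```

The check worth noting is in the handler: it only ever calls `Succeed`. Returning without a verdict is what lets several handlers cooperate on one requirement, whereas a `Fail` from any handler sinks the whole policy, so it should be reserved for conditions that must never be overridden.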