You can create a Claim to define your user type (internal, Facebook, etc.). Then create a custom Authorize attribute to make the authorization decision.
Look at this, this and this link for some background info.
Code sample for a custom Authorize attribute. The HttpActionContext parameter lets you see what controller and action you called. It also lets you inspect the Claims collection for your user. Step through the code for the different login scenarios; you'll have different claims. Then you can decide whether your Controller.Action is authorized for a particular claim value.
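    // Requires: using System.Linq; using System.Security.Claims;
    protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        // Controller and action being invoked
        var actionName = actionContext.ActionDescriptor.ActionName;
        var controllerName = actionContext.ControllerContext.ControllerDescriptor.ControllerName;
        // Claims for the current user; fail closed when there is no ClaimsIdentity
        var identity = actionContext.RequestContext.Principal?.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return false;
        var claims = identity.Claims.ToList();
        // Decide here whether controllerName/actionName is allowed for these claim values
        return base.IsAuthorized(actionContext);
    }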
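A fuller version of the approach described above, as an added example that is not part of the original answer: a Web API 2 attribute that allows an action only for listed user-type claim values and denies everything else. The claim type `user_type`, the attribute name `UserTypeAuthorizeAttribute` and the `ReportsController` are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical attribute: allows an action only when the caller's
// "user_type" claim (assumed claim name) has one of the allowed values.
public sealed class UserTypeAuthorizeAttribute : AuthorizeAttribute
{
    public const string UserTypeClaim = "user_type"; // assumed claim type

    private readonly string[] _allowed;

    public UserTypeAuthorizeAttribute(params string[] allowedUserTypes)
    {
        _allowed = allowedUserTypes ?? new string[0];
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // Keep the base checks (authenticated user, Users/Roles) first.
        if (!base.IsAuthorized(actionContext)) return false;

        var identity = actionContext.RequestContext.Principal?.Identity as ClaimsIdentity;
        if (identity == null) return false; // fail closed: no claims to inspect

        // Exact, case-sensitive match against the values set at sign-in.
        return identity.Claims.Any(c =>
            c.Type == UserTypeClaim && _allowed.Contains(c.Value, StringComparer.Ordinal));
    }
}

// At sign-in, each login path adds its own value, for example:
//   identity.AddClaim(new Claim(UserTypeAuthorizeAttribute.UserTypeClaim, "internal"));

public class ReportsController : ApiController // hypothetical controller
{
    // Users who signed in through any other path get the standard 401 response.
    [UserTypeAuthorize("internal")]
    public IHttpActionResult Get() { return Ok("internal only"); }
}
```

The check is only as trustworthy as the claim: set the user-type value in your own sign-in code for each login path rather than copying it from data supplied by the external provider or the client.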