@strappinandgo, thanks for the info.
I am in the exact situation. can you please elaborate a bit on how did you manage to solve it?
I can see the ctx.state.user… but where and how exactly should I get/store refresh_token /accsess_token of the provider (Microsoft in my case) in order to interact on behalf of the user who grants permissions?