Whose JWT token does Strapi return

@o_l

Sorry so late.

I wrote a hook into the users and permissions provider process: a function that is called just after the provider hands access token details back to the plugin.

It grabs this, the user's email and username registered with the provider, and stores it in an extended version of the user collection in Strapi.

It works very well because I can now query the user and get all the info necessary to carry out provider-specific operations.

I then create my own JWT token that contains the username and some other info like the user's cart (I'm making an ecommerce app).

The payload is AES encrypted and then stored in the user's browser as an HTTP-only cookie.

To retrieve the data in this cookie, the frontend calls a modified /users/me that first verifies that the token is valid against what is stored in my strapi db, before sending the decrypted data to the frontend app.

This is probably (definitely) overkill, especially because I'm not exposing the user's provider access token details to the frontend and because I'm using HTTP-only cookies, but I wanted to test that this could work as a POC.