You need to roll your own authorization, authentication is provided by the third party provider. Of course you need to check and verify that users authenticated correctly against the third party provider. I don’t have to tell you this as you do this for a living, but saving having to implement half of the oauth flow is a good thing, right?