I think if you just follow “Use Discourse as an identity provider (SSO, DiscourseConnect)” or “Setup DiscourseConnect - Official Single-Sign-On for Discourse (sso)” then everything is encrypted between the server and client.
If you don’t want Discourse to know the actual email addresses, things will be harder.