My answer assumes you are using Discourse as your identity provider (with its login/signup UIs), and wants to keep it that way.
On the Discourse side, enabling it is as simple as
However, you mentioned you’re building a plugin.
If you build “a path on the server” in a new controller action in a Discourse plugin, you can get the user from the session, call 3rd parties and return the JWT to your client.