Accessing GitHub API

Auth0 handles the authentication pipeline differently than Firebase when using external identity providers. Your application always sees Auth0 as the authorization server (the one that issues the access tokens and ID tokens) and, when using other identity providers, Auth0 acts as the client application requesting authentication from the external provider.

So, with GitHub as an example, the access token issued by GitHub is meant to be used by Auth0 itself (to get information about the user), and is not issued directly to your application. We provide the token for internal processes (where the process was given explicit access to the management API to retrieve these tokens), but don’t return it directly to applications to avoid any possible misuse.

If you want a GH token directly in your app without backend mediation, I would suggest that after the authorization stage takes place with Auth0 (for authentication and possibly a token for your own backend API) your application requests a token directly from GH (with the appropriate scopes that your application needs). If the user already used GH for authentication, there won’t be another authentication prompt. By getting the response directly from GH you also get information that will probably be useful to your app, like the token duration.
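The backend route mentioned above, as an added example that is not part of the original reply or Auth0's own code: a server-side helper that reads the GitHub token from a Management API user profile and strips it before anything is logged or returned to the client. It assumes the profile comes from `GET /api/v2/users/{id}` fetched with a Management API token carrying the `read:user_idp_tokens` scope; the tenant domain, user ID and token value are constructed placeholders.

```python
import copy
import json
from urllib.parse import quote

SECRET_FIELDS = ("access_token", "refresh_token")

class IdpTokenUnavailable(Exception):
    """Raised when the profile carries no usable GitHub token."""

def user_profile_url(domain, user_id):
    # Auth0 user IDs look like "github|1234567"; the "|" must be percent-encoded.
    return f"https://{domain}/api/v2/users/{quote(user_id, safe='')}"

def github_token_from_profile(profile):
    """Return the GitHub access token stored on the user's GitHub identity."""
    matches = [i for i in profile.get("identities", [])
               if i.get("provider") == "github"]
    if not matches:
        raise IdpTokenUnavailable("user has no GitHub identity")
    token = matches[0].get("access_token")
    if not token:
        # Identity is listed but the token field is absent: the caller's
        # Management API token most likely lacks read:user_idp_tokens.
        raise IdpTokenUnavailable("GitHub identity has no access_token")
    return token

def redact_profile(profile):
    """Copy of the profile that is safe to log or send to the front end."""
    safe = copy.deepcopy(profile)
    for identity in safe.get("identities", []):
        for field in SECRET_FIELDS:
            identity.pop(field, None)
    return safe

# Constructed sample of a Management API user profile (not real data).
SAMPLE_PROFILE = json.loads("""
{
  "user_id": "github|1234567",
  "identities": [
    {"provider": "github", "connection": "github", "user_id": 1234567,
     "isSocial": true, "access_token": "gho_CONSTRUCTED_PLACEHOLDER"}
  ]
}
""")

if __name__ == "__main__":
    print(user_profile_url("example-tenant.auth0.com", SAMPLE_PROFILE["user_id"]))
    print(json.dumps(redact_profile(SAMPLE_PROFILE)))
```

Keep the returned token on the server and call the GitHub API from there, so the browser only ever holds tokens issued by Auth0.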