Post-auth Social IDP Account Linking

Hi community!

I need help solving for my use case which complex. Any help would me much appreciated.

I will use Auth0 terminology below to describe my use case:

Application Tenant: we will avoid using this term as much as possible to avoid confusion, but
where necessary it will refer to a tenant in your application as opposed to the Auth0 Tenant.
Instead of using this term, we will use “Organization” or “Organization Instance.”
Auth0 Tenant (Authorization Server): the Auth0 tenant that you create in Auth0. It is your
Authorization Server and represents a user domain.
Employee: a person who is part of your company. They likely have an account in your Identity
Provider (IdP). They may need admin access to organization instances. NOTE: your customers
may have users who are also employees, but we will refer to those as Organization Users as we
don’t know if they are employees or not. We will only refer to Employees of your company.
Identity Provider (IdP): a service that manages authentication of users and optionally user
profile information and credentials for an organization, company or group; or the service may
delegate the credential validation and profile management to another IdP. Example IdPs are:
your Auth0 tenant, your Azure AD instance, Google, Facebook, etc.
4 auth0-tfg-00020 version 1.0.1
Organization: a company that is a customer of yours. If you refer to organization instances of
your applications as tenants, we will refer to them as organizations to avoid confusing the term
with the Auth0 tenant. This is a replacement for the term Application Tenant to avoid confusion.
Organization User: the person who is logging into the application as a member of one of your
organizations.

Use case follows below. Points 1, 2, and 3 are here for context - Point 4 is what I need help with:

  1. I want to allow my Organization users - who are business users as FunnelGuard is a B2B company - to sign up with Google, Facebook, or email/password. During sign up, they would also create an Organization account - which they could later invite other Organization users to join.

  2. Any Organization user will also be join multiple Organizations given that they are invited to join multiple Organizations, or create multiple Organizations.

  3. I want to allow any of my Organization users within a given Organization to grant FunnelGuard access to Google Ads and/or Facebook Ads data. Google Ads, for example, offers an Oauth2 service to allow request/consent/access to Google Ads data on behalf of Google Ads users: https://developers.google.com/adwords/api/docs/guides/authentication#webapp. I have read https://auth0.com/docs/connections/adding-scopes-for-an-external-idp and understand that I can add extra scopes to any external idp connection request.

4. Organization users can sign up first and grant access to Google Ads/Facebook Ads later after authenticating, no matter HOW the user signed up (i.e. Organization user signs up with email/password, two days later the user comes back and I now want to request the user to grant FunnelGuard access to Google Ads on their behalf.),

Auth0. How do I best solve for #4?

Understanding that

a.) both Google and Facebook are Social IDPs, and that they make their Ad network data available though specific Oauth2 scope

and

b.) I can add such scopes as described in https://auth0.com/docs/connections/adding-scopes-for-an-external-idp#2-pass-scopes-to-authorize-endpoint

and

c.) I am planning to use the New Universal Login Auth0

Do I simply pass the scope to the authorize endpoint and send my Org user who is already authenticated there to now link their social IDP and/or grant the scope? Would Auth0 handle automatic account/profile linking that way? And will this work with New Universal Login or should I use some other UI solution?

Thanks in advance!