I am the author of dm.zope.saml2 which provides the SAML2 browser SSO profile for Plone, something similar to OAuth2. I know therefore, the principal problems and potential solutions, even though I am unfamiliar with your specific PAS plugin.
"pas" stands for "Pluggable Authentication Service". Its principal philosophy is the splitting of the authentication/authorization domain into a (rather extensive) set of small tasks which are each implemented by plugins. The plugins can be mixed quite flexibly.
OAuth2, like SAML2, essentially targets the authentication subtask; likely, it also provides some properties. In my view, you should not add additional features to those plugins but implement them in other plugins (e.g. a user property plugin to integrate membrane properties).
I would approach your current task as follows: OAuth2 users are recognized (=authenticated) in your portal, but they are not full members. In order to become full members, they must register to your portal. The corresponding process completes the profile for those members. After that, those users continue to be authenticated via OAuth2, but they now are full portal members and get a mix of the foreign properties and the local properties as their properties.