
Redirect improvements

Adam C. Clifton
20 Jun 2026

Currently, when being redirected to a new server, the client just replays the last thing it sent to the previous server to authenticate. If that was an email/password then it works fine, but if it was a single-use token or a 2FA challenge then it fails.

Since the user is authenticated before we decide to redirect them, we can create a special token they can use to authenticate on the new server. That way we don't have to worry about how they authenticated previously. We can also lock it down a bit by making the token single use and time limited.

It's pretty straightforward in the end: on the first server we create a random token and insert it into the database with the userId. We send that token back to the client, and the client submits it to the new server. The new server then looks the token up in the database to validate it and sees which userId is authenticating.
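The flow above, as an added illustration (example code written for this page, not the devlog's own implementation): the first server mints a random token for the already-authenticated user and records it with an expiry, and the new server redeems it exactly once. The table layout, the 60-second lifetime, and the choice to store a SHA-256 hash of the token rather than the token itself are assumptions; the post only specifies "single use and time limited". An in-memory SQLite database stands in for the shared database both servers can reach.

```python
import hashlib
import secrets
import sqlite3
import time
from typing import Optional

# Assumed lifetime for a redirect token; the post only says "time limited".
TOKEN_TTL_SECONDS = 60


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the database both servers can reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE redirect_tokens ("
        "  token_hash TEXT PRIMARY KEY,"
        "  user_id    INTEGER NOT NULL,"
        "  expires_at REAL    NOT NULL)"
    )
    return conn


def _hash_token(token: str) -> str:
    # Store only a hash: reading the table then yields nothing a client could replay.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_redirect_token(conn, user_id: int, now: Optional[float] = None) -> str:
    """First server: the user is already authenticated, so mint a fresh random
    token tied to their userId, give it an expiry, and hand it to the client."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    conn.execute(
        "INSERT INTO redirect_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
        (_hash_token(token), user_id, now + TOKEN_TTL_SECONDS),
    )
    conn.commit()
    return token


def redeem_redirect_token(conn, token: str, now: Optional[float] = None) -> Optional[int]:
    """New server: look the token up, consume it, and return the userId it
    authenticates, or None if it is unknown, already used, or expired."""
    now = time.time() if now is None else now
    token_hash = _hash_token(token)
    row = conn.execute(
        "SELECT user_id, expires_at FROM redirect_tokens WHERE token_hash = ?",
        (token_hash,),
    ).fetchone()
    if row is None:
        return None
    user_id, expires_at = row
    # Delete and check rowcount: if two requests race with the same token,
    # only one DELETE removes the row, so only one of them is accepted.
    deleted = conn.execute(
        "DELETE FROM redirect_tokens WHERE token_hash = ?", (token_hash,)
    ).rowcount
    conn.commit()
    if deleted != 1:
        return None
    if now > expires_at:
        return None  # expired tokens are consumed too, so they cannot be retried
    return user_id


if __name__ == "__main__":
    db = open_db()
    t = issue_redirect_token(db, user_id=42)
    print(redeem_redirect_token(db, t))  # 42
    print(redeem_redirect_token(db, t))  # None: single use
```

The single-use guarantee comes from the DELETE's row count rather than from the earlier SELECT, so two servers redeeming the same token concurrently cannot both succeed. Expired tokens are deleted on the failed attempt as well, which keeps the table from filling with dead rows; a periodic sweep of rows past `expires_at` would handle tokens that are never presented at all. If the redirect always names a specific destination server, recording that server alongside the token and checking it on redemption is a cheap extra restriction.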

© Numbat Logic Pty Ltd 2014 - 2026