It's a good idea to offer MFA even with SSO via OAuth (or any other method). Security-conscious users will enable it, the rest won't. If your goal is to protect users from themselves by mandating MFA before accessing your app's highly-sensitive accounts, I can't recommend allowing SSO with third-party services at all. If your goal is to get users to use MFA somewhere, either in your app or the SSO provider... well, you can't enforce that except by requiring MFA locally (which might be obnoxious to users who now have to perform MFA multiple times, but does improve security for users who don't protect their SSO account), but you can strongly encourage it (perhaps by making it opt-out rather than opt-in, with the opt-out button saying "my OAuth account uses MFA already" and not offering opt-out at all to people who use non-OAuth accounts).
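
The opt-out policy suggested above, sketched as an added example that is not part of the original answer. The `Account` fields and function names are hypothetical, and treating an account that has both a password and an OAuth link as non-OAuth is an assumption.

```python
from dataclasses import dataclass
from enum import Enum


class NextStep(Enum):
    ENROLL_MFA = "enroll_mfa"        # user must set up a local second factor
    CHALLENGE_MFA = "challenge_mfa"  # user must pass the local second factor
    GRANT = "grant"                  # primary login is sufficient


@dataclass
class Account:
    # Hypothetical fields; a real user model will differ.
    login_methods: frozenset          # e.g. {"oauth"}, {"password"}, or both
    mfa_enrolled: bool = False
    mfa_opted_out: bool = False       # set only via request_opt_out()


def may_opt_out(account: Account) -> bool:
    # Opt-out is offered only when every way into the account is OAuth.
    # Assumption: an account that also has a local password counts as
    # non-OAuth, because the password path would otherwise be single-factor.
    return account.login_methods == frozenset({"oauth"})


def request_opt_out(account: Account, attests_idp_mfa: bool) -> bool:
    # The opt-out button is the user's claim "my OAuth account uses MFA
    # already"; the app records it but cannot verify it.
    if may_opt_out(account) and attests_idp_mfa:
        account.mfa_opted_out = True
        return True
    return False


def after_primary_login(account: Account) -> NextStep:
    # Runs once the password check or OAuth flow has succeeded.
    # The opt-out is re-checked so a stale flag is ignored if the user
    # later adds a non-OAuth login method.
    if account.mfa_opted_out and may_opt_out(account):
        return NextStep.GRANT
    if account.mfa_enrolled:
        return NextStep.CHALLENGE_MFA
    return NextStep.ENROLL_MFA        # MFA is on by default for everyone
```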