Login in App via Moodle credentials and LTI - Provider or consumer?

I have a simple question that I can't solve with the resources about moodle and LTI.

I want my users to login into their App with moodle credentials (as often done with e.g. "login via facebook") - is my app the consumer or the provider?

I first thought the app is the provider but some points make me question that:

1. No, I do not want to start the app from within moodle.
2. No, I also do not want to embedd my app content in moodle.
3. I just want the users registered in moodle login to an app with their moodle username and password

All content I found on LTI provider assumed the opposite of point 1 and 2.

However, I also found that moodle can be a provider itself. It has been shown to be embedded in an external application. But in my understanding, the consumer is responsible for authenticating the login (which is opposite to point 3).

Am I missing something, that makes it so hard to see the soution here?

I found Atomic Jolt's try_oauth repo will do exact what you want. It also has an excellent code along video which explains the workflow really well.

You navigate to the app and it opens up a Canvas authentication page and grabs the users credentials.

https://github.com/atomicjolt/try_oauth

Hope that help.s