OAuth/OIDC flows are perfect for this, no need to reinvent the wheel and OIDC support in libraries/frameworks is pretty solid these days. Which makes integrating this in apps quiet easy I suppose if you can expose OIDC compliant "nsec bunker" endpoints.