You really should have an API encrypt call on the website that the mobile app can call to encrypt the access token before passing it on the URL (unless it's a webview in the desktop app).
It's really pretty simple. The mobile app navigates the browser (or webview) to the website's login-via-access-token endpoint that you create:
https://mysite.com/login?token=<the token>
In the code for the endpoint, you validate the access token, then create custom credentials based on the user and claims in the access token.
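
The flow described above, sketched in Node.js as an added example that is not part of the original post: an encrypt call that wraps the access token with AES-256-GCM and a short expiry, and the login endpoint's unwrap step, which rejects tampered, expired or replayed values. The key handling, the 60-second lifetime, the in-memory replay cache and all function names are assumptions; the endpoint still has to validate the recovered access token before creating credentials.

```javascript
// Added example; names, key handling and lifetimes are assumptions, not the post's code.
const nodeCrypto = require('node:crypto');

const WRAP_KEY = nodeCrypto.randomBytes(32); // assumption: server-side key, never shipped to the app
const TTL_MS = 60_000;                       // assumption: wrapped value is valid for 60 seconds
const usedIvs = new Set();                   // assumption: single-process replay cache (unbounded here)

// API "encrypt" call: the app posts its access token and gets back an opaque, URL-safe value.
function wrapToken(accessToken, now = Date.now()) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', WRAP_KEY, iv);
  const body = JSON.stringify({ t: accessToken, exp: now + TTL_MS });
  const ct = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  // Layout: 12-byte IV | 16-byte GCM tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// URL the app opens in the browser or webview (host taken from the post).
function loginUrl(wrapped) {
  return 'https://mysite.com/login?token=' + encodeURIComponent(wrapped);
}

// Login endpoint: decrypt, then enforce expiry and single use.
// Returns the inner access token, or null if the value must be rejected.
function unwrapToken(wrapped, now = Date.now()) {
  try {
    const raw = Buffer.from(wrapped, 'base64url');
    const iv = raw.subarray(0, 12);
    const tag = raw.subarray(12, 28);
    const ct = raw.subarray(28);
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', WRAP_KEY, iv);
    decipher.setAuthTag(tag);
    const plain = Buffer.concat([decipher.update(ct), decipher.final()]);
    const { t, exp } = JSON.parse(plain.toString('utf8'));
    const id = iv.toString('hex');
    if (now > exp || usedIvs.has(id)) return null; // expired or already redeemed
    usedIvs.add(id);
    return t; // next step: validate this access token, then build the site's credentials
  } catch {
    return null; // tampered, truncated, or encrypted under a different key
  }
}
```

With more than one web server, the key and the replay cache have to live in shared storage, and cache entries can be dropped once their expiry has passed.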