Qt

What is the easiest way to implement user authentication on an authorized client?

Good afternoon community!
There is the following task: to implement user authentication on an authorized client (native desktop and browsers).
Back in the project consists of three parts:
- SPA_Node (for users using the browser, gives the "front", Node.js),
- API_Node (all business logic on REST, Node.js),
- Ory Hydra OpenID Provider (for OAuth2 ).
The original task is divided into the following subtasks: it is
necessary to implement
1. authentication by tls-certificates of two types of clients: Win Desktop app (C++/Qt) and browser. In the case of a native application, authentication is performed at launch using the [cert, key] pair known to each client and the ca certificate, in the case of a browser, when SPA calls the API. Each physical connection point has its own [cert, key] pair.
2. authorization of both types of clients for access to the service API.
3. user authentication via OAuth2 on an authorized client. This part is implemented via Passport.js (passport-oauth2 strategy). In production, users must authenticate through the ESIA. For authentication on API_NODE, a function is implemented (GET /auth/{provider}), behind which passport.js and session cookies are hidden.
4. user authorization to resources on API Node.
Actually, the question is how to organize and implement this task correctly / easier / faster - simultaneous "double" authorization of the user and the client he uses to access API_NODE resources?