Thanks for the insight! If anyone cares to provide any clue about best practices and how to handle token storage, you are more than welcome to provide any insight.
I've been looking at this for months without getting a clear, noncontroversial answer.
Even with this documentation, it is still unclear what to do if you have a SPA on a different host than your backend (so you can't use cookies), and you do not want to use server sessions.
Using `oidc-client` from the frontend could work, but that bundle size[0] is absolutely insane.
Gives various suggestions depending on your use case.