I've been looking at this for months without getting a clear, noncontroversial answer.
Even with this documentation, it is still unclear what to do if you have a SPA on another host than your backend (so you can't use cookies), and you do not want to use server sessions.
Using `oidc-client` from the frontend could work, but that bundle size[0] is absolutely insane.
[0]: https://bundlephobia.com/result?p=oidc-client@1.9.1