This is my first time doing a full implementation of server-side OAuth (as described here: https://developers.google.com/identity/protocols/OAuth2WebServer) and I am getting a bit confused as to what to do with the tokens after receiving them from the auth provider. I can see a few options:

1. Send it to the user for local storage and send it to the db. Have the frontend send it in HTTP headers on every request and compare it with the one in the db to authenticate.
2. Send it to the database and work out some other form of authentication through a JWT or cookie.
3. Something else?
1 would be my preferred way, but something feels wrong about it... IDK what, while 2 feels a little wasteful because I will have to come up with an entirely different auth mechanism and then just pull the token from the db and refresh and use it as normal anyway...
What is an acceptable flow for this part of the application?
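Added example, not part of the question above and not code from Google's OAuth library: what option 2 looks like in practice. The provider's access and refresh tokens stay in server-side storage keyed by the application's own user id, and the browser only ever holds an opaque, random session identifier in an HttpOnly cookie, so the third-party token is never exposed to the client at all. Python dicts stand in for the database tables, the token response is a constructed sample shaped like the provider's JSON (`access_token`, `refresh_token`, `expires_in`), and `refresh_fn` is an assumed caller-supplied callable that in production would POST the refresh token to the provider's token endpoint.

```python
"""Server-side handling of OAuth provider tokens.

The provider's tokens are persisted server-side only; the browser gets an
opaque session id.  Added illustration: the dicts below stand in for database
tables and the sample token response is constructed, not captured.
"""

import secrets
import time

# --- server-side storage (stand-ins for database tables) -------------------
PROVIDER_TOKENS = {}   # user_id -> {"access_token", "refresh_token", "expires_at"}
SESSIONS = {}          # session_id -> {"user_id", "expires_at"}

SESSION_TTL = 8 * 3600  # seconds a login session stays valid


def store_provider_tokens(user_id, token_response, now=None):
    """Persist the provider's token response, keyed by our own user id.
    Nothing from this record is ever sent to the browser."""
    now = time.time() if now is None else now
    previous = PROVIDER_TOKENS.get(user_id, {})
    PROVIDER_TOKENS[user_id] = {
        "access_token": token_response["access_token"],
        # A refresh token is typically only returned on the first consent;
        # keep the one we already have if this response omits it.
        "refresh_token": token_response.get("refresh_token") or previous.get("refresh_token"),
        "expires_at": now + int(token_response["expires_in"]),
    }


def create_session(user_id, now=None):
    """Mint an unguessable session id for the browser and the Set-Cookie
    attributes that keep scripts and plain HTTP away from it."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[session_id] = {"user_id": user_id, "expires_at": now + SESSION_TTL}
    cookie = (f"session={session_id}; HttpOnly; Secure; SameSite=Lax; "
              f"Path=/; Max-Age={SESSION_TTL}")
    return session_id, cookie


def user_for_session(session_id, now=None):
    """Resolve the session cookie to a user id; None if unknown or expired.
    This is the per-request authentication check: it never touches the
    provider token, so there is nothing to 'compare' against on each call."""
    now = time.time() if now is None else now
    record = SESSIONS.get(session_id)
    if record is None:
        return None
    if now >= record["expires_at"]:
        del SESSIONS[session_id]  # expired sessions are dropped on first use
        return None
    return record["user_id"]


def provider_access_token(user_id, refresh_fn, now=None, skew=60):
    """Return a usable provider access token for this user, refreshing through
    `refresh_fn` when it is expired or within `skew` seconds of expiry.

    refresh_fn(refresh_token) -> token_response dict is an assumed hook; in a
    real app it performs the token-endpoint request to the provider."""
    now = time.time() if now is None else now
    record = PROVIDER_TOKENS.get(user_id)
    if record is None:
        raise KeyError("no provider tokens stored for this user")
    if now + skew >= record["expires_at"]:
        if not record["refresh_token"]:
            raise RuntimeError("token expired and no refresh token; user must re-consent")
        store_provider_tokens(user_id, refresh_fn(record["refresh_token"]), now=now)
        record = PROVIDER_TOKENS[user_id]
    return record["access_token"]


if __name__ == "__main__":
    # Constructed sample shaped like a provider token response.
    sample = {"access_token": "constructed-access-1", "refresh_token": "constructed-refresh",
              "expires_in": 3600, "token_type": "Bearer"}
    store_provider_tokens("user-42", sample, now=1000.0)
    sid, cookie = create_session("user-42", now=1000.0)
    print("cookie sent to browser:", cookie)
    print("request authenticates as:", user_for_session(sid, now=1000.0))
    refreshed = lambda rt: {"access_token": "constructed-access-2", "expires_in": 3600}
    print("token used server-side later:", provider_access_token("user-42", refreshed, now=4600.0))
```

The pattern separates two lifetimes that option 1 conflates: the login session (ours, revocable by deleting one row) and the provider grant (theirs, refreshed on demand when the backend actually needs to call the API). Sending the provider's access token to the browser would turn every XSS or leaked header into a bearer credential valid against the provider, not just against this app.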