Confused about the correct flow with our stack

Hi all,

I’m currently looking to integrate OAuth into our bespoke applications and I’m a bit confused about the correct way to attack it given our application architecture.

We are using an Angular 7 front end with a Dropwizard back end. This Dropwizard back end obviously has protected resources that Angular needs to access. I’m confused about what role the front end and back end plays when it comes to tokens.

After some research, these are my thoughts on the correct flow (please correct me if I’m wrong):

  1. Set up Angular as an SPA application with the Authorization Code grant type. Angular authenticates with Okta and recieves an authorization code.
  2. Angular sends this code up to Dropwizard (which is set up as a Web? application in Okta) and dropwizard hits an Okta endpoint via HTTP to exchange the authorization code for an id_token/access_token. We then create our backend user object from the claims etc.

Is this the correct way? What token should I give back to Angular so it can provide it on subsequent requests? How does the refresh_token fit into this? I want the session to be maintained whilst there is user activity on the session.

Thanks in advance.