Usually backend makes sense when you have a traditional web-app, so your back-end will detect unauthenticated user and will redirect a browser to a login page. User will authN to Okta and Okta will return the browser to a backend callback API with an authorization code. Your backend will take it and exchange it for a token with Okta directly through an API call to /token endpoint