...
Store refresh token in a cookie. Make sure to set HTTP-Only=true to prevent misuse.
Store access token and id token using one of the following methods where design allows:
Serverside (best option)
Local Storage (2nd best option)
Session Storage (be careful because these are cleared when tabs close)
...