...
The following is the recommended approach:
Store refresh token in one of the following methods:
Serverside (best option)
In a cookie. Make sure to set HTTP-Only=true to prevent misuse.
Store access token and id token using one of the following methods where design allows:
Serverside (best option)
Local Storage (2nd best option)
Session Storage (be careful because these are cleared when tabs close)
...