Say we have an SPA, an OAuth service (Google, FB or LinkedIn) and an app server (our API) which serves the SPA to the client.
Our SPA authenticates from the client side with OAuth against the 3rd party, say Google, LinkedIn or FB; the method to use is said to be the "implicit flow", which returns the access token by bypassing an extra step. Now how do we use this access token to communicate with our API? They are decoupled.
At this point the client app (SPA) has the token and the FB|GOOGLE|LINKEDIN user_id which we got from the 3rd-party OAuth.
Now let's say we are making a GET request to our server and it has to be an authenticated request. How do we use this token that we got from the OAuth?
1) Do we make an API call from the SPA to our app server (our API server) with the token we got from OAuth, and then make another call to the OAuth service again from the app server, this time with the same token, to make sure it is a valid token, and create a JWT from that token and use the JWT for the following API calls?
2) Or do we implement a standard server-side OAuth implementation using FB|GOOGLE|LINKEDIN, and after authentication save that access token on the server side for that user, serve the SPA to the client and pass the access token we got from the OAuth server to the client? Now that token can be used for the following API calls.
3) Or do we implement a standard server-side OAuth implementation using FB|GOOGLE|LINKEDIN, and after authentication save that access token on the server side for that user and serve the SPA, but this time create a JWT and serve that to the client, and the client can now use the JWT for the following calls?
I do not know what the right way is. Or if it is even a good way to authenticate using OAuth with SPAs, since the Implicit Grant apparently is not a good way to go.
authorization_code grant. – Dutcher
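As an added example (not part of the question or the comment above), here is option 1 from the question as a minimal Python backend: the SPA hands the provider's access token to our API once, the API validates it against the provider and checks that the token was actually issued for our client ID, then mints its own signed JWT that the SPA sends as a Bearer token on every later call. The provider lookup is a constructed in-memory stub standing in for the provider's token-info endpoint (in production this is an HTTPS call to Google/FB/LinkedIn), and all token strings, user ids, the client id and the signing secret are constructed placeholders, not values from the page.

```python
"""Added example (not from the original post): option 1 from the question.

Flow: SPA -> POST /auth/exchange (provider access token) -> our JWT
      SPA -> GET /me with "Authorization: Bearer <our JWT>"
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed stub for the OAuth provider's token-info endpoint (assumption:
# it reports the subject, the audience/client id and an expiry, as Google's
# tokeninfo does). A real server would call the provider over HTTPS here.
PROVIDER_TOKENS = {
    "prov-token-valid": {"sub": "user-123", "aud": "our-client-id", "exp": 9999999999},
    "prov-token-other-app": {"sub": "user-456", "aud": "someone-elses-client-id", "exp": 9999999999},
    "prov-token-expired": {"sub": "user-789", "aud": "our-client-id", "exp": 1000000000},
}
OUR_CLIENT_ID = "our-client-id"            # constructed placeholder
JWT_SECRET = b"constructed-example-secret"  # server-side only; never sent to the SPA
JWT_TTL_SECONDS = 3600


def introspect_provider_token(token, now=None):
    """Validate the provider's access token. Returns its claims or None.

    Besides validity and expiry, the audience must be our own client id:
    an access token issued to some other app must not log a user in here.
    """
    now = time.time() if now is None else now
    info = PROVIDER_TOKENS.get(token)
    if info is None or info["exp"] <= now or info["aud"] != OUR_CLIENT_ID:
        return None
    return info


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(user_id, provider, now=None):
    """Create our own HS256 JWT after the provider token checked out."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "idp": provider, "iat": now, "exp": now + JWT_TTL_SECONDS}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(JWT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token, now=None):
    """Return the payload if signature and expiry are valid, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        # Only accept the algorithm we mint; this also rejects alg "none".
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(JWT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


def login_with_provider_token(provider_token, provider="google", now=None):
    """POST /auth/exchange: the SPA hands over the provider's token once."""
    claims = introspect_provider_token(provider_token, now)
    if claims is None:
        return 401, {"error": "invalid provider token"}
    # Here the real app would look up or create the local account that is
    # linked to (provider, claims["sub"]).
    return 200, {"token": mint_jwt(claims["sub"], provider, now)}


def get_profile(authorization_header, now=None):
    """GET /me: an authenticated API call carrying our JWT as a Bearer token."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    payload = verify_jwt(authorization_header[len("Bearer "):], now)
    if payload is None:
        return 401, {"error": "invalid or expired token"}
    return 200, {"user_id": payload["sub"], "idp": payload["idp"]}


if __name__ == "__main__":
    status, body = login_with_provider_token("prov-token-valid")
    print(status, body)
    print(get_profile("Bearer " + body["token"]))
    print(login_with_provider_token("prov-token-other-app"))
```

The provider's access token is used exactly once, at the exchange step, and never becomes the API's session credential; the JWT the API mints is what it later verifies, so the API only trusts its own signature plus the one-time provider check rather than re-contacting the provider on every request.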