Where to store the refresh token on the Client?

You can store tokens securely in HttpOnly cookies.

https://medium.com/@sadnub/simple-and-secure-api-authentication-for-spas-e46bcea592ad

If you are worried about a long-lived Refresh Token, you can skip storing it and not use it at all. Just keep the Access Token in memory and do a silent sign-in when the Access Token expires.

Don’t use Implicit flow because it’s obsolete.

The most secure way of authentication for an SPA is Authorization Code with PKCE.

In general, it’s better to use existing libraries based on oidc-client than building something on your own.
