Thank you for posting your question. I think you are on the right track. I’m leaving a few links so you can better understand the topic.
The SPA interacts with the authorization server to get the ID, access, and refresh tokens. Then, the SPA uses the ID token to get data about the user, the access token to call an API, and the refresh token to get a new access token once it expires.