Thanks for your quick and extensive answer! It's good to know that we are on the right track.
Regarding your points on doing all the heavy lifting on the server side: in the long run we want to provide SDKs for all our APIs which take care of maintaining access tokens, so we don't want to leave it at this.
But as a start we will do it as described.