This is a hard thread to answer because it exceeds authentication and is more about web development in general, and that is of course a topic that could go on forever and with no single solution but multiple possibilities.
If you are planning to have a backend, I would use cookie authentication and avoid sending any kind of tokens to the browser. Instead of returning static pages, you can use any templating engine (like Razor pages) to make use of that session cookie information.
Essentially:
- User requests a page
- If the cookie middleware detects no session, it handles that to the OIDC middleware that requests an authentication from Auth0.
- After the login is done, a cookie with the user session is set
- Now, in the server, you know the identity of the user and every request (be it for HTML content or API) will have access to the identity of the user.
Our quickstart at https://auth0.com/docs/quickstart/webapp/aspnet-core-3/01-login exemplifies that. It shows an MVC application, but instead of MVC you could be serving Razor pages with the same overall setup.