ID Token and Access Token: What Is the Difference?

Hi @dieseldjango,
The architecture you describe seems to have some unclear points.

First, as explained in the article, formally the ID token is intended for the SPA client and should not be sent to the backend.

Second, it is not clear to me if you are implementing the token exchange in your backend (i.e., your backend issues the token for the external API) or if the backend is connecting to a second authorization server to exchange the access token.

In the first case, if your backend implements token exchange, it is not clear to me why. It seems that your backend acts as an authorization server for another API (“To do this securely I need to verify the user has a valid token from the expected issuer to the expected client, and to identify the user.”)

In the second case, as far as I know about token exchange, the entity requesting the token exchange should be the entity receiving the token. From your message it seems that the backend receives the token that will be provided to the SPA client, which doesn’t seem to be in accordance with the specification (“I need to take those tokens and on my backend exchange them for an access token generated for the client to access another API.”)

In this second case, I think you should implement the Backend For Frontend pattern to let your backend handle all the tokens.
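As an added example (not from the reply above, the original poster, or the linked article), the following Python shows concretely why the ID token stays with the SPA and only the access token belongs at the API: both tokens are signed by the same issuer, but their `aud` claims differ, and a backend that checks audience will accept one and refuse the other. The issuer URL, client ID, API audience, user and key are all constructed for the example; HS256 with a shared key is used only so the code runs offline, whereas a real provider signs with an asymmetric key and the API verifies against its JWKS, but the issuer/audience/expiry checks are the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed example values (not from the thread): a fictional OpenID
# provider, the SPA's client ID, and the API that the backend protects.
ISSUER = "https://issuer.example.com/"
SPA_CLIENT_ID = "spa-client-id"
API_AUDIENCE = "https://api.example.com"
SIGNING_KEY = b"demo-shared-secret-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes, typ: str = "JWT") -> str:
    """Sign claims as an HS256 JWT (stand-in for the provider's RS256 signing)."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_api_token(token: str, key: bytes, now: int) -> dict:
    """The check a backend/API should run on a bearer token: signature, then
    iss, aud and exp. The aud check is what separates an access token minted
    for this API from an ID token minted for the SPA client."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's alg blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in aud:
        raise ValueError(f"token not intended for this API (aud={aud})")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def issue_tokens(now: int) -> tuple:
    """Constructed tokens as a provider would mint them for the SPA's
    authorization-code flow: ID token (aud = client) and access token (aud = API)."""
    id_token = make_jwt({"iss": ISSUER, "sub": "user-123", "aud": SPA_CLIENT_ID,
                         "iat": now, "exp": now + 600, "nonce": "n-0S6_WzA2Mj",
                         "email": "alice@example.com"}, SIGNING_KEY)
    access_token = make_jwt({"iss": ISSUER, "sub": "user-123", "aud": API_AUDIENCE,
                             "iat": now, "exp": now + 600, "scope": "read:orders",
                             "client_id": SPA_CLIENT_ID}, SIGNING_KEY, typ="at+jwt")
    return id_token, access_token


def tamper_audience(token: str, new_aud: str) -> str:
    """Rewrite the payload's aud but keep the old signature, to show that the
    audience check alone is not enough without signature verification."""
    h64, c64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(c64))
    claims["aud"] = new_aud
    return h64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s64


def api_decision(token: str, now: int) -> str:
    """Outcome string for a presented token, as the API would log it."""
    try:
        claims = verify_api_token(token, SIGNING_KEY, now)
        return "accepted:" + claims["sub"]
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    id_tok, access_tok = issue_tokens(now)
    print("access token ->", api_decision(access_tok, now))
    print("ID token     ->", api_decision(id_tok, now))
    print("forged aud   ->", api_decision(tamper_audience(id_tok, API_AUDIENCE), now))
```

In a Backend For Frontend deployment the backend would be the one holding the access token (in a server-side session keyed by a cookie) and attaching it to calls to the external API; the SPA would never see either token. The verification above is then what the external API runs, and the BFF itself only needs the ID token to establish the session, never forwarding it onward.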