I am new to OAuth 2.0 and I would like to know the best practice / location to store the access token and refresh token in a generic e-commerce web site.
Question 1:
A1: The access token has a much shorter time-to-live than the refresh token. You may store the refresh token in local storage or even in other secure storage on the server side; for the access token, both web storage and local storage are fine. Storing the access token in a cookie does not make much sense.
A2: Yes, hence the refresh token should not be stored on the client side.
A3: Store it on the server/service side.