Question: Should the remix strategy example documentation be updated to avoid returning the tokens in the verify function? Here's the line of code I'm referring to: https://github.com/sergiodxa/web-oidc/blob/main/README.md?plain=1#L110

This stems from a higher level question I have about where is the best place to store an access token when authenticating with remix? I know this might be a bit of a "depends on your situation" kind of question, but after looking into a lot of the different remix-auth strategies to determine how they generally store the access token for usage, I can't quite figure it out.

Isn't it more secure, and better practice, to avoid returning the tokens in the verify function of the strategy so that the tokens don't get sent to the browser? Wouldn't it be better to set them in the remix session, instead, and generally only use the access token via the cookie on the remix server?

Sorry, this isn't really an issue with this library per-se, I just can't quite find an answer to how we should store and access access tokens securely in Remix.

Thanks for any advice/suggestions!