Tags: api, security, token, single-page-application, openid

SPA Implicit Flow vs Authorization Flow vs Hybrid Flow


There seems to be a consensus about using the OpenID Implicit Flow for SPAs, although there are some security concerns. Does using HTTPS mitigate that risk, or is it safer to go with another flow type, e.g. Authorization or Hybrid flow?


Solution

  • I think the risk is higher if you use Authorization or Hybrid flow for an SPA. For Hybrid and Authorization Code you have to keep a secret code that is shared between the identity provider and clients, which is very risky in the case of an SPA, because it is a refresh token that can be used to get new tokens if stolen.

    You know refresh tokens live longer than access_tokens, so it's better to provide an access token (implicit flow) with a 1 hour expiration rather than giving a refresh token that lives longer and can be used to get new tokens.