
OAuth authorize call redirection


I'm aware that once you issue an authorize call, the authorization server will redirect to the callback url that is provided with the auth code. Upon getting the auth code, who should execute the token call? Is it from the UI or from the backend? Please explain the logic behind this.

If backend, how can I follow redirects to the backend?

Have I misinterpreted the OAuth concept altogether? Anything is highly appreciated. Thank you.


Solution

  • The OAuth2 authorization code flow should be initialized at your backend. Your backend should also process the redirect from the authorization server (which contains an auth code). You probably need a client secret to access the token endpoint; you must keep it at the backend, because it's not possible to keep it safe in a browser.

    You don't need to follow redirects. Redirects always cause some browser -> server (backend) call, because the browser handles a redirect by creating an HTTP request.

    There are different OAuth2 flows designed for various use cases. Which one to use very much depends on how you want to use it and what your infrastructure looks like (you can formulate a new question when it gets clearer to you). If you want to learn more about OAuth2, I would suggest you read its RFC. It's well written, easy to read and doesn't omit any important details. There is also an extension of the OAuth2 protocol called OpenID Connect designed more for authentication.
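The two backend steps the answer describes, as an added example that is not part of the original question or answer: the backend builds the authorize URL (storing a random `state` in the server-side session, as RFC 6749 section 10.12 recommends), the browser's GET to the callback URL delivers the code, and the backend exchanges it at the token endpoint with the client secret. The endpoints, client id/secret and redirect URI are constructed placeholders, and the HTTP call is injected as `post` so the exchange can be exercised without a network.

```python
import secrets
import base64
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for the example; a real app reads these from config.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret"      # lives only on the backend, never in the browser
REDIRECT_URI = "https://app.example.com/oauth/callback"


def start_login(session):
    """Step 1 (backend): build the authorize URL the browser is redirected to.
    The random 'state' is kept in the user's server-side session so the
    callback can later be tied to the login that started it."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": session["oauth_state"],
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session, callback_url, post):
    """Step 2 (backend): the browser follows the server's redirect and lands
    here with ?code=...&state=...  Verify state, then exchange the code at
    the token endpoint; 'post(url, headers=, data=)' is the injected HTTP client."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    expected = session.pop("oauth_state", "")   # single use
    if not expected or not secrets.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: callback is not tied to a login we started")
    if "error" in query:
        raise ValueError(f"authorization server returned {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    # Client credentials go in an HTTP Basic Authorization header (RFC 6749 s2.3.1)
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code",
            "code": query["code"][0],
            "redirect_uri": REDIRECT_URI}
    return post(TOKEN_ENDPOINT, headers=headers, data=body)
```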