> Also, you wouldn't need the auth code flow unless you were planning on impersonating the user or using their data in the back channel.
True. But in this case, you would only use the tokens to identify the user and then throw them away. After identifying the user, you would use your own session management solution to take proper control of it. Just like how Google, FB, YouTube, etc. do for their own websites.
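The pattern described in the reply above, as an added example that is not part of the original post: the ID token is validated once to learn who the user is, and only an opaque session of your own is kept afterwards. It assumes an HS256-signed ID token keyed with the client secret so that it runs on the standard library alone (with RS256 you would verify against the provider's published keys using a JWT library); `SESSIONS`, `make_id_token`, `identify_user` and `start_session` are hypothetical names.

```python
import base64, hashlib, hmac, json, secrets, time

SESSIONS = {}  # session id -> {"sub", "expires"}; in-memory stand-in for a session store

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_id_token(claims, key):
    """Build a constructed HS256 ID token, standing in for the provider's response."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + "." + _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64e(sig)

def identify_user(id_token, key, issuer, client_id, nonce, now):
    """Validate the ID token and return its subject; raise ValueError otherwise."""
    try:
        head, body, sig = id_token.split(".")
        header, claims, given = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
        alg, sub = header["alg"], claims["sub"]
    except Exception:
        raise ValueError("malformed token") from None
    if alg != "HS256":  # pin the expected algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch")  # nonce ties the token to this login attempt
    return sub

def start_session(id_token, key, issuer, client_id, nonce, ttl=3600, now=None):
    """Identify the user, then keep only our own opaque session; the token is not stored."""
    now = time.time() if now is None else now
    sub = identify_user(id_token, key, issuer, client_id, nonce, now)
    sid = secrets.token_urlsafe(32)  # value for an HttpOnly, Secure session cookie
    SESSIONS[sid] = {"sub": sub, "expires": now + ttl}
    return sid
```

The session lifetime (`ttl`) is set by your application and is independent of the token's `exp`.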