[keycloak-user] Securing Web Apps with Sessions and KeyCloak?

Hello KeyCloak users, I spent tons of time trying to find an example of using KeyCloak to secure an https-cookie-based session id for managing user sessions, but I can't find it. I found examples which demonstrate using the OID redirect flow from an AngularJS app to get tokens, but I'm concerned about the security of storing this token in JS-land in a browser. I suspect a malicious script could grab it and impersonate the user. Also, I don't know of any websites I use which use this flow, but I'm new to managing user accounts so it could be invisible to me. I was thinking I'd like to send have a form which sends the user's id and secret to my server, then turn it into session id to keep on an https cookie. Or perhaps this is "the old way" of doing auth? Anyway, is my concerns unwarranted? Is common practice now to simply treat my browser app as an OID client and pass a user token when requesting data from the server? Thanks for KeyCloak! I love how easy it is to deploy it as containers! I was originally planning to use Gluu, but they have a pretty crappy story for deploying as containers. Also, the KeyCloak docs and examples are simply more relate-able! Nice work on those! - Alex