The user navigates to SPA, which redirects the user to IdP to sign in.
User signs in (and authorizes the application, if needed).
IdP returns the user to SPA with Authorization Code.
JavaScript code in SPA sends the Authorization Code to a login endpoint on the REST API Server.
The REST API Server sends a request to the IdP Server containing the Authorization Code (and usually also a Client ID and Client Secret, which identify the REST API Server to the IdP Server).
The IdP validates the Authorization Code and sends the Access Token and ID Token to the REST API Server.
The REST API Server stores the Access Token and ID Token in its memory and sends its own Session Token back to the SPA.
For every request the SPA makes to the REST API Server, it includes the Session Token which the REST API Server gave it. If the REST API Server needs to request resources from another server, it uses the stored Access Token to make that request.
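
The server side of steps 4 to 8, as an added example that is not code from the original page. The names SessionStore and fakeIdpExchange, the client credentials and all token values are constructed for illustration, the IdP call is replaced by a local stand-in so the block runs offline, and tying the session lifetime to expires_in is an assumption.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the IdP token endpoint (steps 5-6). A real server
// would send the code, Client ID and Client Secret to the IdP over TLS.
function fakeIdpExchange(code, clientId, clientSecret) {
  if (code !== 'constructed-auth-code' || clientSecret !== 'constructed-secret') {
    throw new Error('invalid_grant');
  }
  return { access_token: 'constructed-access-token',
           id_token: 'constructed-id-token', expires_in: 3600 };
}

class SessionStore {
  constructor(exchange, now = () => Date.now()) {
    this.exchange = exchange;   // function that redeems the Authorization Code
    this.now = now;             // injectable clock, so expiry can be tested
    this.sessions = new Map();  // session token -> tokens held server-side
  }

  // Steps 4-7: login endpoint logic. Only the opaque Session Token is
  // returned; the Access Token and ID Token never reach the browser.
  login(authorizationCode) {
    const tokens = this.exchange(authorizationCode,
                                 'constructed-client-id', 'constructed-secret');
    const sessionToken = crypto.randomBytes(32).toString('hex');
    this.sessions.set(sessionToken, {
      accessToken: tokens.access_token,
      idToken: tokens.id_token,
      expiresAt: this.now() + tokens.expires_in * 1000,
    });
    return { sessionToken };
  }

  // Step 8: resolve the Session Token sent with each request. The stored
  // Access Token is used only for the server's own calls to other servers.
  accessTokenFor(sessionToken) {
    const session = this.sessions.get(sessionToken);
    if (!session) return null;
    if (this.now() >= session.expiresAt) {
      this.sessions.delete(sessionToken); // drop expired sessions on lookup
      return null;
    }
    return session.accessToken;
  }
}
```
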
The user navigates to SPA, which redirects the user to IdP to sign in.
User signs in (and authorizes the application, if needed).
IdP returns the user to SPA with Access Token and ID Token.
JavaScript code in SPA stores the Access Token and ID Token in the browser's localStorage and sends the Access Token to the REST API server for every request it makes (usually as an Authorization: Bearer <access token> header).
If needed, the REST API Server checks the validity of the Access Token by talking to the IdP. (Often the IdP signs the token, and verifying that signature is enough, so no communication is actually necessary.)
NOTE: As of April 2019, the OAuth Working Group no longer recommends the use of Implicit Flow for most cases because there are better, more secure ways to accomplish the same things.