Notes from Microservices: Security course on LinkedIn Learning.
- An ID token should only be used to identify the user on the client, never on the API. When the API needs user information, it should query the identity provider's /userinfo endpoint with the access token it was given.
- Always include expiration dates in tokens.
- Do not set realm-public-key; leave it unset so the Keycloak adapter downloads the key automatically whenever it is needed, which prevents the library from breaking when Keycloak rotates its keys.
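The following is an added example, written for these notes and not taken from the course, showing what the three points look like on the API side: a bearer-token check that rejects ID tokens, requires an expiration, fetches user details from /userinfo with the access token, and a small lint for the Keycloak adapter config. Assumptions: an HS256 shared secret stands in for the provider's RS256 keys so it runs offline; the audience `orders-api`, the host `idp.example` and realm `demo` are hypothetical; the check that Keycloak marks ID tokens with a payload claim `typ: "ID"` is this example's assumption about Keycloak's claim layout (the audience check is the generic OIDC safeguard); the HTTP client is injected so no network call is made.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, Optional

# Constructed stand-ins (not from the course): a shared HS256 secret replaces the
# provider's RS256 signing key so the example runs offline, and the audience is a
# hypothetical resource identifier for this API.
SIGNING_SECRET = b"constructed-test-secret-do-not-reuse"
API_AUDIENCE = "orders-api"
# Keycloak's userinfo path is real; host and realm name are hypothetical.
USERINFO_URL = "https://idp.example/realms/demo/protocol/openid-connect/userinfo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint a test JWT the way an identity provider would (HS256 stand-in)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims of a valid, unexpired access token issued for this API.

    Raises ValueError for anything the API must not accept, including an ID token.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token never gets to choose it (rejects alg=none etc.).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    # Note 1: ID tokens belong to the client. Keycloak marks them with "typ": "ID"
    # (assumption about its claim layout); they also lack this API's audience.
    if claims.get("typ") == "ID":
        raise ValueError("ID token presented to the API")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if API_AUDIENCE not in aud:
        raise ValueError("token was not issued for this API")
    # Note 2: an expiration is mandatory and must lie in the future.
    if "exp" not in claims:
        raise ValueError("token has no expiration")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def classify_token(token: str, now: Optional[float] = None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_access_token(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def fetch_userinfo(access_token: str, http_get: Callable[[str, Dict[str, str]], dict]) -> dict:
    """Note 1: get user details from the provider with the access token instead of
    trusting an ID token. http_get is injected so the example stays offline."""
    return http_get(USERINFO_URL, {"Authorization": f"Bearer {access_token}"})


def audit_adapter_config(config: dict) -> List[str]:
    """Note 3: flag a pinned realm-public-key in a Keycloak adapter config (keycloak.json)."""
    findings = []
    if "realm-public-key" in config:
        findings.append("realm-public-key is pinned: remove it so the adapter fetches the "
                        "realm's current key and survives key rotation")
    return findings


if __name__ == "__main__":
    now = 1_700_000_000
    access = sign_jwt({"typ": "Bearer", "aud": [API_AUDIENCE, "account"], "sub": "user-1", "exp": now + 300})
    id_token = sign_jwt({"typ": "ID", "aud": "my-spa", "sub": "user-1", "exp": now + 300})
    print(classify_token(access, now))    # ok
    print(classify_token(id_token, now))  # ID token presented to the API
    fake_get = lambda url, headers: {"sub": "user-1", "preferred_username": "alice"}  # constructed client
    print(fetch_userinfo(access, fake_get))
    weak = {"realm": "demo", "auth-server-url": "https://idp.example/", "resource": "orders-api",
            "realm-public-key": "PLACEHOLDER-PEM-BODY"}
    fixed = {k: v for k, v in weak.items() if k != "realm-public-key"}
    print(audit_adapter_config(weak), audit_adapter_config(fixed))
```

The `weak` dict is the keycloak.json shape the last note warns about; `fixed` is the same file with `realm-public-key` removed, which is the whole of the recommended change.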