Hi,

I'm trying to get a better understanding of the communication between Keycloak and Spring Security client applications. If I'm understanding the authentication/authorization flow correctly, it would be something like:

1. User (or client application) logs in to the application
2. Spring Security redirects to Keycloak
3. Keycloak verifies the user and creates a JWT
4. Redirects the user with the JWT back to the application
5. Verifies the JWT
6. Sends a response to the client

For step #5, verification: does Spring Security verify the JWT locally, or is the token sent back to Keycloak for verification? I'm wondering how much "chatter" there is between Spring Security and Keycloak for every request.

If a user already has a non-expired JWT, does it just do steps 5-6 until it expires? Once it expires, does it request a new JWT from Keycloak?

Thanks,

Matt
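The step 5 check in the flow above, and the steps 5-6 loop until the token expires, as an added example that is not part of the original post or of Spring Security or Keycloak. It is self-contained Python: the issuer side mints a compact JWT and the application side validates it with nothing but a key it already holds, so no call to the issuer happens per request. To run on the standard library alone it signs with HS256 and a constructed shared secret; Keycloak signs with an asymmetric key (RS256 by default) whose public half the application fetches once from the realm's JWKS endpoint and caches, so only the signature primitive differs, the claim checks (issuer, audience, expiry, pinned algorithm) are the same. The issuer URL, client id and secret are made-up values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: shared HS256 secret and the identifiers both sides agree on.
SIGNING_SECRET = b"constructed-shared-secret-do-not-reuse"
ISSUER = "https://keycloak.example.com/realms/demo"   # hypothetical realm URL
AUDIENCE = "spring-app"                              # hypothetical client id


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, lifetime_s, secret=SIGNING_SECRET, now=None):
    """Issuer side (Keycloak's role in step 3): build and sign a compact JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + lifetime_s}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(token):
    """Attacker helper: rewrite the header to alg=none and drop the signature.
    A verifier that trusts the header's alg would accept this; ours must not."""
    _, claims_b64, _ = token.split(".")
    header_b64 = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    return header_b64 + "." + claims_b64 + "."


def verify_token(token, secret=SIGNING_SECRET, now=None, leeway_s=0):
    """Application side (step 5): validate entirely locally, no call to the issuer.
    Raises ValueError with a reason on any failure; returns the claims on success."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the header is attacker-controlled and must never select it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + claims_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now > claims["exp"] + leeway_s:
        raise ValueError("expired")
    return claims


def serve_requests(token, request_times):
    """Steps 5-6 repeated per request: every check is local, and once the token
    has expired the application cannot extend it; it needs a fresh one from the issuer."""
    results = []
    for t in request_times:
        try:
            results.append("ok:" + verify_token(token, now=t)["sub"])
        except ValueError as e:
            results.append("reject:" + str(e))
    return results


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token("matt", 300, now=t0)
    print(serve_requests(tok, [t0, t0 + 299, t0 + 301]))
    print(serve_requests(forge_alg_none(tok), [t0]))
```

Spring Security's resource-server JWT support works the same way: it fetches the issuer's JWK set once (via the configured issuer URI) and caches it, then checks signature, issuer, audience and expiry on each request without contacting Keycloak; the remote-per-request alternative is token introspection, which is used for opaque tokens, not JWTs. When the JWT expires the client obtains a new one from Keycloak (normally with its refresh token), and the local loop above resumes.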