I'm not sure how best to describe this, but I have seen times when I called a secured
endpoint (secured with the Spring Security adapter) but a token was not passed and I was able
to gain access. The first time I went to a secured endpoint I had to log into Keycloak to
authenticate, but then on each request, only a session ID was passed and no JWT. Is this
the standard behavior? If there is no JWT, where are the claims read from?
Matt