Does omniauth actually verify the token?


I am currently trying to create a web app using Ruby on Rails and Keycloak as my authentication server. I would also like to use it as an authorisation server with app roles.

So I found that my best bet would be to use the omniauth gem with the Keycloak strategy, but here is my question: I have to trust the roles within the tokens, so does omniauth already check the token signature, or do I have to check it myself?

Or did I misunderstand something about JWT and OpenID?
