I am new to OpenID Connect and keycloak.
I have two questions: Does my application have to verify with the openid connect provider (OP) - Keycloak in this case for every API call to my application? This may impose a lot of load on the OP. Alternatively, does my app have to rely on the expiry of the token that was obtained when the user first tried to connect to my application?
If my application (RP) relies on token expiry, how will revocation of an user at the OP will work? Does my application know about the revocation only after the expiry of the token or does the OP notify the registered application when the user is revoked?