Validating keycloak bearer token on behalf of client
Figured it out: I was calling Keycloak at different urls, localhost:8080 from postman and host.docker.internal:8080 from the api running in Docker. Turns out you have to call Keycloak at same URL from both ends. I switched to using my machines' ip in both cases and voila!