Testing Jwt Authentication without ASP.NET Core Identity 2.0
Login (Valid user)
Login (Invalid user)
Call Protected API ([Authorize])
Call Protected Admin API [Authorize(Roles = "Admin")]
obtaining new tokens using the refresh_token should happen only if the id_token has expired. it is a bad practice to call the endpoint to get a new token every time you do an API call.