I think this section of Tableau Product Help on how Tableau and OpenID Connect work together will explain this information. In short, the request would be sent to the IdP for authentication when the Tableau Server user requests a resource.
More detailed info here: OpenID Connect
Let me know if you have any additional questions or if I misunderstood the question!
Hope this helps!
Thank you for the reply. I have reviewed that page you linked a few times already and it seems to only cover the initial authentication and authorization process.
My question was more specifically around how things work after the user has been authenticated with Tableau Server through the IdP. When calls are made to Tableau Server post-authentication, I would expect that Tableau would send some sort of validation call to confirm that the access token it receives (which would have been generated by the IdP during the authentication process by the /token API endpoint) is valid and not expired. From my research into the OpenID Connect specification and the Authorization Code flow, it is not super clear about how that should be done, but there are generally 2 options: either by having Tableau Server send a call to some sort of validation endpoint on the IdP (often called /introspect) every time it receives a request to determine if the code is still valid before performing the request's actions, or by the access token being self-contained (meaning it has been issued by the IdP to exist for a set period of time that cannot be revoked by the IdP through a logout call). So, I am trying to determine which of these options Tableau uses, if that makes sense?
Any input into this and what this potential /introspect call might look like coming from Tableau would be super helpful. Thanks again!
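The two validation options described in the post above, sketched as an added example that is not part of the original thread, is not Tableau's code, and does not indicate which option Tableau Server uses. The introspection request follows RFC 7662; the endpoint URL, client credentials, and the HS256 shared key standing in for the IdP's signing key are constructed assumptions.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Option 1: RFC 7662 introspection. The resource server asks the IdP per request.
def build_introspection_request(url, client_id, client_secret, token):
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return "POST", url, headers, body

def introspection_allows(response_json):
    # "active" is the only required member; false covers expired AND revoked tokens.
    return json.loads(response_json).get("active") is True

# Option 2: self-contained JWT, checked locally with no call to the IdP.
def make_jwt(claims, key):  # builds the constructed sample token
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def validate_jwt_locally(token, key, now=None):
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return False  # pin the algorithm; never trust the header's choice
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return False
        exp = json.loads(b64url_decode(body)).get("exp")
    except (ValueError, TypeError, AttributeError):
        return False
    current = time.time() if now is None else now
    return isinstance(exp, (int, float)) and current < exp

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: stands in for the IdP signing key
    tok = make_jwt({"sub": "user1", "exp": int(time.time()) + 300}, key)
    print(build_introspection_request("https://idp.example/introspect", "rs", "s3cret", tok))
    print("local check:", validate_jwt_locally(tok, key))
    print("IdP says revoked:", introspection_allows('{"active": false}'))
```

The last two lines of the demo show the trade-off raised in the question: a token the IdP has revoked still passes the local check until `exp`, while the introspection response reports it inactive.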