I have added bearer token authentication on an API for a client. In the access token that's sent to the API, the issuer is this: http://[some-domain.com]/adfs/services/trust
.
Is the identity provider configured incorrectly or in an unsafe way when this URL is on HTTP, and not HTTPS? Or is this simple just a string, not used to make requests, and thus it doesn't matter if it says HTTP?