Question 1: Store Roles in Keycloak (Identity Broker) or in the OIDC provider (Microsoft)?
Question 2: Separate JWKS endpoints for different clients (e.g. mobile, web) for a Realm?