docs: access check config docs rework

docs/explanation/security.md

@@ -66,6 +66,7 @@ Strong passwords are critical to prevent unauthorized access.
 authd uses libpwquality to enforce password complexity requirements. See the
 [Configure password quality](ref::config-pwquality) section for details.
 
+(ref::force-auth-security)=
 #### Force provider authentication
 
 If the identity provider is reachable during login, authd verifies that the user

docs/howto/configure-authd.md

@@ -244,25 +244,32 @@ client_secret = <CLIENT_SECRET>
 :::::
 
 (ref::config-force-provider-auth)=
-## Force remote authentication with the identity provider
+## Force remote access check with the identity provider
 
 By default, remote authentication with the identity provider only happens if
 there is a working internet connection and the provider is reachable during
 login.
 
-If you want to force remote authentication, even when the provider is
-unreachable, enable it as follows:
+To ensure that user access permissions are always checked with the identity
+provider during login, even when the provider is unreachable, enable the check
+as follows:
 
 ```ini
 [oidc]
 ...
 force_access_check_with_provider = true
 ```
 
+This check works by forcing a token refresh during login, which fails if the
+user does not have the necessary permissions in the identity provider.
+
 ```{warning}
-In some cases, this may prevent login, such as when there are network issues.
+In some cases, forcing the access check may prevent login, such as when there are network issues.
 ```
 
+Additional information on the forced access check is provided in the [security
+overview](ref::force-auth-security).
+
 (ref::config-extra-scopes)=
 
 ## Configure extra scopes