Advice on JWT - Restrict certificate to a specific user
We are implementing JWT authentication for integration with a third-party application,
but while implementing it we found a risk, as mentioned below:
1) Application1 shares their certificate, say CertA, with Oracle, and we uploaded it in Oracle.
Now, using the private key, they can generate a token for any user, say userA, which has salary access, or userB, which has absence detail access.
2) Application2 shares their certificate, say CertB, with Oracle; say they need userC for payroll access.
We want Application1 not to have access to payroll details, but the problem is that they can generate a token for any user, so it can be a breach.