Configuration support to use the same JWT as the client assertion token at application level in private-key-jwt
Problem
Private key JWT is a client assertion mechanism available to confidential client applications. In this mechanism, the JWT is generated from a JSON payload (which carries information about the client application and token metadata) and signed with the client's private key. As stated in the spec, a generated JWT can only be used once unless both parties agree to allow reuse of the token [1]. Identity Server provides this capability of reusing the private key JWT through an organization-wide config. Because it is an organization-wide config, all applications registered under the organization are bound to it.
Improvement
Depending on the level of security an application needs, the reusability of the token should be adjustable at the application level. Therefore we need to introduce an application-level configuration that allows reuse of the private key JWT.
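As an added illustration (not Identity Server code), the following shows how a token endpoint could enforce single use of the client assertion's `jti` while honouring a per-application reuse setting that overrides the organization-wide default; the class and field names (`ReusePolicy`, `AssertionValidator`, `app_allows_reuse`) are assumed for the example.

```python
import time
from dataclasses import dataclass, field


@dataclass
class ReusePolicy:
    """Org-wide default plus per-application override (constructed for this example)."""
    org_allows_reuse: bool = False
    app_allows_reuse: dict = field(default_factory=dict)  # client_id -> bool

    def allows_reuse(self, client_id):
        # An application-level setting, if present, wins over the org-wide one.
        return self.app_allows_reuse.get(client_id, self.org_allows_reuse)


@dataclass
class AssertionValidator:
    token_endpoint: str
    policy: ReusePolicy
    seen_jti: dict = field(default_factory=dict)  # (client_id, jti) -> exp

    def validate(self, claims, client_id, now=None):
        """Check the decoded claims of a private_key_jwt client assertion whose
        signature has already been verified against the client's registered key.
        Returns (ok, reason)."""
        now = now if now is not None else int(time.time())
        if claims.get("iss") != client_id or claims.get("sub") != client_id:
            return False, "iss/sub must equal client_id"
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if self.token_endpoint not in aud:
            return False, "aud must contain token endpoint"
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return False, "assertion expired or exp missing"
        jti = claims.get("jti")
        if not jti:
            return False, "jti missing"
        # Drop expired entries so the replay cache does not grow without bound.
        self.seen_jti = {k: v for k, v in self.seen_jti.items() if v > now}
        key = (client_id, jti)
        if key in self.seen_jti and not self.policy.allows_reuse(client_id):
            return False, "jti already used and reuse not allowed for this application"
        self.seen_jti[key] = exp
        return True, "ok"
```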