An access token generated by one application works at another application's user info endpoint when we pass that access token to get the claims.
We are generating the access token with the token endpoint https://domain.com/affwebservices/CASSO/oidc/baymax/token (this is the abc application's token endpoint), and when we pass this access token (generated by the xyz application) to another application's user info endpoint https://domain.com/affwebservices/CASSO/oidc/payments/userinfo (this is the payments application's user info endpoint), it returns the claims of the Payments application.
Is this expected behavior in CA SiteMinder? Are there any settings to restrict it?
Note: The same scenario happens in all environments, including production.
Release : 12.8
Component : SITEMINDER - POLICY SERVER
This is expected behavior. There are no settings to restrict it as of now.