Is it possible to verify the requesting user for a REST transaction secured by JWT at a later date?

Çağlar Arlı

I have a React (JavaScript) single-page application that authenticates users via username/password/MFA to Keycloak, receives a signed JWT upon successful authentication, and then uses that JWT to call stateless/session-less REST services.

With this setup, or with additional "moving parts" to be added to the overall system, is there a way, at a later date, to assert that a certain user identity was responsible for a transaction? Assume that we are able to store any/all data that is in-context (i.e., is part of the REST call for the transaction) at the time the transaction is requested.

Thanks to @alnbhclyn for their thoughts below. I think I need to clarify -- the key gap above seems to be the link between a JWT and the specific contents of a transaction. Is there a means of "signing" the transaction with the JWT or some part thereof such that a positive link between the two can be made at any point in the future?