Can we use single JWT token for multiple requests?
there is a system where JWT tokens can be created without invalidating the other, they self-expire after 30 min.
So I can get a JWT once, and then make a bunch of requests within 30 min, and if you continue making requests with the same JWT after 30 min, you’ll get unauthorized.
A single access token with multiple audiences for the same API
same token is being used for multiple requests.
Is it a good practice ?
Well, I admit total ignorance on "JWT token," so a quick web search led me to
I suspect a few others on the forum may find that page helpful, too.
Oh, and having read that page... darn good question, Mouli @iluom !
Let me try and answer this from an almost newly minted CSSLP's (pending endorsement) perspective.
The principle of complete mediation would say no. However, the principle of psychological acceptability might say yes. It really depends on what the token allows you to do and the risks those actions carry.
Does it allow:
You'd probably not want to reuse any tokens if they give you authorisation to launch nuclear missiles you'd want this to require authentication each and every time.
You might decide you can relax the authentication requirements a little for access to credit card information so it authenticates the first time but then can reuse the token a few times before requiring re-authentication and set a shorter timeout than the default 30 mins.
While you might even choose to extend the 30 mins timeout if some harsh comments about your cat pictures is the worst you will face.
Also, it depends what protections you have in place concerning other security aspects of your system. If the rest of the security is not up to scratch (commensurate with the system's criticality) then token reuse might be the least of your worries.