iluom
Contributor II

Can we use single JWT token for multiple requests?

Hello All,

Can we use a single JWT token for multiple requests?

There is a system where JWT tokens can be created without invalidating the others; they self-expire after 30 min.

So I can get a JWT once, and then make a bunch of requests within 30 min, and if you continue making requests with the same JWT after 30 min, you'll get unauthorized.

A single access token with multiple audiences for the same API.

The same token is being used for multiple requests.

Is it a good practice?

Chandra Mouli, CISSP, CCSP, CSSLP
3 Replies
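As an added example, not code from the original post: a stdlib-only Python HS256 JWT issuer and verifier that shows why the scenario above behaves as described (the same token is accepted on every request until its `exp` claim passes, because verification keeps no per-request state) and how an `aud` claim carrying several audiences is checked. The secret, subject and audience names are constructed sample values.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"   # hypothetical signing key, constructed
TOKEN_LIFETIME = 30 * 60              # the 30 min self-expiry from the post

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, aud, now: int) -> str:
    """Issue an HS256 JWT that self-expires TOKEN_LIFETIME seconds after `now`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": sub, "aud": aud, "iat": now, "exp": now + TOKEN_LIFETIME}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, expected_aud: str, now: int) -> dict:
    """Check signature, expiry and audience; raise ValueError on any failure.
    Nothing here is per-request state, so the same token passes on every
    request until `exp` is reached, which is the reuse the question describes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm, never trust the header
    expected_sig = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= claims["exp"]:
        raise ValueError("token expired")    # the 'unauthorized' after 30 min
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # RFC 7519: aud may be string or array
    if expected_aud not in aud:
        raise ValueError("audience mismatch")
    return claims

def check(token: str, expected_aud: str, now: int) -> str:
    """Return 'ok' or the rejection reason, as a resource server would log it."""
    try:
        verify_token(token, expected_aud, now)
        return "ok"
    except ValueError as e:
        return str(e)
```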
CraginS
Defender I

Well, I admit total ignorance on "JWT token," so a quick web search led me to Introduction to JSON Web Tokens.

I suspect a few others on the forum may find that page helpful, too.

Oh, and having read that page... darn good question, Mouli @iluom!

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
AlecTrevelyan
Community Champion

Let me try and answer this from an almost newly minted CSSLP's (pending endorsement) perspective.

The principle of complete mediation would say no. However, the principle of psychological acceptability might say yes. It really depends on what the token allows you to do and the risks those actions carry.

Does it allow:

  1. Users to launch nuclear missiles
  2. Users to access the credit card information they have saved in an account profile
  3. Users to post messages on a cat pictures blog

You'd probably not want to reuse any tokens if they give you authorisation to launch nuclear missiles; you'd want this to require authentication each and every time.

You might decide you can relax the authentication requirements a little for access to credit card information, so it authenticates the first time but can then reuse the token a few times before requiring re-authentication, and set a shorter timeout than the default 30 mins.

You might even choose to extend the 30 min timeout if some harsh comments about your cat pictures are the worst you will face.

Also, it depends what protections you have in place concerning other security aspects of your system. If the rest of the security is not up to scratch (commensurate with the system's criticality), then token reuse might be the least of your worries.

CookieMonster
Newcomer I

If using it for identification such as OAuth or SAML, I don't see why reusing it would be an issue. In fact this is what it is about: SSO. The key is that the process supports integrity of the identification. If so, it should be used frequently and often.
Life is short... Eat more Cookies!
Brian Hildebrandt CPA, CISSP