The arguments against JWTs always seem to boil down to them having too many sharp edges that are too easy to get wrong.
That is a good argument against things in isolation, but we're not working in isolation, we have classic old server-side sessions with cookies and session IDs and so on. Are JWTs better than those? Well... kinda?
Sessions are _hard_ to get right. Frameworks can do 80% of the work, but not everyone uses frameworks that handle them, and the last 20% is still hard. Then, working in a multi-service environment, that all gets much harder.
Could JWTs be improved? Maybe. Does that mean we should avoid them? Probably not, they solve a certain kind of problem better than the available alternatives, and rolling your own alternative is only one step away from rolling your own crypto.
Everything is a tool in a toolbox. JWTs are not a good replacement for sessions for a couple of reasons:
* You can't have decentralized authentication AND invalidate a token.
* You have to have complicated client-side logic (as opposed to a cookie with a session id) to maintain your tokens. (Much of this is "solved" by using third-party packages to handle it.)
To me, it's reinventing the wheel to use JWTs as long term mutable storage. JWTs are GREAT for short term authentication between decentralized systems.
I can use a screwdriver as a makeshift hammer, but should I?
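The revocation point in the comment above, as an added example that is not part of the thread: a minimal HS256 JWT issuer and stateless verifier beside a server-side session store. Everything here is standard-library Python written for this illustration; the secret, the user ids and the 300-second TTL are made-up sample values. It shows that once the issuer has "logged the user out", a verifier holding only the key still accepts the token until `exp`, while the session lookup fails immediately. A real multi-service deployment would normally sign with RS256/ES256 so that services hold only the public key, but the revocation behaviour is the same.

```python
"""Added example (not from the thread): stateless JWT verification vs a session store.
Standard library only; key, user ids and TTL are constructed sample values."""
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, secret: bytes, ttl_seconds: int, now: int) -> str:
    """Issue a short-lived HS256 JWT; 'exp' is the only thing bounding its lifetime."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(dict(claims, iat=now, exp=now + ttl_seconds),
                              separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now: int):
    """Stateless verification: any service holding `secret` can do this with no
    round trip to the issuer. Returns the claims, or None if the token is invalid.
    The algorithm is pinned to HS256 so a client-supplied header cannot downgrade it."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None
        claims = json.loads(_b64url_decode(p_b64))
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return None
        return claims
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None


class SessionStore:
    """Server-side sessions: the cookie carries only an opaque id, the state lives here,
    so deleting the entry revokes the session on the very next request."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"sub": user_id}
        return sid

    def lookup(self, sid: str):
        return self._sessions.get(sid)

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def revocation_demo(now: int = 1_700_000_000) -> dict:
    """Issue both kinds of credential, log the user out on the issuer side, then ask
    an independent verifier whether each credential is still accepted."""
    secret = secrets.token_bytes(32)  # sample key shared by issuer and verifier
    store = SessionStore()
    sid = store.create("alice")
    token = issue_jwt({"sub": "alice"}, secret, ttl_seconds=300, now=now)

    # Logout or compromise on the issuer: the session record can be deleted,
    # but there is no issuer-side record of the JWT to delete.
    store.revoke(sid)

    # An attacker editing the payload while keeping the old signature.
    h_b64, _, s_b64 = token.split(".")
    forged = f"{h_b64}.{_b64url(json.dumps({'sub': 'mallory', 'exp': now + 300}).encode())}.{s_b64}"

    return {
        "session_after_revoke": store.lookup(sid) is not None,               # False
        "jwt_after_revoke": verify_jwt(token, secret, now + 60) is not None,  # True
        "jwt_after_expiry": verify_jwt(token, secret, now + 300) is not None, # False
        "jwt_forged_payload": verify_jwt(forged, secret, now + 60) is not None,  # False
    }


if __name__ == "__main__":
    print(revocation_demo())
```

The only knob the stateless side has is the TTL, which is why the comment's "short-term authentication between decentralized systems" is the fit: keep `exp` minutes away and let a refresh step, which can consult state, decide whether to mint the next one.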