JWT promises stateless authentication and delivers neither. It's a cargo cult that makes your app slower, less secure, and harder to maintain — and almost every developer shipping it has no idea why.
Yeah, I was reading this and thinking "they have a point, if they refer to talking about a personal project." They might have a point in some place where simple auth and session cookies are enough.
Go into a company infrastructure that has a multitude of different systems (first and third party) and also some identity management system and SSO - now we're closer to the use case of a JWT. There's a saying "never roll your own crypto" - that somewhat applies to auth as well. There's so much that can (and will) go wrong.
They do have a point about token revocation (or the additional round trip for that), but... in the scenario above, why would you issue tokens that are valid longer than a day or a few hours?
Dumb post written by dumb people.
Cannot even understand the tradeoffs between public verified auth tokens and opaque tokens.
Thinks Redis works for all use cases and scales free of cost.
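The two comments above are arguing about the same tradeoff: a self-verifying token needs no lookup, but then revocation either costs you a round trip (a `jti` denylist) or is bounded only by a short `exp`. The following added example (written for this page, not code from the linked article or from either commenter) makes that concrete with a minimal HS256 JWT minted and verified in the standard library only. The signing key, the `tok-1` identifier, the timestamps and the `revoked_jtis` set are all constructed for the demo. The hand-rolled HS256 is here only so the checks are visible; in production you would use a maintained JWT library, which is the "never roll your own" point from the first comment.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Set

# Constructed demo key. A real deployment loads this from a secrets manager.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint(sub: str, jti: str, ttl_seconds: int, now: int) -> str:
    """Issue a short-lived HS256 JWT.

    ttl_seconds bounds how long a leaked or revoked token stays usable for a
    verifier that skips the revocation lookup, which is why the first comment
    asks why anyone would issue tokens valid longer than a few hours.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, revoked_jtis: Set[str], now: int) -> Optional[dict]:
    """Return the claims if the token is acceptable, otherwise None.

    Stateless checks: algorithm pinned to HS256 (so "none" or an attacker-chosen
    alg is rejected), signature, and exp. Stateful check: jti against a
    revocation set. That last lookup is the extra round trip the thread is
    debating; an opaque token would need a lookup for every check, not just this one.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:  # malformed split, bad base64, or bad JSON
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if claims.get("jti") in revoked_jtis:
        return None
    return claims


def demo() -> dict:
    """Walk through the failure modes with constructed inputs; returns which checks held."""
    now = 1_700_000_000
    revoked: Set[str] = set()
    token = mint("alice", "tok-1", ttl_seconds=3600, now=now)
    h_b64, p_b64, s_b64 = token.split(".")
    results = {}
    results["fresh"] = verify(token, revoked, now + 10) is not None
    # Revocation only works if the verifier pays for the lookup.
    revoked.add("tok-1")
    results["revoked"] = verify(token, revoked, now + 10) is None
    # Without the lookup, exp is the only thing that ends the token's life.
    results["expired"] = verify(token, set(), now + 3601) is None
    # Forged payload reusing the original signature.
    forged_payload = _b64url(b'{"sub":"admin","jti":"tok-2","iat":0,"exp":9999999999}')
    results["tampered"] = verify(f"{h_b64}.{forged_payload}.{s_b64}", set(), now) is None
    # Unsigned token with alg "none" must not be accepted.
    none_header = _b64url(b'{"alg":"none","typ":"JWT"}')
    results["alg_none"] = verify(f"{none_header}.{p_b64}.", set(), now) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The `revoked` set stands in for whatever shared store the second commenter has in mind (Redis or otherwise); the cost of that store is exactly the stateful part that the stateless claim glosses over, and a short `ttl_seconds` is what keeps that store small and its consistency window short.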