Eh. JWTs are super handy if you have a single web experience spread across multiple backend apps on the same domain, with a single SSO server to set up the user auth. Definitely not for storing anything sensitive, but treating it like a fancy session cookie with the minimal amount one needs to securely access resources - customerId or whatever - makes life a lot easier than trying to wire up cookie / session management across a lot of different, disparate apps.
How is that possible, when every web framework has a package for handling sessions, and in a secure manner? Rolling everything on your own is time consuming and error prone. I know you should not use a library for everything, but this is a solved problem and has been for a long, long time (like crypto), and just using an off-the-shelf solution is the right choice to me. You can set the session to be across multiple subdomains and it will work out of the box.
Everything else can use plain tokens stored in the DB.
Yeah... but you can't just move a session across a heterogeneous set of servers with different backends, etc... Maybe some of your APIs are on one platform, the apps themselves on another. There are several libs that can help you do that.
JWT is not a solution for that, any regular token fixes this problem. If you need something like that you can build an auth server, and everybody talks to auth server. I've built these kinds of systems, they are complex and working on them is not fun, you have to be really careful not to mess things up and if I have to worry about JWT as well, this is one more problem in a distributed system that if I can avoid, I would gladly.
TBH, I've not found a use case for JWTs; maybe I'm not experienced enough, and if it's there, there must be a use case for it. But I've found that there are simpler authentication schemes you can do, and I try to do them instead of implementing JWT.
What are you talking about? Good frameworks have support for using guards on endpoints. Typically you add an annotation to the handler and that's it - and your system is then going to be much more secure than most alternative approaches, because the simple one-line guard ensures that only users who are authorized to access a specific resource can access it.
You just haven't understood what JWTs are good for. See my other comment in this thread.
I guess it doesn't signal anything. Luxury is about signaling, and an expensive phone doesn't signal anything.
What does signalling mean? Signalling means two things. The first order effect is the impact it has on your mind. When a person sees an expensive watch you might think "oh this person must be so important". The second order effect is the impact that knowing the impact it will have on other people's mind, will have on your mind. When a person sees an expensive watch they think "oh other people will think this person is so important". Interestingly in some circles the second order effect actually becomes first order (stronger). Personally I don't even notice watches but if I did I would think "oh, this will have an effect on other people".
Anyway, an expensive phone doesn't signal anything.
And if you wear an expensive watch but the rest doesn't fit, people assume it's a fake, like when you meet someone wearing a $12k Rolex buying cheap soap in a Dollar General store.