
Eh, disagree. For space, you can use elliptic curve instead of RSA to halve the size of your token.

Sticky sessions are really hard or impossible on public clouds where you can't load balance by ip/port hash. And still hard when you consider that mobile devices hop on and off wifi constantly. One of the worst, shittiest third parties we use has IP based sticky sessions and it's utterly broken because we run 3 instances in different AZs for HA.

"Users block all local storage" doesn't matter if you're doing something modern with React or Angular. The JWT is stored in JS.

"Implementations are not battle tested or don't exist". This is absolutely not true. Only morons use bare JWT. OIDC or OAuth2 are the way to go. And these libraries will handle random things like token refresh for you too.

JWT IS more secure, because tokens are unforgeable. This protects you against a ton of attacks. And not using cookies adds even more protection.

Lack of token revocation isn't true either. You can use a Bloom filter with a secondary db lookup for blacklisted tokens with minuscule extra load.

IMO this article is just outdated. Before OIDC and a bunch of libraries and tons of mobiles switching IP's and multiple AZ for HA and elliptic curve support, most of this was true.




> The JWT is stored in JS

Giving us, again and again, the same complaint received by every client since using React: refresh drops you to the login screen. It makes 'non-computer' people extremely angry. So yeah, still have to store it in the browser.

And we are not alone: most companies that actually have clients that used to have this fixed it by now: don't break fundamental browser buttons, any of them.


Azure does this but you're still "signed in", so all you have to do is click your account.



> Only morons use bare JWT

Why in the world would you write something like this?


That was a bit edgy, but I have seen far too many devs recreate OIDC using JWT. Writing their own token parsing and validation. Doing their own token expiration handling.

These days, just use OIDC. It takes care of everything for you. Most of the time, you just point your OIDC library at your auth server URL and it handles everything.



