JWT was invented for OAuth2 and makes super sense if you want to separate authorization and authentication from your app. E.g. if you have several apps and want single sign-on between them.
For authorization code flow (one "kind" of OAuth2), the tokens are only exchanged between the app and the OAuth2 server. Session cookies are used in the browser.
For a single-process app, I agree, it makes little sense with JWT. For a micro service architecture where there are many processes and you don't want them blindly trusting each other, JWT is übercool.
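The "don't want them blindly trusting each other" point above is what signature verification buys you: each service re-checks the token itself instead of trusting whatever an upstream hop forwards. The following is an added example, not code from this thread; it builds and verifies a compact HS256 JWT with only the Python standard library, using a constructed shared secret (a real deployment would normally use an asymmetric key so services hold only the public key) and a hypothetical downstream service called `service_orders`.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by the issuer and the services. Assumption only:
# in production use an asymmetric key pair and ship services just the public key.
SECRET = b"demo-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, now: int, ttl: int = 300, secret: bytes = SECRET) -> str:
    """Issuer side: sign a compact JWT (RFC 7519 claims, RFC 7515 layout) with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now: int, secret: bytes = SECRET) -> dict:
    """Consumer side: every service independently checks signature, algorithm and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the expected algorithm; the verifier decides, never the token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def service_orders(token: str, now: int) -> str:
    """Hypothetical downstream service: authorizes only on claims it verified itself."""
    claims = verify_token(token, now)
    if "orders:read" not in claims["scope"].split():
        raise PermissionError("missing scope")
    return f"orders for {claims['sub']}"


def altered_payload(token: str) -> str:
    """Test helper: a token whose claims were changed in transit (signature left as-is)."""
    h, p, s = token.split(".")
    payload = json.loads(_b64url_decode(p))
    payload["scope"] = "orders:read admin"
    return h + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()) + "." + s


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token("alice", ["orders:read"], now)
    print(service_orders(token, now + 10))
    for bad in (altered_payload(token), token + "x"):
        try:
            verify_token(bad, now)
        except ValueError as exc:
            print("rejected:", exc)
```

Because the check is a signature, not a shared session store lookup, the orders service needs no call back to the issuer per request; the price is that the token stays valid until `exp`, so keep lifetimes short and treat revocation as a separate problem.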
might do a "microservices: are they more trouble than they're worth?" follow up lol
Sure....
And then you can choose the perspective you want to get the conclusion you desire:
For a single developer or 5: Microservices are overbloated and not worth the effort.
For 100+ developers developing different web applications where you want a seamless user-experience with single-sign-on between them, and that need to be able to release independently and have an otherwise-healthy architecture: Microservices do have their valid use-cases.
Where do you find that "JWT was invented for OAuth2"? JWT (RFC7519) was created significantly later than OAuth2 (RFC6749). However, OAuth2.0 Tokens (RFC8693) accommodates JWT & other tokens.
JWT is part of the JOSE suite of JSON security. If JWT was created for anything, it would be OpenID Connect (akin to OpenID 2.0).
BTW this article skips the usefulness of JWT for native app development, as well as server-server communications (as you infer with microservices).
Wups, probably my bad. Thanks for the correction.