1. Everyone, I beg you to stop saying “JWT token” which is the equivalent of saying “JSON web token token”.
2. Any argument to store session info in a database or cache cannot be considered for true microservices.
- That is unless you want to rely on inter-service communication across an asynchronous queue (or bad practice, REST) to notify all services to insert/update/delete session info - which creates the inherent problem of potentially incorrect session data based on when the operation was processed. Whereas a JWT can be verified by any service, anywhere.
3. The argument that one could be used for XSS and CSRF is a bit off.
- You can’t modify the content of the token without invalidating it.
- Sites utilizing the JWT should take note of an audience “aud” and “Nonce” (“azp” if using AAD).
- Anything an XSS attacker could do with a JWT they could do with a session based scheme (they have JavaScript access as the user).
- etc etc etc
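As an added illustration (not part of the comment above), here is a minimal pure-Python HS256 JWT issuer and verifier that pins the algorithm, checks the "aud" and "nonce" claims the comment recommends, and shows that editing the payload without the key fails signature verification; the key, claims and service names are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def encode_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS: HMAC-SHA256 over base64url(header).base64url(payload)."""
    head, body = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes, expected_aud: str, expected_nonce: str, now=None) -> dict:
    """Return the claims if alg, signature, aud, nonce and exp all check out; raise ValueError otherwise."""
    head, body, sig = token.split(".")  # wrong segment count raises ValueError
    # Pin the algorithm: the header's alg must never select the verifier.
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud")  # "aud" may be a single string or a list of audiences
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims

def verification_result(token, key, expected_aud, expected_nonce, now=None) -> str:
    """Return "ok" or the rejection reason, so a service can log why a token was refused."""
    try:
        verify_hs256(token, key, expected_aud, expected_nonce, now)
        return "ok"
    except ValueError as e:
        return str(e)

def swap_payload(token: str, new_claims: dict) -> str:
    """Replace the payload but keep the old signature (an edit without the key); verification must fail."""
    head, _, sig = token.split(".")
    return f"{head}.{_segment(new_claims)}.{sig}"
```

Any service holding the key (or, with RS256/ES256, the public key) can run the same checks locally, which is the comment's point about not needing a shared session store.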