This is a good overview, but I have yet to hear a compelling reason to use JWT.
String session tokens generated by a CSPRNG and stored in a cookie work fine for every use-case I can think of. What specifically is the argument for JWTs?
We have a single SPA as the front for multiple backend apps (I wouldn't call them microservices - each is responsible for a pretty big part of the business and maintained by a separate team). There's a single identity provider responsible for token generation, sign-in, and refreshing the token every few minutes.
It's easier to have, e.g., the userId embedded inside a signed token. Nobody has to call the identity provider; they don't even care where the tokens came from.
Our threat model for this software doesn't care too much if a token is valid for some seconds after logout. At this point the user was probably MITMed or lost control over their hardware and has much bigger issues than us.
Could we do this differently? Probably yes. Would there be a positive impact for the company if we dedicated time to this? Very doubtful.
JWT is only a tool. Sometimes it fits, sometimes not. No reason to get religious over this.
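The arrangement described in the reply above, sketched as an added example (not code from the commenter or their system): an identity provider signs a short-lived token carrying the user id, and a backend verifies it with only the public key, which also shows the window in which a token stays valid after logout. The Ed25519 key type, claim names, 300-second lifetime, function names and sample values are all assumptions.

```javascript
// Added example: key type, claims, lifetimes and names are assumptions, not from the thread.
const nodeCrypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const fromB64u = (x) => Buffer.from(x, 'base64url');

// Identity provider side: the only holder of the private key.
function issueToken(privateKey, userId, nowSec, ttlSec) {
  const header = b64u(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }));
  const payload = b64u(JSON.stringify({ sub: userId, iat: nowSec, exp: nowSec + ttlSec }));
  const sig = nodeCrypto.sign(null, Buffer.from(`${header}.${payload}`), privateKey);
  return `${header}.${payload}.${b64u(sig)}`;
}

// Backend side: holds only the public key and never calls the identity provider.
function verifyToken(publicKey, token, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(fromB64u(h).toString('utf8'));
    claims = JSON.parse(fromB64u(p).toString('utf8'));
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm; never let the token's own header choose it ("none", HS256, ...).
  if (!header || header.alg !== 'EdDSA') return { ok: false, reason: 'bad-alg' };
  if (!nodeCrypto.verify(null, Buffer.from(`${h}.${p}`), publicKey, fromB64u(s)))
    return { ok: false, reason: 'bad-signature' };
  if (!claims || typeof claims.exp !== 'number' || nowSec >= claims.exp)
    return { ok: false, reason: 'expired' };
  return { ok: true, userId: claims.sub };
}

// Constructed scenario: token issued at t0, user logs out at t0+30.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const t0 = 1700000000;
  const token = issueToken(privateKey, 'user-42', t0, 300);
  const [h, p, s] = token.split('.');
  const forged = b64u(JSON.stringify({ sub: 'admin', iat: t0, exp: t0 + 300 }));
  return {
    fresh: verifyToken(publicKey, token, t0 + 10),
    afterLogout: verifyToken(publicKey, token, t0 + 60), // backend cannot see the logout
    expired: verifyToken(publicKey, token, t0 + 300),
    tampered: verifyToken(publicKey, `${h}.${forged}.${s}`, t0 + 10),
    algNone: verifyToken(publicKey, `${b64u('{"alg":"none"}')}.${p}.`, t0 + 10),
  };
}
```

The `afterLogout` result is still accepted: with no call back to the issuer, the token lifetime is the only bound on how long a logged-out session remains usable.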