> JWTs (...) can’t be revoked easily and may expose sensitive data if not encrypted.
This is not true.
Revoking a JWT is as simple as adding the JWT ID to a list of revoked JWTs. If a JWT is valid and its JWT ID is in the revoked list, the JWT is refoked. The tradeoff is that resource servers need to periodically refresh this list.
Also, a JWT only leaks sensitive data if you purposely want the JWT to ship sensitive data. Nothing forces you to do that.
> Opaque tokens (...) offer better security and revocation control but come with extra overhead and reduced scalability.
This is simply wrong. Any security and revocation check you can do with a opaque token, you can do with a JWT as well.
From the article:
> JWTs (...) can’t be revoked easily and may expose sensitive data if not encrypted.
This is not true.
Revoking a JWT is as simple as adding the JWT ID to a list of revoked JWTs. If a JWT is valid and its JWT ID is in the revoked list, the JWT is refoked. The tradeoff is that resource servers need to periodically refresh this list.
Also, a JWT only leaks sensitive data if you purposely want the JWT to ship sensitive data. Nothing forces you to do that.
> Opaque tokens (...) offer better security and revocation control but come with extra overhead and reduced scalability.
This is simply wrong. Any security and revocation check you can do with a opaque token, you can do with a JWT as well.
Overall the quality of the article is quite poor.