Symmetric signing with public & private keys is not necessary for JWT. You can use a simple secret-based signing with an HMAC algorithm.
Not hard to manage, even in distributed environments. Most cloud providers offer secret management services that can easily be attached to most or all compute services. They also offer services to abstract away public/private keypair management, if you do need them.
In my experience, JWT is way easier to implement and manage in comparison to sessions. The former is stateless, the latter is stateful...
Not to mention that, with JWT becoming the standard on many, many new commercial/open source projects, there is an increasing dev and code base geared towards this tech. There are reasons why you don't necessarily want all your data self-contained, but they're not particularly the reasons mentioned in this article imo.
There is something iffy about using the same key for verifying and issuing tokens.
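An added example, not from either commenter, illustrating both points above: the first comment's claim that secret-based HMAC signing is simple to implement, and the second comment's concern about one key doing both jobs. It is a minimal HS256 issuer/verifier built only from the standard library; the secret and claims are constructed for the example. The verifier pins the algorithm rather than trusting the token's header, and `verifier_can_mint` shows the property the second comment is uneasy about: with HMAC, any party that holds the key to verify tokens can also forge them. Separating those two capabilities is exactly what an asymmetric algorithm (RS256/ES256, private key to sign, public key to verify) buys you; that path is not implemented here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample secret for this example (not from the original thread).
SECRET = b"example-shared-hmac-secret"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; re-adds the padding that JWT strips."""
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def issue_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT signed with HMAC-SHA256 (alg HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    claims_b64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{claims_b64}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if token is a valid HS256 token under key, else None.

    The expected algorithm is pinned by the verifier, not read from the token,
    so a header of {"alg":"none"} or a foreign algorithm is rejected outright
    instead of being honoured.
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # compare_digest is constant-time, so the MAC cannot be recovered
    # byte by byte through timing differences.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(claims_b64))


def verifier_can_mint(key: bytes) -> bool:
    """The 'same key' concern made concrete: whoever can verify can also issue.

    A service that only needs to check tokens, but holds the HMAC secret to do
    so, can mint a token with any claims it likes and it will pass verification.
    """
    forged = issue_hs256({"sub": "admin", "role": "superuser"}, key)
    return verify_hs256(forged, key) is not None


if __name__ == "__main__":
    token = issue_hs256({"sub": "alice"}, SECRET)
    print(token)
    print(verify_hs256(token, SECRET))
    print("verifier can forge tokens:", verifier_can_mint(SECRET))
```

Where many services only need to verify, distributing the HMAC secret to all of them widens the set of places a token can be forged from; with an asymmetric algorithm the private key stays with the issuer and verifiers get only the public key.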