[-] devaly@ani.social 7 points 2 days ago

Dumb post written by dumb people.

Cannot even understand the tradeoffs between public verified auth tokens and opaque tokens.

Thinks Redis works for all use cases and scales, free of cost.

[-] elvith@feddit.org 7 points 1 day ago

Yeah, I was reading this and thinking "they have a point, if they refer to talking about a personal project. They might have a point in some place where a simple auth and session cookies are enough."

Go into a company infrastructure that has a multitude of different systems (first and third party) and also some identity management system and SSO - now we're closer to the use case of a JWT. There's a saying "never roll your own crypto" - that somewhat applies to auth as well. There's so much that can (and will) go wrong.

They do have a point about token revocation (or the additional round trip for that), but... In the scenario above, why would you issue tokens that are valid longer than a day or a few hours??

this post was submitted on 23 May 2026