Personally, I've hand-written a few JWT implementations, and usually avoid even using a few of the "standards", often avoiding even reading the header. This is because usually I've used them for internal systems calling other systems.
If you avoid reading the header, and have a standard policy on signatures, combined with very short-lived tokens (max 1m) combined with HTTPS, there is minimal risk.
Yes, the standard is flawed, but that doesn't mean the structure is inherently bad, or that using said design is bad by itself.
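An added example (not the commenter's code) of the approach described above: a minimal HS256 verifier that never parses the header, pins the algorithm by policy, and rejects any token whose lifetime exceeds 60 seconds. The `sign`/`verify` names and the `MAX_LIFETIME` constant are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Policy: fixed HMAC-SHA256, header ignored, lifetime capped at one minute.
MAX_LIFETIME = 60  # seconds (assumed value for the "max 1m" policy)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign(payload: dict, key: bytes) -> str:
    """Issue a token; the header is written only so the token stays well-formed."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify(token: str, key: bytes, now=None):
    """Return the claims if acceptable, else None. The header is never parsed,
    so an attacker-controlled 'alg' value has no effect on what is checked."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    now = time.time() if now is None else now
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        return None
    # Enforce the short-lifetime policy as well as the usual validity window.
    if exp - iat > MAX_LIFETIME or now >= exp or now < iat:
        return None
    return claims
```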