Episode 095: 3‐13‐2025 Are JWTs bad for authz? - GluuFederation/identerati-office-hours GitHub Wiki

Title: Are JWTs bad for authz?

Description

Relying on data in token claims for authorization is a slippery slope that can lead to unexpected failures and painful debugging sessions. JWT bloat, caused by packing too many claims into the token, can run into request header size limits on proxies, load balancers, and firewalls, triggering outages that look intermittent because only the users with the largest claim sets (many groups, many roles) trip the limit. Beyond sheer size, data encoding schemes introduce additional complexity, especially when claim values are binary and have to be base64- or hex-encoded before they can be carried in JSON, and every consumer has to agree on which encoding was used. Dynamic claims, such as group memberships or roles that change during the token's lifetime, also risk inconsistency between what the token says and what the directory says if they are not handled properly. And then there's the issue of revocation: a self-contained JWT stays valid until it expires, regardless of what has happened since it was issued. In this episode, we'll break down the hidden dangers of overloading JWTs, consider real-world horror stories, and discuss best practices for keeping your tokens lean, and when you should consider reference tokens instead.
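To make the size problem concrete, here is an added example (not code from the episode, Gluu, or any project it mentions) that mints HS256 JWTs with the Python standard library only, grows the `groups` claim until the `Authorization` header line passes a proxy's header buffer, and contrasts that with a reference token whose size is fixed and which can be revoked by deleting it server-side. The issuer URL, the group DN format, and the two header limits (nginx `large_client_header_buffers` default of 8k per buffer and Apache `LimitRequestFieldSize` default of 8190 bytes) are assumptions used for illustration; check the actual limits of every hop in your own path.

```python
"""Added example: how JWT size grows with claims, and a reference-token alternative.
Standard library only (hmac/base64/json), so it runs offline. Not Gluu code."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed proxy defaults for one request header line; verify against your deployment.
HEADER_LIMITS = {
    "nginx large_client_header_buffers (8k)": 8192,
    "Apache LimitRequestFieldSize": 8190,
}


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Sign a claim set as a compact HS256 JWT: header.payload.signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature verifies, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))


def build_claims(n_groups: int) -> dict:
    """Constructed claim set: a small identity core plus n_groups group DNs (assumed format)."""
    now = int(time.time())
    return {
        "iss": "https://idp.example.test",  # assumed issuer
        "sub": "user-12345",
        "iat": now,
        "exp": now + 3600,
        "groups": [f"cn=group-{i:04d},ou=groups,o=example" for i in range(n_groups)],
    }


def header_line_size(token: str) -> int:
    """Bytes a proxy must buffer for the header line, including the CRLF terminator."""
    return len(f"Authorization: Bearer {token}\r\n".encode("ascii"))


def groups_until_limit(limit: int, key: bytes) -> int:
    """Smallest group count whose token pushes the header line past `limit` bytes."""
    n = 0
    while header_line_size(make_jwt(build_claims(n), key)) <= limit:
        n += 1
    return n


class ReferenceTokenStore:
    """Opaque handle in the header, claims kept server-side.
    The handle size is independent of the claim set, and revocation is a delete."""

    def __init__(self) -> None:
        self._tokens: dict = {}

    def issue(self, claims: dict) -> str:
        handle = secrets.token_urlsafe(32)  # 43 chars whether there are 0 or 5000 groups
        self._tokens[handle] = claims
        return handle

    def introspect(self, handle: str) -> Optional[dict]:
        claims = self._tokens.get(handle)
        if claims is None or claims["exp"] < time.time():
            return None
        return claims

    def revoke(self, handle: str) -> None:
        self._tokens.pop(handle, None)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    for name, limit in HEADER_LIMITS.items():
        n = groups_until_limit(limit, key)
        size = header_line_size(make_jwt(build_claims(n), key))
        print(f"{name}: header line exceeds {limit} bytes at {n} groups ({size} bytes)")
    store = ReferenceTokenStore()
    handle = store.issue(build_claims(500))
    print(f"reference token header line: {header_line_size(handle)} bytes for 500 groups")
    store.revoke(handle)
    print("introspection after revoke:", store.introspect(handle))
```

Each group DN adds roughly 48 bytes of base64url-encoded payload, so a token crosses an 8 KB buffer somewhere around 170 groups; users below that threshold never see a problem, which is exactly why the resulting outages look intermittent. The reference token's header line stays under 100 bytes regardless of how many groups the user has, and revoking it takes effect on the next introspection call rather than at `exp`.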

Homework

Takeaways

TBD

Livestream Audio Archive

Will be Here