They're also notoriously fragile!


Can you be more specific? A JWT's structure is really simple and easier to process compared to what came before (SAML, etc).

I accept there's fragility in the wider distributed-authX/federation ecosystem (e.g. browser cookie policies breaking OIDC), but that's not inherent in JWT.



Nothing in that article mentions any kind of "fragility" in JWT's design - and the issues it documents (e.g. consumers overwriting the signature portion) concern only extremely non-compliant (i.e. dodgy) JWT scenarios - which sounds like someone applying a bodge because they were forced to implement JWT because it was thrust onto them, usually because JWT is already so popular - so it's nothing inherent in JWT specifically, but any kind of distributed, non-opaque and structured authX/id-token would suffer from the exact same problems - though I appreciate the textual basis of JSON and JWT lowers the barrier-to-entry-for-bodging compared to binary formats like ASN.1 (though I speculate that if we had to use a binary format today things would be a lot worse overall, due to second-order effects of using a binary format, e.g. relating to higher barriers-of-entry).

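The two comments above disagree about whether a consumer "overwriting the signature portion" is a JWT problem or a bodge. The following is an added example, not code from the thread or from the linked article, showing the three-segment compact JWS layout the first comment calls simple, plus a verifier that refuses tokens whose signature segment has been emptied or whose payload was altered. The key, payload values and the `InvalidToken` exception are constructed for the demo; the verifier pins HS256 rather than trusting the token's own `alg` header, which is a design choice of this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secret store.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the base64 module needs."""
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_hs256(payload: dict, key: bytes) -> str:
    """Build base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


class InvalidToken(Exception):
    """Raised for any token the verifier will not accept (hypothetical name)."""


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify a compact JWS under a pinned algorithm and return its payload.

    The algorithm is fixed here by the verifier; the header's "alg" is only
    checked for agreement, never used to choose how the signature is checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    if not sig_b64:
        raise InvalidToken("missing signature segment")
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise InvalidToken(f"malformed segment: {exc}") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("algorithm mismatch")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check leaks nothing about the expected MAC.
    if not hmac.compare_digest(sig, expected):
        raise InvalidToken("bad signature")
    return json.loads(b64url_decode(payload_b64))


def rejects(token: str, key: bytes) -> bool:
    """True if verify_hs256 refuses the token, False if it accepts it."""
    try:
        verify_hs256(token, key)
    except InvalidToken:
        return True
    return False


if __name__ == "__main__":
    good = mint_hs256({"sub": "alice", "role": "user"}, DEMO_KEY)
    print("valid token accepted:", verify_hs256(good, DEMO_KEY))
    h, p, s = good.split(".")
    # Payload altered, original signature left in place.
    forged_payload = b64url_encode(b'{"sub":"alice","role":"admin"}')
    print("altered payload rejected:", rejects(f"{h}.{forged_payload}.{s}", DEMO_KEY))
    # The "signature segment overwritten by a consumer" case: segment emptied.
    print("empty signature rejected:", rejects(f"{h}.{p}.", DEMO_KEY))
```

Run it as a script to see the three outcomes. The structural checks (exactly three segments, a non-empty signature segment, a header that agrees with the pinned algorithm) are what keep a token with its signature portion stripped or replaced from being treated as a bare, trusted JSON payload.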

No, none of that is true. Follow the links, too. Really, the whole article is about how to do better than JWT in an auth token format.

It's always interesting to come across people who are surprised by things like JWT being considered a poor format. The only reason you don't see this said all the time in 2023 is that it was settled years ago. Cryptography engineers hate JWT.


>The only reason you don't see this said all the time in 2023 is that it was settled years ago.

Was it? If it was settled, we wouldn't keep seeing these kinds of debates.

>Cryptography engineers hate JWT.

Appeal to authority. I'm sure that they hate plenty of other things too, doesn't make their opinions or emotions automatically correct.


It is indeed an appeal to authority. And, if you read the comment again, you'll see that you're agreeing with me: hearing that JWT is bad surprised the previous commenter precisely because we've stopped having meaningful discussions about whether JWT is good; it isn't, the case is closed, there's not much more to talk about.



