by omgitstom 3655 days ago
Thanks, Evan. These are all good points. I'm surprised to see this on HN since it is an old article I wrote.

In regards to the replay attacks, if you are using JWTs in a 3 party setup, and they are validating JWTs locally (not sending them back to a validation endpoint), the jti claim won't be enough.

Thanks again for clearing that up! Considering this blog post may still have a use, I'll update it soon.

2 comments

Heheheh, no problem. I recognized it was your article, Tom. Sorry to be pedantic. JOSE is really just way too complicated. Go Dukes!
Definitely not pedantic! Believe it or not, JOSE was still a draft when this blog post was released into the wild.
What would you need in addition to a jti claim in a 3 party setup with local validation?