by dragonwriter 2312 days ago
This is kind of a mess. The title says it authenticates the client, not the user, but it doesn't actually talk much about authn. What it actually seems to argue (with some detail, but incomplete to remotely make the case) is that the JWT should be used only to validate user->client authz, not user authz.

It fails to really do this, as it notes some IAM systems can be used to transmit user authz information in it, and it provides no substantive reason to reject that use; it just asserts that it's wrong and that there are (unspecified) better alternatives (which it also fails to explain how they are better concretely).

Waving a hand at more efficient and secure is nice, but show me a concrete security concern or evidence that another way is more efficient given that I'm already paying the cost to decode and parse the JWT and maybe I'll believe you.