[adolph]

> Since when were session tokens ever a bottleneck?

JWT allows for a user to authnz with a third party trusted by the second party. An example of this is HL7 FHIR SMART app launch, where an outside web application (2nd party) is opened from within an electronic medical records system (3rd party).

http://hl7.org/fhir/smart-app-launch/index.html

[magicalhippo]

Here in Norway, the gov't is using it the same role[1], where they have a single agency (Digdir) handling authorization, so that the other agencies don't have to deal with that and can just implement their APIs.

[1]: https://docs.digdir.no/docs/Maskinporten/maskinporten_summar...