[miiiiiike]

With JWTs I don't do anything at the proxy beyond "This is a protected route. Is there a JWT? Is it valid? No to either? 403." This is one of the primary use cases for JWTs and it takes a majority of the load off of my application servers.

The route is open to the public for authenticated and authorized users. You wouldn't use a VPN here.

[andrewstuart2]

That's really just added work, IMO, and likely room for security misconfiguration between backend and proxy. You should still be validating and everything on the application server to inspect identity and possibly attributes like roles, so in the cases where you have invalid tokens you do the work once, just in the proxy instead of the backend, and with valid tokens you will do the signature validation work twice.

[miiiiiike]

Security starts at the edge.

Have you used JWTs in production? Better to bounce a bad JWT with a server written in C/C++/Rust/Go at the edge than to pass it back and have it tie up a Python or Node process.

Even in Python the time to validate a small JWT is negligible. At the edge it's nearly imperceptible.

[miiiiiike]

If you're concerned about misconfigurations, just verify/validate everything in tests.