by hvb2
27 days ago
What about the other claims, aud and iss for example? And automatically being able to validate those tokens through OIDC? And don't pretend that the two are not related, because typically an OIDC provider is the thing issuing those JWTs. So, can you simplify? Sure. And now every part of your application needs access to that same table of sessions to get revocation. It works fine for simple applications, not for large solutions with many different systems that cross org boundaries, because in a lot of orgs the boundaries of the services are more organizational than technical. If you want to be the one that makes them all depend on your SPOF, go ahead; I want to see you sell that idea to your CTO.