[hatefulheart]

Yes we have heard this before, React is only 30kb! But that misses the enormous amount of infra you need to even just do a basic fetch. (Read the post by the React Query author on whether you need React Query or not)

Likewise with JWTs for sessions you need to handle cache invalidation, revocation lists, key rotation, the list of difficult comp sci problems really does go on!

The same issue as always plaguing the frontend world. Up front “simplicity”, enormous actual complexity

[locknitpicker]

> Yes we have heard this before, React is only 30kb!

Not quite. You might be surprised to know, but the whole JOSE standard, and JWT in particular, specify a very limited set of fields. Whenever anyone starts requiring more than that, the responsibilities start to be offloaded to the likes of OpenID Connect.

[jkrejcha]

For those curious, here are the relevant specified fields along with the relevant standards (both IETF, OIDC, etc)

JWT: https://www.iana.org/assignments/jwt/jwt.xhtml

JOSE: https://www.iana.org/assignments/jwt/jwt.xhtml

[hparadiz]

This is actually really funny because I recently had this problem having to authenticate an internal repo with an OIDC but the script had to run so early in the bootstrap processes that the python google sdk is not yet installed so I had to manually install the SDK before apt is available by pulling it down manually to bootstrap the chicken or the egg problem. My initial implementation was using curl but folks insisted (rightly) on using the official SDK. I'm sure it's a lot more than 30kb though not during runtime per say.