An interesting post: JSON Web Token vs. Session
A "plain" JWT is in fact no different from a client-side session; its advantages and disadvantages are the same:
Pros:
- The server does not need to store session data
- Stateless
- Validation is extremely fast, because no storage service has to be consulted
- Easy to scale out
Cons:
- A session is hard to invalidate proactively (short of letting it expire)
- All of the session information travels with the client, so it is readable by anyone holding the token (or at least at risk of exposure)
In the end, I think a better approach is to combine the two: use an external session and issue an opaque token (a reference token) as the session ID; the gateway translates this reference token into a real JWT, and the services behind the gateway then use the JWT.
See muCon 2016: Authentication in Microservice Systems by David Borsos
Original: Big Box Micro Services authentication problem
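The following is an added example, not code from the original post or from the talk it cites. It sketches the combined approach in plain Python: an external session store keyed by an opaque reference token, a gateway function that swaps the reference token for a short-lived HS256 JWT, and an internal-service check that validates the JWT without touching storage. It also demonstrates the two cons above: revoking the session store entry kills the reference token immediately, while a JWT already issued stays valid until its `exp`, and the JWT payload is readable by anyone who holds it. The signing key, the 300-second lifetime, and the in-memory dict standing in for Redis are all assumptions made for the example; a real deployment would use a vetted JWT library rather than hand-rolled HS256.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

# Assumed for the example: a signing key shared only by the gateway and the
# internal services, and a short lifetime for the minted JWT.
GATEWAY_SIGNING_KEY = b"gateway-internal-hs256-key-for-demo-only"
JWT_TTL_SECONDS = 300

# External session store: opaque reference token -> session data.
# A dict stands in for Redis or a similar store in this example.
SESSION_STORE: Dict[str, dict] = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def create_session(user_id: str, roles: List[str]) -> str:
    """Login step: store session data externally, hand the client only an opaque token."""
    reference_token = secrets.token_urlsafe(32)
    SESSION_STORE[reference_token] = {"sub": user_id, "roles": roles}
    return reference_token


def revoke_session(reference_token: str) -> None:
    """Logout or forced revocation: the reference token stops working at once."""
    SESSION_STORE.pop(reference_token, None)


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT (header.payload.signature, base64url without padding)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def gateway_translate(reference_token: str, now: Optional[int] = None) -> Optional[str]:
    """Gateway: resolve the opaque token against the store and issue a short-lived JWT."""
    session = SESSION_STORE.get(reference_token)
    if session is None:
        return None  # unknown or revoked reference token
    now = int(time.time()) if now is None else now
    claims = {
        "sub": session["sub"],
        "roles": session["roles"],
        "iat": now,
        "exp": now + JWT_TTL_SECONDS,
    }
    return sign_jwt(claims, GATEWAY_SIGNING_KEY)


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Internal service: check signature and expiry; no storage lookup is needed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse "none" and any algorithm switch
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None  # expired; the only way a plain JWT ever becomes invalid
    return claims


def peek_jwt_payload(token: str) -> dict:
    """Anyone holding the JWT can read its claims: the payload is merely base64url-encoded."""
    return json.loads(_b64url_decode(token.split(".")[1]))
```

Note that after `revoke_session` the gateway refuses the reference token immediately, but a JWT it already minted keeps verifying until `exp`; keeping that lifetime short is what bounds the revocation gap.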