
But doesn't JWT sometimes force people to use it in an insecure way because of how it is designed?

In a JavaScript browser app without a backend server it is impossible to use it safely. The token must be visible to JavaScript, which is unsafe by default.

You also need to store both the token and refresh token in your app which makes the refresh safety feature useless.

I still don't get JWT. It solves requesting an auth server all the time, but when the token is stolen it can be used until it expires. This can be solved by setting the expiration very low, but then the auth server is still requested all the time.




The only insecure-by-design authentication scheme is passing the user identifier through HTTP headers (it's unfortunately quite common). Headers are set by the web client, so any client can claim to be anyone.
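The two patterns the thread contrasts, as an added example that is not part of either comment: a handler that trusts a client-supplied `X-User-Id` header (accepts anything), beside one that accepts only an HS256 JWT whose signature verifies and whose `exp` claim has not passed. The secret, header name and claim layout are constructed for the demo; it also shows the point from the earlier comment that a validly signed token stays usable until `exp` no matter who presents it.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo secret; a real service loads this from a secrets store.
SECRET = b"demo-secret-not-for-production"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(user_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT for user_id that expires ttl_seconds from now."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": user_id, "exp": now + ttl_seconds}, **compact).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def user_from_header(headers: dict) -> Optional[str]:
    """Insecure pattern from the comment: the client picks its own identity."""
    return headers.get("X-User-Id")

def user_from_jwt(headers: dict, now: Optional[int] = None) -> Optional[str]:
    """Safer pattern: identity comes only from a token the server can verify."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        header, payload, sig = auth[len("Bearer "):].split(".")
        hdr = json.loads(_b64url_decode(header))
        claims = json.loads(_b64url_decode(payload))
        presented = _b64url_decode(sig)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm server-side; never let the token choose it.
    if hdr.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    # A stolen token with a valid signature is still accepted until exp.
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims.get("sub")
```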



