Auth with JSON Web Tokens

51 points by jpdlla over 11 years ago

3 comments

sunir over 11 years ago
I still don't understand the benefit of JSON Web Tokens over cookies after reading this and the associated blog post by Alberto Pose:

http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/

They seem like they are recreating the cookie mechanism using browser local storage and HTTP Authenticate headers, but without any of the associated browser security. I guess the use case would be when you want to use a cookie across domains...?

Aren't cookies restricted for a reason? Can't anyone who can execute JS on that domain swipe the JWT token out of storage and then impersonate the user?

One reasonable use case for JWT is to replace SAML assertions for single sign-on (SSO) from one web application to another, like Zendesk is doing:

https://support.zendesk.com/entries/23675367-Setting-up-single-sign-on-with-JWT-JSON-Web-Token-

Here, the JWT is stored not in the browser but on the server in the app trying to SSO with the identity provider (in this case Zendesk).
Comment #7085665 not loaded
Comment #7085017 not loaded
brissmyr over 11 years ago
Worth mentioning is that JWT is used in the OpenID Connect standard (which is built on top of OAuth 2) for the authentication part. We use it in https://userbin.com to smoothly transfer user sessions between different platforms. Previously we used to roll our own (de-)serialization, signing, session expiration and encryption schemes, but JWT solves a lot of pain and makes it more obvious for developers to understand how this part of our authentication flow works, and they are able to use the JWT libraries available in most programming languages.
Comment #7085384 not loaded
Comment #7085242 not loaded
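As an added illustration of the two server-side uses raised in the comments above (sunir's SAML-style SSO hand-off, where the token never touches browser storage, and brissmyr's point that JWT gives a standard signing/expiry format), here is a minimal HS256 mint-and-verify round trip with the checks a relying party has to perform. This is example code written for this page, not code from either commenter, from Zendesk, from Userbin or from any JWT library; the shared secret, the issuer/audience names and the timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time


class JWTError(Exception):
    """Raised when a token fails any verification step."""


def b64url_encode(data: bytes) -> str:
    # JWT segments are unpadded base64url (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 token: header.payload.signature."""
    signing_input = f"{_compact_json({'alg': 'HS256', 'typ': 'JWT'})}.{_compact_json(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_jwt(token, secret, issuer, audience, now=None, leeway=60):
    """Verify signature, algorithm, issuer, audience and time window; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header is untrusted until the signature is checked, so the verifier
    # pins the algorithm itself instead of letting the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise JWTError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise JWTError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise JWTError("malformed claims")
    if claims.get("iss") != issuer:
        raise JWTError("wrong issuer")
    if claims.get("aud") != audience:
        raise JWTError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)):
        raise JWTError("missing exp")
    if now >= claims["exp"] + leeway:
        raise JWTError("expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise JWTError("not yet valid")
    return claims


def check(token, secret, issuer, audience, now):
    """Non-raising wrapper: ("ok", claims) or ("rejected", reason)."""
    try:
        return "ok", verify_jwt(token, secret, issuer, audience, now)
    except (JWTError, ValueError) as exc:  # base64/JSON errors are ValueError subclasses
        return "rejected", str(exc)


# Constructed values for the walk-through; a real deployment uses a per-relying-party secret.
SECRET = b"constructed-shared-secret-for-the-example"
ISSUER = "webapp.example"       # hypothetical application initiating the SSO hand-off
AUDIENCE = "helpdesk.example"   # hypothetical identity-provider side (Zendesk's role above)


def mint_sso_assertion(subject, email, now):
    # Short lifetime: the assertion is consumed once during the SSO redirect.
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "email": email,
              "iat": int(now), "exp": int(now) + 300}
    return sign_jwt(claims, SECRET)


def modify_subject_without_resigning(token, new_subject):
    """Re-encode the payload with a different sub but keep the old signature (demo input only)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_subject
    return f"{header_b64}.{_compact_json(claims)}.{sig_b64}"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    token = mint_sso_assertion("user-42", "alice@example.invalid", t0)
    print(check(token, SECRET, ISSUER, AUDIENCE, t0 + 10))
    print(check(modify_subject_without_resigning(token, "admin"), SECRET, ISSUER, AUDIENCE, t0 + 10))
    print(check(token, SECRET, ISSUER, AUDIENCE, t0 + 400))
    print(check(token, SECRET, ISSUER, "other.example", t0 + 10))
```

Everything here runs on the server of the application that holds the secret, which is the point sunir makes about the Zendesk flow: the token is a one-shot assertion passed between two back ends, so the browser-storage exposure discussed in the first comment does not arise. The `aud` check is what stops an assertion minted for one relying party from being replayed at another, and pinning `alg` on the verifier side means the token's own header cannot downgrade the check.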
jessaustin over 11 years ago
Much clearer than the various Internet-Drafts; thanks!