Why not? The article does not really answer why not.
> This is a problem because the ability to read your user profile isn’t a good identity proof. You might grant that capability to applications for reasons having nothing to do with whether they can “log in with Twitter” to a dating app. People found a bunch of vulnerabilities.
> Enter OpenID Connect (OIDC). OIDC is the demon marriage of OAuth 2.0 and a cryptographic token standard called JWT. OIDC’s is unambiguous: it gives you an “Identity Token”, JWT-encoded, that tells you who’s logging in.
Ah, so it’s more of a case of “don’t use JWT… incorrectly”.
I also recommend looking at UMA2 and resource servers. Keycloak has what I’d call my go-to reference implementation.
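The quoted passage turns on one distinction: an access token that merely lets an app read a profile proves nothing about who is logging in, while an OIDC ID token is issued to a specific client for a specific login. "Using JWT correctly" on the relying-party side therefore means checking the signature with a pinned algorithm and then the `iss`, `aud`, `exp` and `nonce` claims before trusting `sub`. The following is an added illustration, not code from the article or from Keycloak; the issuer URL, client_id, HMAC secret and claim values are constructed for the demo, and a real deployment would verify against the provider's published RS256/ES256 keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the article or any real IdP).
ISSUER = "https://idp.example"          # assumed issuer URL
CLIENT_ID = "dating-app"                # assumed client_id of THIS relying party
SECRET = b"constructed-demo-secret"     # stands in for the provider's signing key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT; plays the role of the identity provider in this demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        f"{_b64url_encode(json.dumps(header).encode())}."
        f"{_b64url_encode(json.dumps(claims).encode())}"
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, expected_nonce: str, now=None, secret: bytes = SECRET) -> dict:
    """Return the claims if this ID token is a valid login for THIS client, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the header's alg must never select the verifier ("none", key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # The core point: a token issued to some other app is not a login here, however valid it is.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("token not issued for this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multi-audience token without matching azp")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    # nonce binds the token to the browser session that started this login (anti-replay).
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("no subject")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    tok = mint_id_token({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                         "exp": now + 300, "iat": now, "nonce": "n1"})
    print(verify_id_token(tok, "n1")["sub"])
```

The `aud` check is what separates "this person proved their identity to me" from "this person once let some app read their profile"; the `nonce` check is what stops a captured ID token from being replayed into a different session.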