Is JWT an alternate for sticky session when we implement oAuth

Question

I would like to know if oauth implementation with JWT is an alternate for sticky session? If while using JWT, the complete payload/signature info is sent between client and load balanced servers, then why do we still need sticky sessions? One of the senior architects was saying that the sticky session is required even if we use JWT, but I don’t get his point as why is sticky session required.

Please help!

Regards, Sriram

Answer 1

Sticky sessions are best avoided these days by API servers. Consider a cluster with 10 instances:

• The JWT is stateless
• But to verify it an instance usually needs to download the token signing public key from a JWKS endpoint
• The kid in the JWT header is then cached against the token signing public key, typically by a JWT library
• The kid lookup happens only once per instance, even if there are 10,000 different users

All of this means that being non-sticky is preferred under load, since there is no overhead to hitting a different server.