They seem like they are recreating the cookie mechanism using browser local storage and HTTP Authenticate headers, but without any of the associated browser security. I guess the use case would be when you want use a cookie across domains...?
Aren't cookies restricted for a reason? Can't anyone who can execute JS on that domain can swipe the JWT token out of storage and then impersonate the user?
One reasonable use case for JWT is to replace SAML assertions for single-sign on (SSO) from one web application to another, like Zendesk is doing:
Here, the JWT is stored not in the browser but on the server in the app trying to SSO with the identity provider (in this case Zendesk).
re: cookies vs xss. Expanding on sil3ntmac comment, based on my experience, it's easier to protect against XSS than protecting against CSRF. For CSRF you have to be aware of: set your cookies to HttpOnly and have a xsrf mechanism in place (which is not straightforward and not the default in many web frameworks, even worse if you start combining technologies). For XSS, you just need to make sure any input is sanitized, which usually most of the web frameworks provide something built-in.
Another interesting side effect of using JWT is that now you have a good cross-platform authentication mechanism that can cross boundaries. You can also achieve that with cookies, but you have to find the same implementation on different frameworks. We talk about this in this blog post about socket.io and json web tokens where it's very common to find PHP and node.js mixed.
We will write follow up blog posts about pros/cons, because as usual there is no silver bullet.
> Aren't cookies restricted for a reason? Can't anyone who can execute JS on that domain can swipe the JWT token out of storage and then impersonate the user?
HTTP-only cookies prevent attacker from swiping yes, but if you have the ability to execute JS on an arbitrary domain, you can just do your XSS attacks there, the browser will attach the cookie, and attacker has already won.