Every authentication system i ever implemented (and I worked on many) needed some way to invalidate sessions regardless whether it’s self service for the user or not.
And once you do you need some state and then JWTs don’t make much sense anymore. There are of course many valid use cases for JWT so “JWT bad” is a very reductive take
It's curious: very few authentication systems I ever implemented needed some way to invalidate sessions.
You either reissue tokens constantly, every couple minutes or so, or you have to reliably invalidate.
Maybe you do. Why would I have to do that?
Because it's bad to ship products where a compromised token can never be recovered from. Revocation is the essential hard problem in authentication/authorization.