jti in jwt and stateless?

[Choco-milk-for-u]

OWASP MASTG reccomend you to:

Make sure that replay attacks are addressed with the jti (JWT ID) claim, which gives the JWT a unique identifier.

and also insist on:

If access and refresh tokens are used with stateless authentication, they should be deleted from the mobile device. The refresh token should be invalidated on the server ↗.

basically giving the idea of querying the database when working with JWT. Why can't I use the session if I will have any kind of state anyway?
thank you for the help in advance.

[sushi2k]

Deny lists can be used in scenarios where you need to revoke tokens before they naturally expire, such as when a user logs out, their account is compromised, or roles/permissions change. Refresh tokens are usually long lived (weeks or months) and this is a common way to revoke them.

If you don't need to utilize the features of JWT (for example it can scale more easily, as there’s no need to replicate session data across servers in distributed architectures) a session can also be utilised and should be utilised to not overcomplicate the architecture. In the context of mobile apps JWT can be seen due to the "silent refresh" that can be done through access and refresh tokens without the user logging in again. Also all user-identifying information can be stored in a client-side token, compared to query it from a database for Stateful authentication.

Hope that helps.

[Choco-milk-for-u]

Hi thank you for your response, did I get it right that, unless in specific scenarios such as when using silent refresh for mobile, I should use sessions to avoid overcomplicating the architecture, as a deny list is still considered stateful?