The article has a point but it's over-dramatic about it.
The tokens are signed by the server, so they can't be modified before handing them back later, or they will fail the signature check on the JWT and be discarded. So the expiry date of the token is something the server decides when it issues it; checking it for being "too long" at the server is meaningless then. The server doesn't think its own expiry dates it selected are "too long".
The signed tokens can actually contain arbitrary additional server-decided info such as the client IP it was handed to, and the server can check when given it back that the client is still on the same IP. In the same way, the token can bind to a role (e.g., allowed to read only account xyz).
So bearer tokens can still be part of zero trust, the part that says you knew one kind of login secret.
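The issue/verify flow the comment describes, as an added example (not code from the comment, the article it replies to, or any project): a minimal HS256 JWT whose exp, ip and role claims are fixed by the server's signature, with the verifier checking the signature first and only then the claims. The secret key, the claim names `ip` and `role`, and the sample addresses and roles are constructed for illustration; `tamper_exp` exists only to show that a client-side edit of the expiry is caught by the signature check.

```python
# Added example (not from the comment or any project it references): a minimal
# HS256 JWT issuer/verifier showing that claims such as exp, ip and role are
# fixed by the server's signature. Key, claim names and sample values are
# constructed for illustration.
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret; a real deployment draws this from a secrets store.
SECRET = b"constructed-demo-key-not-for-real-use"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(subject, client_ip, role, ttl_seconds, now=None):
    """Server decides every claim, including the expiry, and then signs them."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "ip": client_ip, "role": role,
              "iat": now, "exp": now + ttl_seconds}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, client_ip, required_role, now=None):
    """Return (ok, reason). No claim is trusted before the signature verifies."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # the server, not the token, picks the algorithm
        return False, "unexpected alg"
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:  # expiry is whatever the server wrote at issue time
        return False, "expired"
    if claims.get("ip") != client_ip:  # token bound to the IP it was handed to
        return False, "ip mismatch"
    if claims.get("role") != required_role:  # token bound to one role
        return False, "role mismatch"
    return True, "ok"


def tamper_exp(token, new_exp):
    """Client-side edit of exp that keeps the original signature; verification must reject it."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["exp"] = new_exp
    return h + "." + _encode_json(claims) + "." + s


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token("alice", "203.0.113.7", "read:account-xyz", 3600, now=now)
    print(verify_token(tok, "203.0.113.7", "read:account-xyz", now=now + 10))
    print(verify_token(tamper_exp(tok, now + 999999), "203.0.113.7", "read:account-xyz", now=now + 10))
```

The check order matters: the signature is verified with a constant-time compare before any claim is parsed, so a token with a rewritten expiry, a different client address, or a widened role never reaches the claim checks as trusted data.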