Really neat overview of something that usually is a bit of a pain in the ass!
Just a small note regarding something Rui said: JWT doesn't imply you have a private/public key pair (aka an asymmetric key); you can also sign a token with a regular symmetric key. This is an easier scenario that might be better suited in some cases, although not this one specifically.
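The symmetric case the comment above refers to is JWT's HS256 algorithm (HMAC-SHA256 over the header and payload with a shared secret). The following is an added, self-contained illustration and not code from the thread or from any project discussed in it; it uses only the Python standard library, the key `SAMPLE_KEY` is a constructed demo value, and the function names are my own. The verifier side pins the expected `alg` before checking the signature and compares MACs in constant time, which are the two details that matter most when a shared secret rather than a key pair is in play.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment would load a random key from a secret store.
SAMPLE_KEY = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add the padding stripped by b64url_encode before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with an HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, key: bytes):
    """Return the claims if the token is a valid HS256 JWT under `key`, else None.

    The expected algorithm is fixed by the verifier, not read from the token, so a
    header claiming 'none' or an asymmetric algorithm is rejected before any MAC check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        provided_mac = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected_mac = hmac.new(
        key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(expected_mac, provided_mac):
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims


def tampered_payload(token: str, new_claims: dict) -> str:
    """Swap the payload of an existing token while keeping the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode("utf-8"))
    return header_b64 + "." + payload_b64 + "." + sig_b64


def alg_none_token(claims: dict) -> str:
    """Build an unsigned token with alg 'none', which a pinned verifier must reject."""
    header_b64 = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return header_b64 + "." + payload_b64 + "."


if __name__ == "__main__":
    tok = sign_hs256({"sub": "alice", "role": "user"}, SAMPLE_KEY)
    print("valid token   ->", verify_hs256(tok, SAMPLE_KEY))
    print("wrong key     ->", verify_hs256(tok, b"some-other-key"))
    print("edited payload->", verify_hs256(tampered_payload(tok, {"sub": "alice", "role": "admin"}), SAMPLE_KEY))
    print("alg none      ->", verify_hs256(alg_none_token({"sub": "alice"}), SAMPLE_KEY))
```

Because both ends hold the same secret, any party that can verify an HS256 token can also mint one; that is the trade-off against the asymmetric RS256/ES256 setup, where verifiers only ever hold the public key.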