Cross-site related security also exists in the standard OAuth2 flow. Spring Security also provides related solutions. This is really another topic.
My solution is just a simplified alternative to the OAuth 2 Resource Owner Password Flow, which does not need to manage the client applications.
As far as I know, a lot of web frameworks (I also code PHP, NodeJS) provide similar built-in JWT token solutions. If you personally think it does not satisfy your requirements, just skip it. There is really no need to show your rude side here.