Deprecate JWS

[davidism]

I'm not very familiar with the standard, so it's hard to maintain. People keep mistaking JWS for JWT and then think we're not implementing things correctly. JWS seems to behave somewhat orthogonally to itsdangerous. There are libraries with dedicated JW* implementations, such as pyjwt or authlib or python-jose. It should still be possible to create a signer subclass that uses these libraries.

[davidism]

#54 has some previous discussion.

[lepture]

It is caused by the names used in itsdangerous. If we put names like exp into payload, it is a valid JWT then.

[lepture]

JWS is not used in Flask. I think we can remove it from itsdangerous.

[aviau]

Ah. That's unfortunate. Given the popularity of itsdangerous I would expect that the JWS implementation has a large number of users.