I understand that this will probably get shouted down due to the popularity of JWTs, but: I don't think Django should include any type of JWT support in the core framework.
JWTs are an absolute security nightmare. Some of the Django security team have heard me rant on this topic already, but: there is no such thing as a safe JWT implementation, because there are fundamental flaws in the design of JWT that cannot be remedied by just writing better implementations. Supporting them in Django, even to the minimal extent in the current PR, would encourage users of Django to adopt them, which goes against our historical trend of pushing best practices when it comes to application security, and would significantly add to the security team's burden because of the increased attack surface JWT support would open up. If Django does end up shipping some type of JWT support, I'd lobby very strongly for declaring it out of scope for our security process, and labeling it "use at your own risk".