Look into moving JWT support to PyJWT; consider whether or not we can make it a strict dependency (vs. optional) #226

Closed
sirosen opened this issue Sep 7, 2017 · 2 comments
Labels
enhancement New feature or improvement question A question or open discussion

Comments

@sirosen
Member

sirosen commented Sep 7, 2017

For JWT support, we allow users to install python-jose via the globus-sdk[jwt] extra. That makes the inclusion optional.
We made it optional because python-jose depends on pycrypto, which doesn't install cleanly without system libraries.

pyjwt is more mainstream than python-jose, and depends on cryptography. Among the many nice things about cryptography over pycrypto, it ships statically linked wheels for many platforms.

This means that a transition could do a couple of things for us:

  • Improve the security of the tools we're implicitly endorsing, moving from pycrypto (which is dead) to cryptography
  • Use deps more aligned with the CLI (which requires cryptography for delegate proxy)
  • Possibly turn jwt support on by default, making cryptography a required dependency
    • This might work on our target platforms due to the static wheels as a format
    • We would need to expand our installation documentation to include notes on installing on the rare, unsupported platforms for cryptography
      e.g. sudo apt-get install build-essential libssl-dev libffi-dev python3-dev

However, this inherently makes globus-sdk installation more prone to failure. We're relying upon cryptography to retain good support for our target platforms, and if a platform is missing we expose a lot of extra setup burden.
We need to be very confident before pursuing this.

@sirosen sirosen added enhancement New feature or improvement help wanted question A question or open discussion labels Sep 7, 2017
@bjmc
Contributor

bjmc commented Sep 11, 2017

It's perhaps worth noting that python-jose now supports multiple cryptography backends, including cryptography, so it may be possible to get the benefits of cryptography without switching to PyJWT.

@jaswilli
Contributor

Closed by #227.

We can revisit optional/automatic in the future.
