deprecate jws

5 files changed, 34 insertions, 6 deletions

diff --git a/CHANGES.rst b/CHANGES.rst
index c426474..3cec4ca 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -4,6 +4,9 @@ Version 2.0.0
 Unreleased
 
 -   Drop support for Python 2 and 3.5.
+-   JWS support (``JSONWebSignatureSerializer``,
+    ``TimedJSONWebSignatureSerializer``) is deprecated. Use a dedicated
+    JWS/JWT library such as authlib instead. :issue:`129`
 -   Importing ``itsdangerous.json`` is deprecated. Import Python's
     ``json`` module instead. :pr:`152`
 -   Simplejson is no longer used if it is installed. To use a different
diff --git a/docs/index.rst b/docs/index.rst
index c5b16cb..2e3990a 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -60,7 +60,6 @@ Table of Contents
     exceptions
     timed
     url_safe
-    jws
     encoding
     license
     changes
diff --git a/docs/jws.rst b/docs/jws.rst
index 06f5bcd..7d13441 100644
--- a/docs/jws.rst
+++ b/docs/jws.rst
@@ -1,8 +1,17 @@
+:orphan:
+
 .. module:: itsdangerous.jws
 
 JSON Web Signature (JWS)
 ========================
 
+.. warning::
+    .. deprecated:: 2.0
+        ItsDangerous will no longer support JWS in version 2.1. Use a
+        dedicated JWS/JWT library such as `authlib`_.
+
+.. _authlib: https://authlib.org/
+
 JSON Web Signatures (JWS) work similarly to the existing URL safe
 serializer but will emit headers according to `draft-ietf-jose-json-web
 -signature <http://self-issued.info/docs/draft-ietf-jose-json-web
diff --git a/src/itsdangerous/jws.py b/src/itsdangerous/jws.py
index 0f38155..73ee84c 100644
--- a/src/itsdangerous/jws.py
+++ b/src/itsdangerous/jws.py
@@ -1,5 +1,6 @@
 import hashlib
 import time
+import warnings
 from datetime import datetime
 from datetime import timezone
 from decimal import Decimal
@@ -22,6 +23,9 @@ from .signer import NoneAlgorithm
 class JSONWebSignatureSerializer(Serializer):
     """This serializer implements JSON Web Signature (JWS) support. Only
     supports the JWS Compact Serialization.
+
+    .. deprecated:: 2.0
+        Use a dedicated library such as authlib.
     """
 
     jws_algorithms = {
@@ -46,6 +50,12 @@ class JSONWebSignatureSerializer(Serializer):
         signer_kwargs=None,
         algorithm_name=None,
     ):
+        warnings.warn(
+            "JWS support is deprecated and will be removed in 2.1. Use"
+            " a dedicated JWS/JWT library such as authlib.",
+            DeprecationWarning,
+            stacklevel=2,
+        )
         super().__init__(
             secret_key=secret_key,
             salt=salt,
diff --git a/tests/test_itsdangerous/test_jws.py b/tests/test_itsdangerous/test_jws.py
index e57e5cb..63ce111 100644
--- a/tests/test_itsdangerous/test_jws.py
+++ b/tests/test_itsdangerous/test_jws.py
@@ -1,5 +1,4 @@
 from datetime import timedelta
-from functools import partial
 
 import pytest
 
@@ -17,7 +16,11 @@ from test_itsdangerous.test_timed import TestTimedSerializer
 class TestJWSSerializer(TestSerializer):
     @pytest.fixture()
     def serializer_factory(self):
-        return partial(JSONWebSignatureSerializer, secret_key="secret-key")
+        def factory(secret_key="secret-key", **kwargs):
+            with pytest.deprecated_call():
+                return JSONWebSignatureSerializer(secret_key=secret_key, **kwargs)
+
+        return factory
 
     test_signer_cls = None
     test_signer_kwargs = None
@@ -68,9 +71,13 @@ class TestJWSSerializer(TestSerializer):
 class TestTimedJWSSerializer(TestJWSSerializer, TestTimedSerializer):
     @pytest.fixture()
     def serializer_factory(self):
-        return partial(
-            TimedJSONWebSignatureSerializer, secret_key="secret-key", expires_in=10
-        )
+        def factory(secret_key="secret-key", expires_in=10, **kwargs):
+            with pytest.deprecated_call():
+                return TimedJSONWebSignatureSerializer(
+                    secret_key=secret_key, expires_in=expires_in, **kwargs
+                )
+
+        return factory
 
     def test_default_expires_in(self, serializer_factory):
         serializer = serializer_factory(expires_in=None)