Make the jti claim optional as per RFC 7519 Section 4.1.7

[ajhodges]

RFC 7519 Section 4.1.7 states that the jti claim is optional. It's fine for this library to be opinionated and always include a jti on generated tokens, but it should not require the claim to be present when validating tokens. This PR removes that check.

The unit tests on this PR will fail until #61 is merged.

[davesque]

Is there a reason you don't want that claim to be present? The purpose of the claim in this library is to provide a key into the token blacklist.

[ajhodges]

I don't use simplejwt to create my tokens (I actually use https://github.com/juanifioren/django-oidc-provider), I'm using simplejwt more as a substitute for this unmaintained library: jpadilla/django-rest-framework-jwt#449

And I suspect others will be looking into this library for the same reasons as well.

[davesque]

@ajhodges

Cool, good to know. It's making me realize that I had originally designed this library as a self-contained solution for a particular project on which I was working but I neglected to consider how it might interact with other JWT systems.

Off the top of my head, I believe removing the jti requirement would have implications for other parts of the library that deal with token revocation. But I'll have to look over everything again to be sure. Feel free to poke around yourself and summarize whatever you find out here.

[ajhodges]

When I made this change I did a quick search through all the references to jti and didn't see anything that really stuck out to me (but we also are not revoking tokens atm). For whatever it's worth we've been using our fork with this change for the past month or so, and the authentication class/tokenuser functionality has been working great for us in multiple projects.

[ajhodges]

This has been addressed via #115