Description
Describe the bug
The setup.py install script currently defines two "extras" that can be installed:
- rsa which only installs PyCA's cryptography package, and
- signedtoken which installs both cryptography and pyjwt packages.
Lines 21 to 23 in d4716eb
Lines 40 to 44 in d4716eb
There are two problems with this.
Firstly, with the RSA-SHA1 signature method in OAuth 1.0a, having just cryptography without pyjwt does not work. It needs both. It is also needed for RS256 tokens in OAuth 2.0 too: JWT is needed/imported by oauth2/rfc6749/clients/service_application.py, common.py and oauth1/rfc5849/signature.py.
Secondly, the "signedtoken" extras is not documented (except buried in a section about errors in the FAQ). The "rsa" extras is partially documented, and that would mislead users into thinking all they need to do is install the "rsa" extras and RSA-SHA1 and RS256 will work.
How to reproduce
Install using pip install oauthlib[rsa] and try using the OAuth 1.0a RSA-SHA1 signature method. It fails with an exception, because pyjwt has not been installed.
ModuleNotFoundError: No module named 'jwt'
Expected behavior
Expect installing "rsa" will make the OAuth 1.0a RSA-SHA1 signature method work.
Proposed solution
Is there a reason why someone would want to install cryptography for RSA support, but cannot (or must not) install pyjwt?
Can both installation extras be merged into a single "rsa" extras? Having one option makes installing less complicated, and fewer things that need to be documented.
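An added example, not part of the original issue or the project's code: a small check that groups `Requires-Dist` lines by extra and reports which distributions needed for RSA-SHA1/RS256 each extra fails to install, plus a runtime pre-flight for the imports. The metadata lines, `RSA_NEEDS` and all function names are constructed for illustration from the description above.

```python
import importlib.util
import re

# Constructed Requires-Dist lines mirroring the two extras described in the
# issue (version pins omitted; not copied from the project's metadata).
REQUIRES_DIST = [
    'cryptography; extra == "rsa"',
    'cryptography; extra == "signedtoken"',
    'pyjwt; extra == "signedtoken"',
]

# Per the issue, RSA-SHA1 (OAuth 1.0a) and RS256 (OAuth 2.0) need both
# distributions. Maps distribution name -> top-level import name.
RSA_NEEDS = {"cryptography": "cryptography", "pyjwt": "jwt"}

_EXTRA_RE = re.compile(
    r"""^\s*([A-Za-z0-9._-]+)[^;]*;.*extra\s*==\s*['"]([^'"]+)['"]"""
)


def extras_map(requires_dist):
    """Group distribution names by the extra that pulls them in."""
    extras = {}
    for line in requires_dist:
        m = _EXTRA_RE.match(line)
        if m:  # unconditional requirements carry no extra marker; skip them
            extras.setdefault(m.group(2), set()).add(m.group(1).lower())
    return extras


def missing_per_extra(requires_dist, needed=RSA_NEEDS):
    """For each extra, list the needed distributions it does not install."""
    return {
        extra: sorted(set(needed) - dists)
        for extra, dists in extras_map(requires_dist).items()
    }


def missing_imports(needed=RSA_NEEDS, find_spec=importlib.util.find_spec):
    """Runtime pre-flight: import names that cannot be resolved right now."""
    return sorted(mod for mod in needed.values() if find_spec(mod) is None)


if __name__ == "__main__":
    print("gaps per extra:", missing_per_extra(REQUIRES_DIST))
    print("unresolvable imports:", missing_imports())
```

Running `missing_imports()` at application start-up turns the late `ModuleNotFoundError` into an explicit list of what is absent before any signing is attempted.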