From what I can see in the lib, here are some quick differences:
- For the django lib, the refresh token (per session) doesn't change. This means that if those are compromised, your user's account is compromised as well - for an extended period of time. The flow is as good as having just one long-lived token. In our case, we keep changing the refresh token on each use, which allows us to detect theft.
- It seems that they are not using httpOnly cookies, which goes against session best practices.
- They do not seem to provide some of the control features of sessions, like being able to get a list of sessions for a user and revoke any one of them, or changing the session tokens after an access or password change.
- Unlike us, they have login and password management functionality, which is great.
Please correct me if any of my assumptions about djoser are incorrect. You can still use them for login and password reset flows, and use us for sessions. :))
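To make the first and third points above concrete, here is an added example (not code from djoser, nor from the commenter's library) of refresh-token rotation with reuse detection and per-user session listing/revocation. Everything is an assumption for illustration: an in-memory store, the `SessionStore`, `Session` and `refresh_cookie_header` names, and the cookie name `sRefreshToken`. The idea being demonstrated is that once a refresh token has been rotated, any later presentation of the old token means two parties hold the chain, so the whole session is revoked.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field


def _hash(token: str) -> str:
    # Only hashes are stored, so a leaked store does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    session_id: str
    user_id: str
    current_hash: str                                   # hash of the one valid refresh token
    used_hashes: set = field(default_factory=set)       # hashes of tokens already rotated out
    revoked: bool = False
    created_at: float = field(default_factory=time.time)


class SessionStore:
    """Hypothetical in-memory session store (illustration only)."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create_session(self, user_id: str):
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user_id, _hash(token))
        return sid, token

    def refresh(self, session_id: str, refresh_token: str):
        """Rotate the refresh token. Returns (status, new_token_or_None)."""
        s = self._sessions.get(session_id)
        if s is None or s.revoked:
            return "invalid", None
        h = _hash(refresh_token)
        if h == s.current_hash:
            # Normal path: retire the presented token and issue a fresh one.
            new_token = secrets.token_urlsafe(32)
            s.used_hashes.add(h)
            s.current_hash = _hash(new_token)
            return "ok", new_token
        if h in s.used_hashes:
            # An already-rotated token was replayed: either the legitimate client
            # or a thief is out of sync. Kill the whole session so both lose access.
            s.revoked = True
            return "theft_detected", None
        return "invalid", None

    def list_sessions(self, user_id: str):
        return [s.session_id for s in self._sessions.values()
                if s.user_id == user_id and not s.revoked]

    def revoke_session(self, session_id: str) -> bool:
        s = self._sessions.get(session_id)
        if s is None:
            return False
        s.revoked = True
        return True

    def revoke_all_for_user(self, user_id: str) -> int:
        # Useful after a password change: every existing session is invalidated.
        count = 0
        for s in self._sessions.values():
            if s.user_id == user_id and not s.revoked:
                s.revoked = True
                count += 1
        return count


def refresh_cookie_header(token: str, max_age: int = 100 * 24 * 3600) -> str:
    # HttpOnly keeps the token out of document.cookie; Secure restricts it to
    # HTTPS; the narrow Path means it is only sent to the refresh endpoint.
    return (f"sRefreshToken={token}; Path=/auth/session/refresh; "
            f"Max-Age={max_age}; HttpOnly; Secure; SameSite=Strict")


if __name__ == "__main__":
    store = SessionStore()
    sid, t0 = store.create_session("alice")
    status, t1 = store.refresh(sid, t0)          # legitimate client rotates
    print(status)                                # ok
    print(store.refresh(sid, t0))                # ("theft_detected", None): t0 replayed
    print(store.refresh(sid, t1))                # ("invalid", None): session is gone
    print(refresh_cookie_header("<constructed-token>"))
```

The `if __name__` block walks through the scenario from the comment: after a legitimate rotation, a replay of the old token is treated as theft and the session is revoked, which also invalidates the token the legitimate client is holding, forcing a re-login rather than letting the thief keep a long-lived credential.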