Fix jwt verification (keycloak issue)

[dianagudu]

This should fix the issue that came up with the new egi dev instance.

It extends the jwt.PyJWKClient class to fix how the signing keys are retrieved from the jwks_uri:

• encryption keys (with "use"=="enc") are ignored, since pyjwt does not support this
• if the token header contains the key id ("kid"), the key is retrieved by id from the jwks_uri
• since "kid" is optional, we can retrieve the signing key by the only mandatory fields:
  • "alg" in header, which can be used to infer the key type
  • "kty" (key_type) in JWK, to retrieve the first (should be the only one) key of this type from the jwks_uri

Does not fix:

• jwt.PyJWKClient.get_jwk_set fails if jwks_uri contains encryption keys

References:

• JSON Web Token Best Current Practices
• JSON Web Key (JWK)
• JSON Web Algorithms (JWA)

[marcvs]

Wow you're fast!! I tested it, works fine for me!