Fix bug when sign JWT on Android platform

[laurentyhuel]

Fix bug #131 , #191, #185 : cannot sign JWT on Android platform.
I choose reflection to check if code is execute on Android platform why:

1. Because not need to embed a new library for instance:
   dependencies {
   compileOnly "com.google.android:android:4.1.1.4"
   }
2. Because it seems the more secure way to check if code is execute on Android platform
   It' also possible to get platform with System.getProperty() : https://stackoverflow.com/questions/4519556/how-to-determine-if-my-app-is-running-on-android
   but result could differ depends on os version, manufacturer, ...

[lbalmaceda]

Ughh!
Thanks for the PR. Personally, I don't like the use of reflection as it's too hacky and may break without us noticing. In addition, I don't think those 3 issues you mention are "bugs" because we decided up-front that this library was meant to be used on Java-only environments, leaving a side Android which has its own decode library here. As mentioned in one of the issues, there's no need for you to sign or even verify a token from the Android client side. You should trust your server and its implementation. What's your use case?

[laurentyhuel]

Our use case:
On android device, we receive a oauth token from few 3rd party OAuth servers (partners).
Android create a JWT with this oauth token and other properties.
Android call our server with JWT.
Our server get oauth otken from JWT.
Our server check oauth token to a 3rd party OAuth servers (partners).

So yes, you need to sign JWT on Android (it's not just for the fun).

I'm agree with you reflection, is not sexy, but in this case it seems to be the more robust way to do it.

I could add unit tests to coverage this part.

[lbalmaceda]

There's no way to keep the secret/private_key secure in Android (anyone can see/modify it) so what's the point in signing the JWT? Ok, you could make the server use the public_key (in the case of HMAC) to verify the incoming signature, but even then anyone can sign tokens with your private_key as you're keeping it on the device, meaning your server would trust anything blindfolded. The tokens must always be signed on the server.
If you just want to use a JWT to wrap all the third-party tokens then that's just a JSON, the same as doing a post with a JSON body to your server with each token in a property or even an array of tokens.