@DeepDiver1975 (Collaborator) commented:
refs https://portswigger.net/kb/issues/00200902_jwt-self-signed-jwk-header-supported

JWK header shall not be used without verification.

Usage:

In case a self-signed JWK header is desired to be used (very rare cases from my understanding), the class OpenIDConnectClient shall be subclassed and the method verifyJWKHeader implemented as needed:

```php
<?php
use Jumbojett\OpenIDConnectClient;
use Jumbojett\OpenIDConnectClientException;

class MyOpenIDConnectClient extends OpenIDConnectClient
{
    /**
     * Called by the client whenever a token carries a self-signed "jwk" header.
     * Throw to reject the header; return normally to accept it.
     *
     * @param object $jwk the decoded "jwk" header member
     * @throws OpenIDConnectClientException
     */
    protected function verifyJWKHeader($jwk)
    {
        # TODO: add your own logic to verify; defaults to rejecting every JWK header
        $valid = false;
        if (!$valid) {
            throw new OpenIDConnectClientException('Self signed JWK header is not valid');
        }
    }
}
```

List of common tasks a pull request requires to be complete

  • Changelog entry is added or the pull request doesn't alter the library's functionality

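An added example (not code from this PR or the library) of one way to fill in that TODO: the subclass accepts a self-signed JWK header only if its RFC 7638 thumbprint is on a pinned allow-list, so an attacker-supplied key in the header is never used for signature verification. It assumes the library is installed via Composer and that `$jwk` is the decoded `jwk` header member (a stdClass from json_decode, or an array); the class and method names other than verifyJWKHeader are hypothetical.

```php
<?php
// Added example, not code from this PR or the library. Assumes a Composer install and that
// $jwk is the decoded "jwk" header member; names other than verifyJWKHeader are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;
use Jumbojett\OpenIDConnectClientException;

class PinnedJwkOpenIDConnectClient extends OpenIDConnectClient
{
    // Required members per key type, already in lexicographic order (RFC 7638 section 3.2).
    const THUMBPRINT_MEMBERS = [
        'RSA' => ['e', 'kty', 'n'],
        'EC'  => ['crv', 'kty', 'x', 'y'],
    ];

    /** @var string[] base64url SHA-256 thumbprints of the only keys we accept */
    private $pinnedThumbprints = [];

    public function pinJwkThumbprint($thumbprint)
    {
        $this->pinnedThumbprints[] = $thumbprint;
    }

    // RFC 7638 thumbprint: SHA-256 over the minimal JSON form, base64url without padding.
    public static function jwkThumbprint($jwk)
    {
        $jwk = (array) $jwk;
        $kty = isset($jwk['kty']) ? $jwk['kty'] : '';
        if (!isset(self::THUMBPRINT_MEMBERS[$kty])) {
            throw new OpenIDConnectClientException('Unsupported or missing JWK kty');
        }
        $canonical = [];
        foreach (self::THUMBPRINT_MEMBERS[$kty] as $member) {
            if (!isset($jwk[$member]) || !is_string($jwk[$member])) {
                throw new OpenIDConnectClientException("JWK header lacks required member '$member'");
            }
            $canonical[$member] = $jwk[$member];
        }
        $digest = hash('sha256', json_encode($canonical, JSON_UNESCAPED_SLASHES), true);
        return rtrim(strtr(base64_encode($digest), '+/', '-_'), '=');
    }

    // Reject any self-signed JWK header whose thumbprint has not been pinned.
    protected function verifyJWKHeader($jwk)
    {
        if (!in_array(self::jwkThumbprint($jwk), $this->pinnedThumbprints, true)) {
            throw new OpenIDConnectClientException('Self signed JWK header is not valid');
        }
    }
}
```

Compute the thumbprint of a key you obtained out of band (for example from the provider's JWKS document) with `jwkThumbprint()` and register it with `pinJwkThumbprint()` before validating tokens; any other key in a `jwk` header is rejected.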
DeepDiver1975 force-pushed the fix/harden-self-signed-jwk-header branch from 3cd53cd to ed0e30a on September 26, 2022 06:34
DeepDiver1975 merged commit 7672086 into master on September 27, 2022
DeepDiver1975 deleted the fix/harden-self-signed-jwk-header branch on September 27, 2022 08:33