specs/xrpc: more JWT fields; document typ

[bnewbold]

Pulls in the lxm and jti updates from: bluesky-social/atproto#2687

And the iat and jti fields, and typ values.

Please review the types (string/number/integer) and whether required or not. I'm not really sure how to specify the data type of, eg, iat: it is JSON so can't really say "integer", right? Just numeric? If these are floats, is it expected that they be validated with sub-second precision?

Trying to keep this PR tight/simple, so not reviewing/touching any "should" / "must" type language elsewhere in these sections.

Closes: #327

cc: @rudyfraser doing PDS work and generating inter-service auth JWTs

[devinivy]

I don't think we have formally intended to specify that this must be "JWT". We intentionally do not require that it take this value when we verify the token since we hadn't explicitly specified it. Wanted to leave the door open to a different value we might prefer more, e.g. perhaps something akin to at+jwt/refresh+jwt/dpop+jwt.

[bnewbold]

@matthieusieben had recommended this in #327.

I can mention the field and that it doesn't have a stable/specified value yet for this use-case?

[matthieusieben]

I indeed wanted to put something there. Whether it's JWT or something more specific is a more complex topic.

Either we consider that there will only ever be only one type of JWT in Atproto (besides access & refresh tokens) and JWT is fine. Or we want to be future proof and we might want to do something like service+jwt (or pds-2-pds+jwt, or whatever).

The important thing here is to make sure that a JWT generated for one particular purpose cannot be used for another purpose, while still allowing them to be signed with the same key
a dev could choose to implement a PDS from scratch using the same key everywhere
The only control we'd have is the typ header.

[bnewbold]

I updated with:

currently JWT, but intend to update to a more specific value