RFC7523: PrivateKeyJWT and ClientSecretJWT headers ignored #551

Closed
dhallam opened this issue Jun 9, 2023 · 1 comment

dhallam (Contributor) commented Jun 9, 2023

Describe the bug

This is in relation to RFC7523 and the PrivateKeyJWT and ClientSecretJWT classes' sign method. Each class can be initialised with a headers dictionary. In ClientSecretJWT, the self.headers is passed to client_secret_jwt_sign as a kwparam called headers. PrivateKeyJWT doesn't actually pass the headers through to private_key_jwt_sign at all, but should (that's the first problem). This allows people to set things like the kid on the JWT header.

The second problem is that the sign_jwt_bearer_assertion expects a kwarg called header and not headers. At the moment, the headers from ClientSecretJWT.sign() appear to be ignored.

In summary, two issues:

  • PrivateKeyJWT should pass the self.headers into the private_key_jwt_sign call.
  • Both ClientSecretJWT and PrivateKeyJWT should pass header=self.headers in the calls to client_secret_jwt_sign and private_key_jwt_sign respectively.

I can create a PR, but I can't see any existing tests for the RFC7523 code in the codebase that I can enhance. Any guidance would be greatly appreciated.

Error Stacks

None

Expected behaviour

I would expect the headers to be passed through and included in the JWT.

Environment:

  • OS: Ubuntu 22.04 (but not relevant here)
  • Python Version: 3.10.7 (but not relevant here)
  • Authlib Version: latest from master (commit cadc55d)

Additional context

This is being used to implement a Flask application that uses OpenID Connect with private_key_jwt.
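The following is an added example, not Authlib's code and not code from the issue author: a minimal RFC 7523 section 3 client assertion (client_secret_jwt, HS256) built with the Python standard library only, plus the authorization-server side that selects the verification key by `kid`. It shows why a dropped `headers` argument matters: without `kid` in the JOSE header the server cannot pick the key and rejects the assertion. The function names `sign_client_assertion`, `verify_client_assertion`, `decode_header` and `demo`, and the client id, secret and token endpoint, are all constructed for this example.

```python
"""Added example (not Authlib's API): RFC 7523 client_secret_jwt assertion
with caller-supplied JOSE headers, and a verifier that keys on `kid`.

All names and fixtures below are hypothetical and constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed fixtures (not real credentials).
CLIENT_ID = "example-client"
CLIENT_SECRET = b"a-constructed-shared-secret-for-the-demo"
TOKEN_ENDPOINT = "https://as.example.com/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_header(assertion: str) -> dict:
    """Parse the JOSE header of a compact JWS without verifying it."""
    return json.loads(_b64url_decode(assertion.split(".")[0]))


def sign_client_assertion(secret, client_id, token_endpoint,
                          headers=None, now=None, lifetime=300):
    """Build an RFC 7523 section 3 client authentication JWT (HS256).

    `headers` is merged into the JOSE header so the caller can set `kid`.
    `alg` and `typ` are applied last so caller headers cannot override them
    (an alg downgrade via a caller-supplied header must never be possible).
    """
    now = int(time.time()) if now is None else now
    header = dict(headers or {})
    header.update({"alg": "HS256", "typ": "JWT"})
    claims = {
        "iss": client_id,
        "sub": client_id,
        "aud": token_endpoint,
        "iat": now,
        "exp": now + lifetime,
        "jti": str(uuid.uuid4()),
    }
    compact = json.dumps(header, separators=(",", ":")).encode()
    compact_claims = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = _b64url(compact) + "." + _b64url(compact_claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_client_assertion(assertion, secrets_by_kid, token_endpoint, now=None):
    """Authorization-server side: pick the key by `kid`, then check the
    signature, audience, expiry and iss/sub. Raises ValueError on failure.
    A missing `kid` is rejected, which is the failure a client sees when
    its headers are silently dropped by the signing helper.
    """
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = assertion.split(".")
    except ValueError:
        raise ValueError("malformed assertion")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    if kid not in secrets_by_kid:
        raise ValueError("unknown or missing kid")
    expected = hmac.new(secrets_by_kid[kid], f"{h_b64}.{c_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("aud") != token_endpoint:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != claims.get("sub"):
        raise ValueError("iss/sub mismatch")
    return claims


def demo():
    """Return (claims from an assertion carrying kid, error for one without)."""
    keys = {"client-key-2023": CLIENT_SECRET}
    now = 1_686_300_000  # fixed clock so the run is deterministic
    with_kid = sign_client_assertion(CLIENT_SECRET, CLIENT_ID, TOKEN_ENDPOINT,
                                     headers={"kid": "client-key-2023"}, now=now)
    claims = verify_client_assertion(with_kid, keys, TOKEN_ENDPOINT, now=now)
    # Same client and secret, but the kid header never reached the JWT.
    without_kid = sign_client_assertion(CLIENT_SECRET, CLIENT_ID, TOKEN_ENDPOINT, now=now)
    try:
        verify_client_assertion(without_kid, keys, TOKEN_ENDPOINT, now=now)
        err = None
    except ValueError as e:
        err = str(e)
    return claims, err


if __name__ == "__main__":
    print(demo())
```

The verifier here keys on `kid` only; a real authorization server would also enforce single use of `jti`, as RFC 7523 recommends, and the audience check should match the exact token endpoint the client was registered against. The ordering in `sign_client_assertion` (caller headers first, then `alg`/`typ`) is the part worth copying: a headers parameter should let the client set `kid`, never `alg`.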

dhallam (Contributor, author) commented Jun 10, 2023

Duplicate of #515

@lepture lepture closed this as completed Jun 18, 2023