
Conversation

@couling couling commented Jun 25, 2025

Fixes #1072

`get_signing_key` now accepts None for the kid and will match to the only JWKS signing key if there is only one. Otherwise it will not match.

`get_signing_keys` now returns keys with a None kid to support this.

`get_signing_key_from_jwt` now defaults the kid to None when it looks for it in the token.

`match_kid` now accepts None likewise.

@couling couling marked this pull request as ready for review June 25, 2025 14:20
@auvipy auvipy requested review from Copilot and auvipy June 26, 2025 05:25

@Copilot Copilot AI left a comment


Pull Request Overview

Adds support for validating JWTs without an explicit kid by allowing None and matching when only one key is available.

  • Removed the requirement that signing keys must have a kid in get_signing_keys
  • Updated get_signing_key, get_signing_key_from_jwt, and match_kid to accept None for kid and handle single-key fallback
  • Added logic in match_kid to return the lone key when kid is None and exactly one key exists
Comments suppressed due to low confidence (2)

jwt/jwks_client.py:120

  • [nitpick] When kid is None and multiple signing keys exist, match_kid returns None, which may surface as an unclear error later. Consider raising a descriptive PyJWKClientError at this point to inform users that a kid is required when multiple keys are present.
    def match_kid(signing_keys: List[PyJWK], kid: Optional[str]) -> Optional[PyJWK]:

jwt/jwks_client.py:98

  • Ensure you import Optional from the typing module or update your imports to avoid a NameError when using Optional[str].
    def get_signing_key(self, kid: Optional[str]) -> PyJWK:
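An added illustration (not the PR's code, nor PyJWT's) of the matching rule described above and of the reviewer's suggestion to fail descriptively: a token without a kid resolves only when the JWKS holds exactly one key, and an ambiguous lookup raises instead of silently returning None. `SigningKey` and `JWKSMatchError` are stand-ins constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


class JWKSMatchError(Exception):
    """Raised when a header kid (or its absence) cannot be resolved to exactly one key."""


@dataclass(frozen=True)
class SigningKey:
    # Stand-in for a JWKS entry (constructed for this example; not PyJWT's PyJWK).
    key_id: Optional[str]
    public_key: str


def match_kid(signing_keys: List[SigningKey], kid: Optional[str]) -> Optional[SigningKey]:
    """Match a header kid against the JWKS.

    kid given   -> the key whose key_id equals it, else None.
    kid is None -> the lone key if the JWKS holds exactly one, else None
                   (never pick one of several keys on the token's behalf).
    """
    if kid is not None:
        return next((k for k in signing_keys if k.key_id == kid), None)
    if len(signing_keys) == 1:
        return signing_keys[0]
    return None


def get_signing_key(signing_keys: List[SigningKey], kid: Optional[str]) -> SigningKey:
    """Resolve a key or raise, so an unresolvable kid can never verify a token."""
    key = match_kid(signing_keys, kid)
    if key is not None:
        return key
    if kid is None and len(signing_keys) > 1:
        raise JWKSMatchError(
            f"token has no kid but the JWKS contains {len(signing_keys)} keys; "
            "a kid is required to select one"
        )
    raise JWKSMatchError(f"no signing key found for kid={kid!r}")


def try_resolve(signing_keys: List[SigningKey], kid: Optional[str]) -> str:
    """Return the resolved key's public_key, or the error text, for easy inspection."""
    try:
        return get_signing_key(signing_keys, kid).public_key
    except JWKSMatchError as exc:
        return f"error: {exc}"


# Constructed sample key sets covering the single-key and multi-key cases.
SINGLE_KEY_JWKS = [SigningKey(key_id=None, public_key="pem-A")]
MULTI_KEY_JWKS = [SigningKey(key_id="k1", public_key="pem-1"),
                  SigningKey(key_id="k2", public_key="pem-2")]
```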

@couling couling marked this pull request as draft June 26, 2025 10:21

couling commented Jun 26, 2025

I've converted this back to a draft for now. I've just spotted something stranger in the example I'm seeing in the wild, and I want to be sure that both the issue #1072 and this PR are capturing the correct behaviour, both for the RFC standard and for a real working example.

Development

Successfully merging this pull request may close these issues.

Support JWTs with no kid in the header