DPoP Proof JWT should not have kid within its JWT header paramenters

[peppelinux]

The current implementation of DPoP (Demonstration of Proof-of-Possession) is incorrect. It requires the inclusion of a kid (Key ID) in the dpop+jwt (JSON Web Token), which is not necessary according to the DPoP specification.

[LadyCodesItBetter]

Currently, the kid is automatically added by the cryptojwt library during key generation. For example, in the test_dpop.py file, we use the method new_ec_key:

PRIVATE_JWK_EC = new_ec_key('P-256')

This method automatically assigns a kid if none is explicitly provided, through the _rk.add_kid() call in the library.

The question is: do we want to remove the kid afterward to comply with the DPoP specification, or is it acceptable to keep it as a SHOULD NOT meaning?

If we decide to remove the kid, we could implement an explicit solution in both the tests and the DPoPIssuer class to ensure the parameter is excluded from the JWT header.

@peppelinux looking for confirmation on how to proceed to align with the specification and avoid any ambiguity.

[peppelinux]

before using the key for the signature, remove the kid from the EC object

[Zicchio]

We already have a flag to include (or drop) a kid from a token header; but I'm not if it is unit tested and the logic might not be 100% sound - maybe start from there

eudi-wallet-it-python/pyeudiw/jwt/jws_helper.py

Line 58 in 68246ab

kid_in_header: bool = True,

eudi-wallet-it-python/pyeudiw/jwt/jws_helper.py

Lines 123 to 131 in 68246ab

	if kid_in_header and signer_kid:
	protected["kid"] = signer_kid # note that is actually redundant as the underlying library auto-update the header with the kid
	# this is a hack: if the header to be signed does NOT have kid and we do
	# not want to include it, then we must remove it from the signing kid
	# otherwise the signing library will auto insert it
	if not kid_in_header and not header_kid:
	signing_key = deepcopy(signing_key)
	signing_key.pop("kid", None)