Red Hat 3scale API Management: THREESCALE-8601

JWK "alg" check should be optional


When validating a JWT in APIcast, we currently validate the JWT header alg against the JWK alg.

Some OIDC providers (such as AzureAD) do not specify an algorithm in the JWKs, as this field is optional.

We should only validate the alg field against the JWK if it is actually present in the JWK.

This DOES NOT mean we should not validate it against the whitelisted algorithms present in the service discovery endpoint, as these are two separate checks.

Dev notes: It's an easy fix that can be resolved by checking for the existence of the alg field returned in the JWK and skipping the matching logic with the jwt.header.alg in case it doesn't exist. Regarding the vulnerability that was addressed in the last release, that behaviour will be unaffected, but customers using OpenID Providers which do not set an alg value in the JWK will be offered slightly less security (that is an implementation detail of the OpenID Provider and not 3scale/APIcast).
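The two separate checks described above, as an added illustration that is not APIcast's own (Lua) code: plain Python with hypothetical names, where the discovery allow-list is always enforced and the JWK alg comparison runs only when the JWK carries an alg. The key-type compatibility check at the end goes beyond the issue and is an assumption of this example.

```python
# Added example for THREESCALE-8601; not APIcast code. All names are hypothetical.
from typing import Mapping, Sequence


class AlgMismatch(Exception):
    """Raised when the token's alg fails one of the checks."""


# Algorithm family prefix -> JWK key type that can carry it (RFC 7518 / RFC 8037).
ALG_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct", "Ed": "OKP"}


def check_alg(jwt_header: Mapping, jwk: Mapping, allowed_algs: Sequence[str]) -> str:
    alg = jwt_header.get("alg")
    # Check 1: the allow-list taken from the provider's discovery document
    # (id_token_signing_alg_values_supported). This is always enforced.
    if not alg or alg == "none" or alg not in allowed_algs:
        raise AlgMismatch(f"alg {alg!r} not in allowed list {list(allowed_algs)}")
    # Check 2: compare with the JWK's own alg, but only when the JWK has one
    # (the field is optional per RFC 7517; AzureAD omits it).
    jwk_alg = jwk.get("alg")
    if jwk_alg is not None and jwk_alg != alg:
        raise AlgMismatch(f"token alg {alg!r} does not match JWK alg {jwk_alg!r}")
    # Assumed extra defence (not in the issue): with no JWK alg to compare,
    # at least require that the key type can carry this algorithm family.
    if jwk_alg is None and ALG_KTY.get(alg[:2]) != jwk.get("kty"):
        raise AlgMismatch(f"alg {alg!r} incompatible with key type {jwk.get('kty')!r}")
    return alg


# Constructed sample inputs (placeholders, not real key material).
ALLOWED = ["RS256", "RS384"]
JWK_WITH_ALG = {"kty": "RSA", "kid": "k1", "alg": "RS256", "n": "...", "e": "AQAB"}
JWK_NO_ALG = {"kty": "RSA", "kid": "k2", "n": "...", "e": "AQAB"}


def verdict(header: Mapping, jwk: Mapping, allowed: Sequence[str] = ALLOWED) -> str:
    """Return 'ok:<alg>' or 'reject:<reason>' for a (header, JWK) pair."""
    try:
        return "ok:" + check_alg(header, jwk, allowed)
    except AlgMismatch as exc:
        return "reject:" + str(exc)


if __name__ == "__main__":
    print(verdict({"alg": "RS256"}, JWK_NO_ALG))    # accepted after the fix
    print(verdict({"alg": "HS256"}, JWK_NO_ALG))    # still rejected by the allow-list
```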

People: Unassigned, Shannon Poole, Jakub Urban, Kevin Price