The OpenID Connect certification suite performs tests with OIDC request objects (also described in RFC9101) that use the 'none' alg. Here is an example of a request object built by the test suite:
eyJhbGciOiJub25lIn0.eyJzY29wZSI6Im9wZW5pZCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly93d3cuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0L3Rlc3QvYS9DYW5haWxsZS9jYWxsYmFjayIsInN0YXRlIjoib09pTVNMZ1VNOCIsIm5vbmNlIjoiR2Jaa2JwZkpIZCIsImNsaWVudF9pZCI6Im9hQnQ3dFN5UElJaFE4Mk9HZEpFVlZ1ektDa1JvS0dINmJjMXZiYzk0cSJ9.
Currently, joserfc does not allow reading such a JWT:
>>> payload = "eyJhbGciOiJub25lIn0.eyJzY29wZSI6Im9wZW5pZCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly93d3cuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0L3Rlc3QvYS9DYW\
5haWxsZS9jYWxsYmFjayIsInN0YXRlIjoib09pTVNMZ1VNOCIsIm5vbmNlIjoiR2Jaa2JwZkpIZCIsImNsaWVudF9pZCI6Im9hQnQ3dFN5UElJaFE4Mk9HZEpFVlZ1ektDa1JvS0dINmJjMXZiYzk0cSJ9."
>>> from joserfc import jwt
>>> jwt.decode(payload, None)
Traceback (most recent call last):
File "<python-input-2>", line 1, in <module>
jwt.decode(payload, None)
~~~~~~~~~~^^^^^^^^^^^^^^^
File "/home/eloi/dev/joserfc/src/joserfc/jwt.py", line 96, in decode
header, payload = _decode_jws(_value, key, algorithms, registry)
~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/eloi/dev/joserfc/src/joserfc/jwt.py", line 121, in _decode_jws
jws_obj = deserialize_compact(value, key, algorithms, registry)
File "/home/eloi/dev/joserfc/src/joserfc/jws.py", line 171, in deserialize_compact
if not validate_compact(obj, public_key, algorithms, registry):
~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/eloi/dev/joserfc/src/joserfc/jws.py", line 139, in validate_compact
key: Key = guess_key(public_key, obj)
~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/home/eloi/dev/joserfc/src/joserfc/jwk.py", line 77, in guess_key
raise ValueError("Invalid key")
ValueError: Invalid key
Nor is it possible to build a JWT with the none alg:
>>> jwt.encode({"alg": "none"}, {"k": "value"}, None)
Traceback (most recent call last):
File "<python-input-3>", line 1, in <module>
jwt.encode({"alg": "none"}, {"k": "value"}, None)
~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/eloi/dev/joserfc/src/joserfc/jwt.py", line 71, in encode
return serialize_compact(_header, payload, key, algorithms, registry)
File "/home/eloi/dev/joserfc/src/joserfc/jws.py", line 112, in serialize_compact
alg: JWSAlgModel = registry.get_alg(protected["alg"])
~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/home/eloi/dev/joserfc/src/joserfc/rfc7515/registry.py", line 60, in get_alg
raise UnsupportedAlgorithmError(f"Algorithm of '{name}' is not recommended")
joserfc.errors.UnsupportedAlgorithmError: unsupported_algorithm: Algorithm of 'none' is not recommended
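As an added example (not joserfc code), here is a small stand-alone parser for the Unsecured JWS form shown above. It accepts alg "none" only when the caller opts in explicitly, requires the signature segment to be empty, and rejects everything else, so a certification-suite request object can be read without a 'none' token ever being mistaken for a signed one. The `rejects` helper and the HS256-header variant are constructed for illustration.

```python
import base64
import json

class UnsecuredJWSError(ValueError):
    """Raised when a token is not an acceptable Unsecured JWS."""

def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unsecured_jws(token: str, allow_none: bool = False) -> dict:
    """Payload of an alg "none" compact JWS (RFC 7515 Appendix A.5).
    "none" is honoured only when the caller passes allow_none=True, so such a
    token can never slip through a code path that expects a signed JWT."""
    if not allow_none:
        raise UnsecuredJWSError("alg 'none' is not permitted here")
    parts = token.split(".")
    if len(parts) != 3:
        raise UnsecuredJWSError("compact JWS needs exactly three segments")
    header_seg, payload_seg, signature_seg = parts
    header = json.loads(_b64url_decode(header_seg))
    if not isinstance(header, dict) or header.get("alg") != "none":  # exact match
        raise UnsecuredJWSError("header alg is not 'none'")
    if signature_seg != "":
        raise UnsecuredJWSError("unsecured JWS must end with an empty signature")
    if "crit" in header:
        raise UnsecuredJWSError("critical header parameters are not supported")
    return json.loads(_b64url_decode(payload_seg))

def rejects(token: str, allow_none: bool = False) -> bool:
    """True when decode_unsecured_jws refuses the token for any reason."""
    try:
        decode_unsecured_jws(token, allow_none)
    except ValueError:  # UnsecuredJWSError, bad base64 and bad JSON all subclass it
        return True
    return False

# Request object quoted in the issue above (alg "none", empty signature segment)
REQUEST_OBJECT = (
    "eyJhbGciOiJub25lIn0."
    "eyJzY29wZSI6Im9wZW5pZCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoi"
    "aHR0cHM6Ly93d3cuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0L3Rlc3QvYS9DYW5haWxsZS9jYWxsYmFjayIs"
    "InN0YXRlIjoib09pTVNMZ1VNOCIsIm5vbmNlIjoiR2Jaa2JwZkpIZCIs"
    "ImNsaWVudF9pZCI6Im9hQnQ3dFN5UElJaFE4Mk9HZEpFVlZ1ektDa1JvS0dINmJjMXZiYzk0cSJ9."
)
# Constructed variant: header swapped to {"alg":"HS256"}, signature still empty
HS256_HEADER_TOKEN = REQUEST_OBJECT.replace("eyJhbGciOiJub25lIn0.", "eyJhbGciOiJIUzI1NiJ9.", 1)
```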