feat: Add Key ID (kid) support to JWT assertions

Adds support for the 'kid' (Key ID) header parameter in JWT assertions,
allowing clients to specify the key identifier used for signing. This
improves key management and verification in systems consuming JWTs.

Updates `OAuth2::Strategy::Assertion#build_assertion` to accept
`kid` in `encoding_opts` and include it in the JWT header.
Also adds a test case to verify the functionality.

Author: mridang

lib/oauth2/strategy/assertion.rb

@@ -95,8 +95,12 @@ def build_request(assertion, request_opts = {})
       def build_assertion(claims, encoding_opts)
         raise ArgumentError.new(message: "Please provide an encoding_opts hash with :algorithm and :key") if !encoding_opts.is_a?(Hash) || (%i[algorithm key] - encoding_opts.keys).any?
 
-        JWT.encode(claims, encoding_opts[:key], encoding_opts[:algorithm])
+        headers = {}
+        headers[:kid] = encoding_opts[:kid] if encoding_opts.key?(:kid)
+
+        JWT.encode(claims, encoding_opts[:key], encoding_opts[:algorithm], headers)
       end
+
     end
   end
 end

spec/oauth2/strategy/assertion_spec.rb

@@ -164,6 +164,24 @@
             expect { client_assertion.get_token(claims, encoding_opts) }.to raise_error(ArgumentError, /encoding_opts/)
           end
         end
+
+        context "when including a Key ID (kid)" do
+          let(:algorithm) { "HS256" }
+          let(:key) { "new_secret_key" }
+          let(:kid) { "my_super_secure_key_id_123" }
+
+          before do
+            client_assertion.get_token(claims, algorithm: algorithm, key: key, kid: kid)
+            raise "No request made!" if @request_body.nil?
+          end
+
+          it_behaves_like "encodes the JWT"
+
+          it "includes the kid in the JWT header" do
+            expect(header).not_to be_nil
+            expect(header["kid"]).to eq(kid)
+          end
+        end
       end
     end