JWT header parsing is too strict.

[PipocaQuemada]

Currently, JWTtyp requires that the 'typ' in a JWT header is the string JWT.

However, the JWT spec (see https://tools.ietf.org/html/rfc7519#section-5.1) says

If present, it is RECOMMENDED that its value be "JWT" to indicate that this object is a JWT. While media type names are not case sensitive, it is RECOMMENDED that "JWT" always be spelled using uppercase characters for compatibility with legacy implementations.

I'm currently running into some problems because an external application is sending me JWTs with "typ"="at+jwt", so parsing the header fails.

[PipocaQuemada]

Looking at the spec, https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.9 mentions that

This parameter is ignored by JWS implementations; any processing of this parameter is performed by the JWS application.

Based on that, I think tsec should just parse it as an Option[String], and accept anything in there as valid. Particularly because none of the RFCs specify valid values for that field, only recommended ones. We should default to generating "typ"="JWT", but not require that when parsing a JWT.