feat(jwt-auth): support key_claim_name in JWT header

[esistfarouk]

Description

Summary

Currently, the jwt-auth plugin strictly searches for the key_claim_name (used to identify the Consumer) within the JWT Payload. However, many identity providers and standard JWT implementations place the Key ID (kid) or issuer (iss) solely in the JWT Header.

This PR enhances the plugin to look for the claim in both the Payload and the Header, ensuring broader compatibility with standard OIDC and third-party JWT providers.

Why this is needed

In many security architectures, the Header contains the metadata required to identify which key or secret should be used to verify the signature. By restricting the lookup to the Payload, APISIX currently forces developers to either:

1. Non-standardly duplicate the kid into the Payload.
2. Write custom serverless functions or modify core code to handle standard JWTs.

This change makes the jwt-auth plugin more robust and "plug-and-play" for modern authentication flows.

Changes

• Plugin Logic: Modified find_consumer in apisix/plugins/jwt-auth.lua.
• Fallback Mechanism: Updated the user_key lookup to check the JWT Header if the claim is missing from the Payload.
• Backward Compatibility: Maintained existing behavior by prioritizing the Payload if the claim exists in both locations.

Verification Results

• Test Case 1: JWT with kid in Header only (HS512) -> Passed (Consumer identified, Signature verified).
• Test Case 2: JWT with claim in Payload only -> Passed (Backward compatibility confirmed).
• Test Case 3: JWT with claim in both Header and Payload -> Passed (Payload prioritized).