SSRF in JWT parameters
andresriancho opened this issue · 0 comments
andresriancho commented
In some scenarios the x5u and jku header parameters are used to specify URLs where the JWT parser should retrieve signing keys from:
evil_header = {}  # JOSE header whose key-lookup URLs point at a host chosen by the tester
evil_header['x5u'] = 'http://xyz/foo'
evil_header['jku'] = 'http://xyz/foo'
Maybe I could add a test like this one in the fuzzer?
It is also possible to embed a JWK, which also has parameters to try to exploit SSRF.
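For the defending side of the same issue, here is an added example (not code from the issue author or from the project the issue was filed against) showing how a JWT verifier can refuse key-lookup URLs instead of dereferencing them blindly. It decodes the JOSE header of a compact token, then checks the jku and x5u parameters, and the same two parameters nested inside an embedded jwk object, against an assumed allowlist of key hosts, requiring https and rejecting loopback, private and link-local addresses. The allowlist host and the sample tokens are constructed for the demonstration.

```python
import base64
import ipaddress
import json
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption for this example: the only host this verifier may fetch keys from.
ALLOWED_KEY_HOSTS = {"keys.example.com"}

# Header parameters that carry a URL the parser may dereference (RFC 7515, 4.1.2 and 4.1.5);
# an embedded "jwk" object (RFC 7515, 4.1.3) may carry the same two parameters (RFC 7517, 4.6 and 4.7).
URL_PARAMS = ("jku", "x5u")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_header(token: str) -> dict:
    """Decode only the JOSE header of a compact-serialized JWT (no signature check here)."""
    header_segment = token.split(".")[0]
    return json.loads(_b64url_decode(header_segment))


def url_problem(url) -> Optional[str]:
    """Return the reason this key URL must not be fetched, or None if it is acceptable."""
    if not isinstance(url, str):
        return "URL parameter is not a string"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} is not https"
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal; fall through to the allowlist check
    if ip is not None and not ip.is_global:
        return f"host {host} is a private, loopback or link-local address"
    if host not in ALLOWED_KEY_HOSTS:
        return f"host {host!r} is not in the key-server allowlist"
    return None


def key_url_findings(header: dict) -> List[str]:
    """Collect every reason the header's key-lookup URLs should be refused (empty list = OK)."""
    findings = []
    for name in URL_PARAMS:
        if name in header:
            problem = url_problem(header[name])
            if problem:
                findings.append(f"{name}: {problem}")
    jwk = header.get("jwk")
    if isinstance(jwk, dict):
        for name in URL_PARAMS:
            if name in jwk:
                problem = url_problem(jwk[name])
                if problem:
                    findings.append(f"jwk.{name}: {problem}")
    return findings


def make_token(header: dict) -> str:
    """Build an unsigned compact JWT with the given header (constructed sample input only)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc(header)}.{enc({'sub': 'demo'})}."


if __name__ == "__main__":
    # Constructed headers: one legitimate, three that a verifier should refuse to follow.
    samples = [
        {"alg": "RS256", "jku": "https://keys.example.com/jwks.json"},
        {"alg": "RS256", "x5u": "http://xyz/foo"},
        {"alg": "RS256", "jku": "https://169.254.169.254/latest"},
        {"alg": "RS256", "jwk": {"kty": "RSA", "x5u": "https://attacker.example/keys"}},
    ]
    for sample in samples:
        print(sample, "->", key_url_findings(parse_header(make_token(sample))) or "OK")
```

A verifier that wires `key_url_findings` in before any key fetch turns the fuzzer's x5u/jku/jwk cases from a server-side request into a logged rejection; the check runs on the decoded header only, so it costs nothing when those parameters are absent.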