Pass correct algorithms argument to jwt.decode

[andersk]

Proposed changes

Several backends passed an incorrect and/or unverified algorithms argument to jwt.decode. The apple backend passed an unused algorithm argument instead. The azuread_b2c, azuread_tenant, and open_id_connect backends passed a value from the untrusted JWT header, potentially opening up a vulnerability to symmetric/asymmetric confusion attacks. Additionally, the azuread_b2c and azuread_tenant backends incorrectly passed it as a string rather than a list.

Types of changes

Please check the type of change your PR introduces:

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (PEP8, lint, formatting, renaming, etc)
• Refactoring (no functional changes, no api changes)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Build related changes (build process, tests runner, etc)
• Other (please describe):

Checklist

Put an x in the boxes that apply. You can also fill these out after creating
the PR. If you're unsure about any of them, don't hesitate to ask. We're here to
help! This is simply a reminder of what we are going to look for before merging
your code.

• Lint and unit tests pass locally with my changes
  • (What lint?)
• I have added tests that prove my fix is effective or that my feature works

Other information

Any other information that is important to this PR such as screenshots of how
the component looks before and after the change.

[andersk]

I rebased this on #515 to get Travis passing since it’s failing on master.

[nijel]

Good catch.

PS: The JWT documentation shows wrong example here, that's why it's probably used that way. See jpadilla/pyjwt#530

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[andersk]

Go away, stale bot.