authorize: add signature algo support (RSA / EdDSA) (#1631)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
bobby 2020-11-30 17:14:41 -08:00 committed by GitHub
parent 652e8bb3d3
commit 5bbd745934
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 376 additions and 269 deletions


@ -12,14 +12,14 @@ This article describes how to retrieve a user's identity from a pomerium managed
To secure your app with signed headers, you'll need the following:
- An application you want users to connect to.
- A [JWT] library that supports the `ES256` algorithm.
- A [JWT] library. We strongly recommend using `ES256` or `EdDSA` over `RSA` based algorithms which are often much faster. When in doubt, use `ES256`
## Verification
If a [signing key] is set, the user's associated identity information will be included in a signed attestation JWT that will be added to each requests's upstream header `X-Pomerium-Jwt-Assertion`. You should verify that the JWT contains at least the following claims:
[JWT] | description
:------: | ------------------------------------------------------------------------------------------------------
:------: | -----------------------------------------------------------------------------------------
`exp` | Expiration time in seconds since the UNIX epoch. Allow 1 minute for skew.
`iat` | Issued-at time in seconds since the UNIX epoch. Allow 1 minute for skew.
`aud` | The client's final domain e.g. `httpbin.corp.example.com`.
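Review bot: the rewritten requirements line is ambiguous; "We strongly recommend using `ES256` or `EdDSA` over `RSA` based algorithms which are often much faster" can be read as saying the RSA-based algorithms are the faster ones, and the sentence that follows has no full stop. Suggest: "We strongly recommend `ES256` or `EdDSA`, which are often much faster than RSA-based algorithms. When in doubt, use `ES256`." Nit in the unchanged context line of this hunk: "each requests's upstream header" should be "each request's upstream header".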
@ -50,6 +50,21 @@ $ curl https://authenticate.int.example.com/.well-known/pomerium/jwks.json | jq
}
```
```json
{
"keys": [
{
"use": "sig",
"kty": "OKP",
"kid": "3aa847838906f3c930f55c2d5885943ac7bede8f780d388015575334f88e77ef",
"crv": "Ed25519",
"alg": "EdDSA",
"x": "xsg1A67wECXAmRnSib8lSsgatcNcYm7vvspQnocPQNc"
}
]
}
```
### Manual verification
Though you will very likely be verifying signed-headers programmatically in your application's middleware, and using a third-party JWT library, if you are new to JWT it may be helpful to show what manual verification looks like.
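Review bot: the added `json` block is placed directly after the closing fence of the existing JWKS example with no sentence saying what it is, so the section now shows two consecutive JWKS documents and the reader has to infer from `"crv": "Ed25519"` / `"alg": "EdDSA"` which one applies. Suggest a one-line lead-in before the new fence, e.g. "If the signing key is an Ed25519 key, the JWKS will instead look like:". Since the JWKS now advertises its `alg` (`EdDSA` here, `ES256` in the existing example), it would also help the verification guidance to say that verifiers should accept only the algorithm matching the key type published in the JWKS rather than whatever `alg` the token header claims.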