#108 and #109 added a "hack" to allow the key id to be determined when signing with IAM and App Engine. The reasoning for this is that the key id is needed to populate the kid claim in the JWT header.
It turns out, the kid field is optional according to the JWT spec. If it's absent, it's undefined what to do with it, but it seems that most clients will try all available certs (which is what we do as well).
@dhermes @lukesneeringer what do you think about allowing key_id to be None for iam.Signer and app_engine.Signer?
I am torn between my preference to be explicit (i.e. require key_id) and my preference to avoid round-trips (i.e. key_id is not available locally and can't be safely cached).
If I had to break the tie, I'd go with the distaste for round-trips: allow key_id to be None.
It's also the case that Google's infrastructure doesn't seem to require a KID to be present. I need to do some more verification, but from my initial tests that appears to be the case.
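The verifier behaviour this thread relies on, as an added example that is not code from the thread or from the library under discussion: `kid` is treated as an optional hint, so a token without it is checked against every trusted key, while a token naming a `kid` is checked only against that key. HMAC-SHA256 stands in for the certificate-based signatures so the block runs on the standard library alone; `sign`, `verify` and `KEYS` are hypothetical names and the key values are constructed.

```python
import base64, hashlib, hmac, json

# Constructed sample key set, keyed by key id (stand-in for a cert mapping).
KEYS = {"k1": b"constructed-secret-one", "k2": b"constructed-secret-two"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict, key: bytes, key_id=None) -> str:
    """Build a compact JWT; the kid header is emitted only when key_id is given."""
    header = {"typ": "JWT", "alg": "HS256"}
    if key_id is not None:
        header["kid"] = key_id
    signing_input = ".".join(_b64url(json.dumps(p).encode()) for p in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token: str, keys: dict) -> dict:
    """Return the payload if a candidate key verifies the token, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        signature = _unb64url(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier side instead of trusting the header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected header")
    kid = header.get("kid")
    if kid is None:
        candidates = list(keys.values())  # no kid: try every trusted key
    elif kid in keys:
        candidates = [keys[kid]]          # kid present: only the named key
    else:
        raise ValueError("unknown kid")   # a named but untrusted key is rejected
    signing_input = (header_b64 + "." + payload_b64).encode()
    for key in candidates:
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, signature):
            return json.loads(_unb64url(payload_b64))
    raise ValueError("no trusted key verifies this token")
```

Omitting `kid` costs the verifier one signature check per trusted key in the worst case; it does not widen the set of keys that are trusted.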