Migration needed: EdDSA algorithm identifier deprecated in favor of Ed25519 (RFC 9864) #718

@aldbr

I've noticed a deprecation warning in our DiracX pods:

SecurityWarning: EdDSA is deprecated via RFC 9864

RFC 9864 deprecates the polymorphic "EdDSA" algorithm identifier in favor of fully-specified identifiers like "Ed25519" or "Ed448". This affects our JWT signing and verification code that uses joserfc.

Impact:

  • Currently just a warning
  • Future versions of joserfc may drop support for "EdDSA"
  • No security vulnerability, just a standards compliance update

Required Changes:

  • Update key generation code to use "alg": "Ed25519" instead of "alg": "EdDSA"
  • Update token_allowed_algorithms to support both during migration
  • Rotate keys in production environments

If you're running diracx in production, you'll need to perform a similar migration (anyone? CTAO?).
The code will support both EdDSA and Ed25519 algorithm identifiers during the transition period to allow all communities time to migrate their keystores without service interruption. Each community should plan their own key rotation once the updated code is deployed.

I will come up with a migration plan, test it within our LHCb environment, and share the procedure here for other communities to follow.
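The transition policy described in the issue, as an added example that is not DiracX or joserfc code: it uses only the standard library, checks a JWT's protected header `alg` against a transition allow-list (Ed25519 accepted, EdDSA accepted with a deprecation warning, anything else rejected), and rewrites an OKP JWK's `alg` from the polymorphic `EdDSA` to the identifier implied by its curve for key rotation. The names `TOKEN_ALLOWED_ALGORITHMS`, `TRANSITIONAL_ALGORITHMS`, `classify_alg`, `check_token_alg` and `migrate_jwk` are assumptions for this example, and the token built by `_token_with_header` is a constructed header-only token; the signature check itself is assumed to be done by joserfc with the same algorithm, not by this code.

```python
"""Transition policy for the EdDSA -> Ed25519 algorithm identifier (RFC 9864).

Added example, not DiracX or joserfc code. Standard library only: it inspects
the JWT protected header and rewrites JWK "alg" members; signature
verification stays with the JOSE library (assumed to be joserfc).
All function and constant names are illustrative.
"""
import base64
import json
import warnings

# Fully specified identifiers (RFC 9864), keyed by the OKP curve they belong to.
CURVE_TO_ALG = {"Ed25519": "Ed25519", "Ed448": "Ed448"}

# Transition policy (assumed names): accepted outright vs. accepted with a warning.
TOKEN_ALLOWED_ALGORITHMS = {"Ed25519"}
TRANSITIONAL_ALGORITHMS = {"EdDSA"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _token_with_header(header: dict) -> str:
    """Constructed demo token: given header, empty JSON payload, no signature."""
    seg = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return f"{seg}.e30."


def classify_alg(alg) -> str:
    """Map a header alg to 'allowed', 'deprecated' or 'rejected' under the policy."""
    if alg in TOKEN_ALLOWED_ALGORITHMS:
        return "allowed"
    if alg in TRANSITIONAL_ALGORITHMS:
        return "deprecated"
    return "rejected"


def check_token_alg(token: str) -> str:
    """Return the header alg if the policy permits it, else raise ValueError.

    Only the protected header is parsed here; the JOSE library must still
    verify the signature using exactly this algorithm (never one chosen by
    the token alone), which is why the allow-list is enforced first.
    """
    header = json.loads(_b64url_decode(token.split(".")[0]))
    alg = header.get("alg")
    decision = classify_alg(alg)
    if decision == "rejected":
        raise ValueError(f"alg {alg!r} is not permitted")
    if decision == "deprecated":
        warnings.warn(
            f"{alg} is deprecated via RFC 9864; rotate keys to Ed25519",
            DeprecationWarning,
        )
    return alg


def migrate_jwk(jwk: dict) -> dict:
    """Return a copy of an OKP JWK with 'alg' set to the fully specified
    identifier for its curve (EdDSA -> Ed25519 / Ed448). Non-OKP keys are
    returned unchanged."""
    migrated = dict(jwk)
    if migrated.get("kty") != "OKP":
        return migrated
    crv = migrated.get("crv")
    if crv not in CURVE_TO_ALG:
        raise ValueError(f"unsupported OKP curve {crv!r}")
    migrated["alg"] = CURVE_TO_ALG[crv]
    return migrated


if __name__ == "__main__":
    # Constructed keystore entry of the kind the issue says must be rotated.
    old_key = {"kty": "OKP", "crv": "Ed25519", "alg": "EdDSA", "x": "placeholder"}
    print(migrate_jwk(old_key)["alg"])  # Ed25519
    print(check_token_alg(_token_with_header({"alg": "EdDSA", "typ": "JWT"})))
```

During the transition both identifiers pass `check_token_alg`; once every community has rotated its keystore, dropping `"EdDSA"` from `TRANSITIONAL_ALGORITHMS` turns the warning into a rejection without touching the rest of the code.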
