
id_token_signed_response_alg should take precedence to sign id_token #806

@azmeuk

Describe the bug

This is a follow-up to #802 and #755.

Currently, to find the alg to use to sign id_tokens, Authlib:

  • use alg if it is set in get_jwt_config() if defined
  • else use client.id_token_signed_response_alg if defined
  • else use the default RS256

I think client.id_token_signed_response_alg should be the primary option, as this is an explicit per-client configuration, defined in the spec. get_jwt_config()["alg"] could be considered as a custom default alg.

This may be a breaking change, so I think this could be introduced in a next 1.X release.

Maybe if the get_jwt_config thing is overhauled, this can go with a deprecation time in 1.7 and released with 1.8?
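The two precedence orders described in the issue, side by side, as an added example that is not Authlib's code or part of the original report. The `jwt_config` dict stands in for the value returned by `get_jwt_config()`, and `Client` is a stand-in for an Authlib client object carrying `id_token_signed_response_alg`; both shapes are assumptions for illustration. The `rp_accepts` check shows why the order matters: a relying party that registered an explicit `id_token_signed_response_alg` is required by OpenID Connect Core ID token validation to reject an id_token whose JOSE header `alg` does not match, so a globally configured `alg` that overrides the per-client value produces tokens the client will not accept.

```python
"""Resolve the id_token signing alg the way the issue says Authlib does
today, and the way the issue proposes.  Added example; the config and
client shapes are assumptions, not Authlib internals."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_ALG = "RS256"  # spec default when nothing else is configured


@dataclass
class Client:
    """Minimal stand-in for an OAuth client record (assumed shape)."""
    client_id: str
    # Value the client supplied at registration; None if it did not.
    id_token_signed_response_alg: Optional[str] = None


def current_alg(jwt_config: dict, client: Client) -> str:
    """Order described as current behaviour: global config alg wins,
    then the client's registered alg, then RS256."""
    if jwt_config.get("alg"):
        return jwt_config["alg"]
    if client.id_token_signed_response_alg:
        return client.id_token_signed_response_alg
    return DEFAULT_ALG


def proposed_alg(jwt_config: dict, client: Client) -> str:
    """Order proposed in the issue: the explicit per-client registration
    wins, and get_jwt_config()["alg"] only acts as a custom default."""
    if client.id_token_signed_response_alg:
        return client.id_token_signed_response_alg
    return jwt_config.get("alg") or DEFAULT_ALG


def rp_accepts(header_alg: str, registered_alg: Optional[str]) -> bool:
    """Relying-party side of the check: the id_token header alg must be
    RS256 by default, or exactly the alg the client registered."""
    expected = registered_alg or DEFAULT_ALG
    return header_alg == expected


def compare(jwt_config: dict, client: Client) -> dict:
    """Report which order yields a token the registering client accepts."""
    cur = current_alg(jwt_config, client)
    prop = proposed_alg(jwt_config, client)
    return {
        "current": cur,
        "current_accepted": rp_accepts(cur, client.id_token_signed_response_alg),
        "proposed": prop,
        "proposed_accepted": rp_accepts(prop, client.id_token_signed_response_alg),
    }


if __name__ == "__main__":
    # Constructed scenario: server-wide alg set to RS256, client registered ES256.
    cfg = {"alg": "RS256"}
    es_client = Client("es-client", id_token_signed_response_alg="ES256")
    print(compare(cfg, es_client))
```

With the constructed scenario, `current_alg` returns the global `RS256` and the ES256-registered client rejects the token, while `proposed_alg` returns `ES256`; a client that registered nothing gets the configured `alg` (or `RS256`) under both orders, which is the compatible case.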
