This repository has been archived by the owner on Sep 1, 2020. It is now read-only.

Nested request objects must include cty:JWT in the JWE header #183

Open
yv13 opened this issue Jul 16, 2019 · 1 comment

@yv13

yv13 commented Jul 16, 2019

Signed + encrypted request objects are expected to have the "cty" header parameter set to "JWT":

https://tools.ietf.org/html/rfc7519#section-5.2

The "cty" (content type) Header Parameter defined by [JWS] and [JWE]
is used by this specification to convey structural information about
the JWT.

In the normal case in which nested signing or encryption operations
are not employed, the use of this Header Parameter is NOT
RECOMMENDED. In the case that nested signing or encryption is
employed, this Header Parameter MUST be present; in this case, the
value MUST be "JWT", to indicate that a Nested JWT is carried in this
JWT. While media type names are not case sensitive, it is
RECOMMENDED that "JWT" always be spelled using uppercase characters
for compatibility with legacy implementations. See Appendix A.2 for
an example of a Nested JWT.

One of the affected tests is OP-request_uri-Enc.
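A check for this rule, added here as an illustration (it is not code from the conformance suite): given a JWE's protected header and the plaintext obtained after decrypting it, it flags a nested JWS that lacks cty "JWT", warns on a lowercase spelling, and warns when cty is present without nesting. The HS256 inner JWS, its key and the header values are constructed; JWE decryption itself is left to the caller.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def looks_like_jws(plaintext: bytes) -> bool:
    """True if the decrypted JWE plaintext is a compact JWS: three base64url
    segments whose first segment is a JSON header carrying "alg"."""
    try:
        parts = plaintext.decode("ascii").split(".")
        if len(parts) != 3:
            return False
        header = json.loads(b64url_decode(parts[0]))
        return isinstance(header, dict) and "alg" in header
    except (UnicodeDecodeError, ValueError):
        return False

def check_nested_cty(jwe_header: dict, plaintext: bytes) -> list:
    """Findings for the RFC 7519 section 5.2 rule on the JWE protected header,
    evaluated after decryption (decryption itself is done by the caller)."""
    findings = []
    cty = jwe_header.get("cty")
    if looks_like_jws(plaintext):
        if cty is None:
            findings.append("ERROR: nested JWT but JWE header has no cty")
        elif str(cty).upper() != "JWT":
            findings.append(f"ERROR: nested JWT but cty is {cty!r}, not 'JWT'")
        elif cty != "JWT":
            findings.append(f"WARN: cty {cty!r} should be spelled 'JWT'")
    elif cty is not None:
        findings.append("WARN: cty present but the payload is not a nested JWT")
    return findings

def make_hs256_jws(claims: dict, key: bytes) -> bytes:
    """Constructed inner JWS (HS256) standing in for a signed request object."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}".encode()

# constructed sample: a signed request object as it looks once the JWE is decrypted
INNER_JWS = make_hs256_jws({"client_id": "example-client", "response_type": "code"}, b"constructed-key")
JWE_HEADER_OK = {"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "JWT"}
JWE_HEADER_BAD = {"alg": "RSA-OAEP", "enc": "A256GCM"}
```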

@selfissued

Hans to ask for clarifications, per 11-Oct-19 certification call.

If we're looking at nested JWTs, we should validate this requirement.
