Messed up security when using different Alg than HS256

As the config array get merged (deep):
If you specify allowedAlgs => ['RS256'], you end up with allowedAlgs beeing set to ['HS256', 'RS256'], which is *NOT* the intended result and causes an attacker to be able to alter the Token and create a good signature with just the public key!
