
Allow disabling OAuth2 / OIDC provider discovery explicitly

Open delbertooo opened this issue 5 months ago • 8 comments

I think it would be useful to disable the OAuth2 / OIDC discovery explicitly. At this moment this is possible implicitly by configuring every necessary detail of the client registration and provider but skipping the provider's issuerUri. This disables the discovery via OAuth2ClientPropertiesMapper.

Why

  • Someone wants the service to not require the IdP to be available at startup.

  • Some code may need the issuerUri to function properly.

    In fact, there already is such code: Spring Security's OIDC back channel logout validates the provider's issuerUri in OidcBackChannelLogoutTokenValidator and ends up with an NPE if you did not set an issuerUri.

    So setting the issuerUri means you are forced to use discovery. Leaving it null means no working back channel logout, at least not with auto configuration.

How?

I'm not quite sure. Maybe a new property:

# default (fallback) value: true
spring.security.oauth2.client.provider.MY_PROVIDER.discovery=false

Setting this to false would opt-out the discovery. The current behaviour should be kept as default.

delbertooo Sep 06 '24 12:09
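The implicit opt-out the issue describes (every provider endpoint spelled out, no issuer-uri) next to the discovery-based form, as an added example that is not part of the issue or of Spring Boot's own documentation; the provider id, client id and every URL are constructed placeholders.

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          my-provider:
            client-id: my-client-id                         # constructed placeholder
            client-secret: "${OAUTH2_CLIENT_SECRET}"        # supplied from the environment, never committed
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope: openid,profile,email
            provider: my-provider
        provider:
          my-provider:
            # Variant A (discovery): setting issuer-uri makes Boot fetch
            # <issuer-uri>/.well-known/openid-configuration while building the
            # ClientRegistration, so the IdP must be reachable at startup.
            # issuer-uri: https://idp.example.test/oauth2          # constructed placeholder
            #
            # Variant B (implicit opt-out, what the issue calls the current workaround):
            # leave issuer-uri unset and give every endpoint explicitly. No discovery
            # request is made at startup. Caveat from the issue: with issuer-uri null,
            # OidcBackChannelLogoutTokenValidator has no issuer to validate against and
            # fails with an NPE, so OIDC back channel logout does not work in this variant.
            authorization-uri: https://idp.example.test/oauth2/authorize   # constructed placeholder
            token-uri: https://idp.example.test/oauth2/token               # constructed placeholder
            user-info-uri: https://idp.example.test/oauth2/userinfo        # constructed placeholder
            jwk-set-uri: https://idp.example.test/oauth2/jwks              # constructed placeholder
            user-name-attribute: sub
```

Exactly one of the two variants should be active for a given provider; the proposed `discovery=false` property would let Variant B keep issuer-uri set without triggering the startup fetch.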