
Support OpenID Connect Discovery to pull in endpoint urls and keysets

Open andytson opened this issue 4 years ago • 1 comments

All OpenID Connect standard-compliant servers implement .well-known endpoints for discovering underlying endpoint URLs and public keys (multiple for issues like rotation).

There is complexity in converting the keysets from JWK format to PEM.

If implementing discovery, provider configuration would then be at the minimum:

  • issuerUrl - The URL of the IdP, beneath which sits .well-known/openid-configuration
  • clientId - (if authenticating, not required for validation if allowedAudience supplied)
  • clientSecret - (if the IdP server requires it for authenticating)
  • allowedAudience - (optional for validation, matching either the string aud claim, or if aud claim is an array, one of the array entries)

Note: azp should not need to match clientId or audience if the service using the client is a resource server validating the access token, as another client could be entitled to access the resource server via a matching allowedAudience.

andytson avatar Jan 07 '21 17:01 andytson

FYI: https://github.com/acodercat/php-jwk-to-pem

The thing is that we should use an HTTP client dependency to retrieve them. I suggest using a PSR-18 client so we are able to use any HTTP client we want.

drupol avatar Mar 01 '21 13:03 drupol
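As an added example (not this library's code and not the package drupol linked), here is the JWK-to-PEM conversion the issue calls out as the hard part, done with a hand-rolled DER encoder for the RSA SubjectPublicKeyInfo structure, together with the aud matching rule from the allowedAudience bullet. SAMPLE_JWK is a constructed toy key with a 96-bit "modulus", not a real key, and the function names are the example's own.

```python
import base64

# Constructed sample JWK (not a real key): n = 0xc0ffee repeated, e = 65537 ("AQAB").
SAMPLE_JWK = {"kty": "RSA", "kid": "example-kid", "n": "wP_uwP_uwP_uwP_u", "e": "AQAB"}
# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def b64url_decode(s: str) -> bytes:
    """JWK fields are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def der_len(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|byte-count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(raw: bytes) -> bytes:
    """DER INTEGER from an unsigned big-endian value; a leading 0x00 keeps it positive."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + der_len(len(raw)) + raw

def der_sequence(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body

def rsa_jwk_to_der(jwk: dict) -> bytes:
    """SubjectPublicKeyInfo: SEQ { alg-id, BIT STRING { SEQ { INTEGER n, INTEGER e } } }."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA JWKs are handled here")
    rsa_public_key = der_sequence(der_integer(b64url_decode(jwk["n"])),
                                  der_integer(b64url_decode(jwk["e"])))
    bit_string = b"\x03" + der_len(len(rsa_public_key) + 1) + b"\x00" + rsa_public_key  # 0 unused bits
    return der_sequence(RSA_ALG_ID, bit_string)

def rsa_jwk_to_pem(jwk: dict) -> str:
    b64 = base64.b64encode(rsa_jwk_to_der(jwk)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

def audience_allowed(aud, allowed_audience: str) -> bool:
    """aud may be a string or an array of strings; accept when allowedAudience matches either way."""
    if isinstance(aud, str):
        return aud == allowed_audience
    return isinstance(aud, list) and allowed_audience in aud
```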