broch
Support signing and encryption key rotation
The OP needs to be able to manage keys as defined in
http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys
- Configure a lifetime for key(s) and a grace period within which old keys are valid
- Set a cache-control header on the jwks endpoint, based on the lifetime
- Retain old keys internally for the grace period
An RP implementation should be able to use the same code.
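The lifecycle the three bullets describe, as an added example that is not broch's own code (broch is a Haskell project; this is a stand-alone Python model of the policy). Key generation is abstracted behind a constructed `make_key` callable that returns only `kid`/`kty`/`use`; a real OP would fill in the public key fields from a freshly generated RSA/EC pair. `verification_keys` is the part an RP can share: the set of keys it should still accept.

```python
import json
from dataclasses import dataclass


@dataclass
class ManagedKey:
    kid: str
    public_jwk: dict   # public half, as published in the JWKS document
    created: float     # epoch seconds
    expires: float     # created + lifetime: after this, not used for new signatures


class KeyRing:
    """One active key signs; retired keys stay verifiable for `grace` seconds."""

    def __init__(self, lifetime, grace, make_key):
        self.lifetime = lifetime   # seconds a key is used for signing
        self.grace = grace         # seconds a retired key is still served and accepted
        self.make_key = make_key   # callable: () -> (kid, public_jwk)
        self.keys = []             # oldest first

    def rotate(self, now):
        """Mint a new key and drop any key that is past its grace period."""
        kid, jwk = self.make_key()
        self.keys.append(ManagedKey(kid, jwk, now, now + self.lifetime))
        self.keys = [k for k in self.keys if now < k.expires + self.grace]
        return self.keys[-1]

    def active(self, now):
        """Key to sign with right now, rotating lazily once the lifetime has elapsed."""
        if not self.keys or now >= self.keys[-1].expires:
            return self.rotate(now)
        return self.keys[-1]

    def verification_keys(self, now):
        """Active key plus retired keys still inside their grace period (RP-side rule too)."""
        self.active(now)
        return [k for k in self.keys if now < k.expires + self.grace]

    def jwks_response(self, now):
        """Body and Cache-Control for the jwks endpoint; max-age never outlives the active key."""
        body = {"keys": [k.public_jwk for k in self.verification_keys(now)]}
        max_age = int(self.active(now).expires - now)
        return {"Cache-Control": f"public, max-age={max_age}"}, json.dumps(body)


def demo_key_maker():
    """Constructed stand-in for key generation: real code adds n/e (RSA) or crv/x/y (EC)."""
    counter = {"n": 0}

    def make():
        counter["n"] += 1
        kid = f"key-{counter['n']}"
        return kid, {"kid": kid, "kty": "RSA", "use": "sig"}
    return make
```

With a one-hour lifetime and ten-minute grace, a JWKS fetched at t=100s carries `max-age=3500`, and the first key disappears from both the document and the accepted set exactly at t=4200s.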