OIDCProviderSignedJwksUri and multiple verifier keys

[psteniusubi]

Hi Hans,

With signed jwks, the provider may rotate the key that is used for signing the jwks. Currently OIDCProviderSignedJwksUri and signed_jwks_uri_key parameters only accept a single verifier key. If the provider rotates the signing key then it's possible there is an interrupt in service availability.

I have created a change that adds the capability to specify the set of verifier keys as a JWKS. The change is fully backwards compatible, a single JWK parameter still works.

OIDCProviderSignedJwksUri <jwks_url> [<jwks> | <jwk>]

When using OIDCMetadataDir the property signed_jwks_uri_key also accepts either a jwks or jwk.

I'll create a PR if you agree.

[zandbelt]

looks good to me, thanks; please also update the docs for OIDCProviderSignedJwksUri in auth_openidc.conf, and the ChangeLog