Fetch key from JWKS URI if available

[stanhu]

In non-standard OpenID Connect providers, such as Azure B2C, discovery
does not work because the discovery URL does not match the issuer field.
If a JWKS URI is provided when discovery is disabled, we should make an
HTTP request for the keys and use the response.

Closes #72

This is part of the effort to upstream changes in the GitLab fork: https://gitlab.com/gitlab-org/ruby/gems/gitlab-omniauth-openid-connect/-/issues/5.

[stanhu]

@jessieay @bufferoverflow Could you review this?

[jessieay]

One question for you @stanhu

Also what do you think about adding docs on this / adding a note to CHANGELOG as part of this PR?

[jessieay]

Question: should there be an else option here that returns config.jwks?

Previous logic would return config.jwks if options.discovery but also fell back to config.jwks if key_or_secret were nil.

In addition to adding fetch_key, we are changing the fallback/default behavior here, which could have unintended / backward incompatible consequences.

What do you think?

[stanhu]

@jessieay It's a good question, but config always attempts to call out to the OpenID discovery URL, which should not happen if discovery is disabled.

[jessieay]

ah ok that makes sense @stanhu . In other words: the former default return value was problematic and what we are fixing 💯

[bufferoverflow]

@Azure Is this correct ? Azure B2C, discovery does not work because the discovery URL does not match the issuer field and therefore being non-standard OpenID Connect?

[stanhu]

@bufferoverflow FYI, the Azure non-compliance has been discussed in other issues:

1. https://github.com/MicrosoftDocs/azure-docs/issues/38427
2. Figure out a strategy for handling Azure coreos/go-oidc#344

[jessieay]

LGTM!