[keycloak-dev] Added rotation of public keys of external clients and identity providers
Marek Posolda
mposolda at redhat.com
Mon Oct 3 16:24:18 EDT 2016
OIDC dynamic profile needs to support ability to rotate public keys of
external clients.

In order to do this, I've added PublicKeyStorageProvider, which is used to
store external public keys of the OIDC clients (those clients which
require authentication by signed JWT) and OIDC identity providers (those
which require signature verification). There is just one implementation
of the SPI, based on a local Infinispan cache, to cache the computed public keys.

The advantages are:

- Improved performance: Previously, during client authentication with a
signed JWT (or during verification of a token signed by an OIDC
identity provider), the public keys were always computed from PEM. This
didn't have very good performance. Now we have a local Infinispan cache,
so the public keys are cached locally. The cache is set with eviction
and expiration, so the locally cached keys are expired from the cache in
case of inactive / deleted clients.

- Ability to dynamically download the keys if a token signed by an unknown
"kid" (Key ID) is found: Previously we supported that the public key (or
certificate) PEM of a particular client was always hardcoded in the Keycloak
database. This is still supported, so everything is backwards
compatible. However, we additionally support that a client or identity
provider can have "jwks_url" defined. In that case, public keys are
always downloaded dynamically from the given jwks_url when a token signed
by an unknown "kid" is found. In other words, whenever an external client
(or IdP) rotates its keys, Keycloak will dynamically download them and
update the storage.

There is a configurable limit (10 seconds by default), so that the client
won't try to download keys from "jwks_url" more than once in 10 seconds.
This is to avoid DoS, so when an evil client sends many requests with an unknown
"kid", Keycloak won't try to download keys from "jwks_url" for every
request.

Marek
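The behaviour described in the message above (a per-client public key cache keyed by "kid", a re-download from jwks_url only when an unknown kid shows up, and a minimum interval between downloads so that bogus kids cannot be used to hammer the jwks_url) modelled end to end, as an added example. This is not Keycloak's own code or its PublicKeyStorageProvider SPI (Keycloak is written in Java; this is a standalone Go model): the names KeyStorage, PublicJWKS and SignRS256 are hypothetical, the Fetch closure stands in for the HTTP GET of jwks_url, the Now closure is an injected clock so the 10-second limit can be exercised without sleeping, and the key sets, kids and claims are constructed for the demonstration. The external client side (publishing a JWKS and signing an RS256 JWT with a kid header) is included so the verifier side has realistic input.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// PublicJWKS renders the client's current keys as the JWKS document served at its jwks_url.
func PublicJWKS(keys map[string]*rsa.PrivateKey) []byte {
	set := map[string][]map[string]string{"keys": {}}
	for kid, k := range keys {
		n, e := b64.EncodeToString(k.N.Bytes()), b64.EncodeToString(big.NewInt(int64(k.E)).Bytes())
		set["keys"] = append(set["keys"], map[string]string{"kty": "RSA", "kid": kid, "n": n, "e": e})
	}
	out, _ := json.Marshal(set)
	return out
}

// SignRS256 is the client side: a compact JWS whose header names the signing kid.
func SignRS256(priv *rsa.PrivateKey, kid, claims string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString([]byte(claims))
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}

// KeyStorage is a hypothetical cache: lookup by kid, re-download on a miss, at most once per MinInterval.
type KeyStorage struct {
	Fetch       func() []byte    // stands in for an HTTP GET of jwks_url
	Now         func() time.Time // injected clock, so the limit is testable
	MinInterval time.Duration    // 10s in the default described in the post
	Downloads   int              // number of jwks_url fetches so far
	lastFetch   time.Time
	keys        map[string]*rsa.PublicKey
}

// Key returns the public key for kid; bogus kids cost at most one jwks_url download per MinInterval.
func (s *KeyStorage) Key(kid string) (*rsa.PublicKey, error) {
	if k, ok := s.keys[kid]; ok {
		return k, nil
	}
	if !s.lastFetch.IsZero() && s.Now().Sub(s.lastFetch) < s.MinInterval {
		return nil, fmt.Errorf("unknown kid %q and jwks_url refresh is rate-limited", kid)
	}
	s.lastFetch, s.Downloads = s.Now(), s.Downloads+1
	var set map[string][]map[string]string
	if err := json.Unmarshal(s.Fetch(), &set); err != nil {
		return nil, err
	}
	s.keys = map[string]*rsa.PublicKey{} // keys the client rotated out vanish here
	for _, k := range set["keys"] {
		n, errN := b64.DecodeString(k["n"])
		e, errE := b64.DecodeString(k["e"])
		if k["kty"] != "RSA" || k["kid"] == "" || errN != nil || errE != nil {
			continue // skip unusable entries instead of rejecting the whole set
		}
		s.keys[k["kid"]] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	if k, ok := s.keys[kid]; ok {
		return k, nil
	}
	return nil, fmt.Errorf("kid %q is not published at jwks_url", kid)
}

// VerifyRS256 checks a compact JWS against the cached key and returns its payload.
func (s *KeyStorage) VerifyRS256(token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	hdrRaw, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if errH != nil || errS != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed header or unsupported alg") // alg=none never reaches the key lookup
	}
	key, err := s.Key(hdr.Kid)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, h[:], sig); err != nil {
		return nil, err
	}
	return b64.DecodeString(parts[1])
}
```

Two points of the design are worth checking against the message: the counter Downloads is what the rate limit protects, so a loop of tokens with made-up kids inside MinInterval leaves it unchanged while each of those tokens is still rejected; and because the whole key map is replaced on every refresh, a key the client has rotated out is no longer accepted after the next download, which is the rotation semantics the post describes. The model leaves out what a real implementation needs on top: locking around the refresh, the per-client eviction and expiration mentioned in the message, a check that the alg the key is allowed to be used with matches the token, and a real HTTP client with timeouts for the jwks_url fetch.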