Allow a set of issuers during JWT verification

[danielbobbert]

Our (Quarkus) service needs to verify JWTs from different sources. We can handle the different keys using a JWKS, but mp.jwt.verify.issuer currently only allows to specify a single issuer.

It would be nice if mp.jwt.verify.issuer (or "mp.jwt.verify.issuers"?!) allowed to specify a comma-separated list of potential issuers (much like mp.jwt.verify.audiences), that would be passed as expectedIssuers to the JWTAuthContextInfo, such that builder.setExpectedIssuers(String...) could be used in DefaultJWTTokenParser (jose4j already supports a set of allowed issuers)

[sberyozkin]

@danielbobbert Supporting it declaratively falls into a multi-tenancy area, since each issuer may have its own MP JWT and smallrye-jwt configuration properties set related to the token verification. This bring the question of the tenant resolution.

JWKS with multiple keys is normal enough for a single issuer, multiple audiences is more about identifying token targets.

I think you can support it easily enough by creating issuer specific JwtParsers and pick up the right one in the code.