Update OAuth 2.0 Issuer-based Auto Configuration

[jzheaux]

Spring Security now supports deriving OAuth 2.0 configuration from multiple endpoint types.

Instead of calling:

ClientRegistrations.fromOidcIssuerLocation
// or 
JwtDecoders.fromOidcIssuerLocation
// or
ReactiveJwtDecoders.fromOidcIssuerLocation

Which only is aware of the OIDC Provider Configuration endpoint, Spring Boot could instead call:

ClientRegistrations.fromIssuerLocation
// or
JwtDecoders.fromIssuerLocation
// or
ReactiveJwtDecoders.fromIssuerLocation

which will first attempt the OIDC endpoint, and then try endpoints indicated in RFC 8414.

[mbhave]

@jzheaux Just to clarify, this would change the semantics of spring.security.oauth2.resourceserver.jwt.issuer-uri and spring.security.oauth2.client.provider.oidc-provider.issuer-uri. I don't think it should be a problem since it's done in a backward compatible way but this would mean the javadoc for these properties would need an update as well.

[jzheaux]

Thanks for double-checking, @mbhave. Yes, that sounds correct to me.

[mbhave]

Closing in favor of PR #17761.