
Investigate replacing bespoke OIDC discovery with an open source module

Problem to solve

By porting the authentication code from AI Gateway, our bespoke OIDC discovery has inherited some of its weaknesses. It could make sense to use a trustworthy third-party, open source alternative.

See https://gitlab.com/gitlab-org/secure/sast-scanner-service/-/merge_requests/5#note_2124184890

Proposal

Specific features to look out for:

  1. support for RS256
  2. handling of JWK JSON, either parsing to a key rsa.PublicKey or direct usage for JWT validation
  3. robust JWKS caching

Libraries to consider:

Edited by Jason Leasure