Previously, the server would fail to start up if provided with any OIDC identity providers whose OIDC discovery document or JWKS endpoint were unreachable. After this change, the server now starts up normally but logs a warning if it was unable to retrieve the JWKs for any configured identity provider. If a client later attempts to authenticate by presenting an access token issued by an identity provider the server couldn't retrieve keys for, the server makes another just-in-time attempt to refresh keys and logs another warning and fails authentication if key retrieval fails again. If the OIDC discovery endpoint and the JWKS endpoint come back online, then authentication will proceed normally.

Note that we are aiming to backport this change to 7.1.1 and 7.0.3, so all versions of the server supporting OIDC will eventually have this behavior. This is simply a behavioral change from 7.0.2 -> 7.0.3/7.1.1, and 7.1.0 -> 7.1.1/7.2.0.

Description of Linked Ticket

If the Issuer URI is invalid or unable to be resolved, the Server will fail to startup. However, during initial setup of a cluster, this can be confusing because the administrator might be attempting to configure many different things at once and attempting to debug them in parallel. These administrators want their servers to start.

We should try to eagerly fetch a JWKS for all provisioned IdPs at startup. However, if we are unable to acquire the JWKS, we should emit an error message and continue startup. When a misconfigured IdP is used, the server should issue a fresh Just-In-Time attempt to acquire its keys. If the configuration becomes valid, we may cache its keys normally. Otherwise, we should issue a warning on each authentication attempt which fails due to invalid discovery metadata.