If the Issuer URI is invalid or unable to be resolved, the Server will fail to startup. However, during initial setup of a cluster, this can be confusing because the administrator might be attempting to configure many different things at once and attempting to debug them in parallel. These administrators want their servers to start.

We should try to eagerly fetch a JWKS for all provisioned IdPs at startup. However, if we are unable to acquire the JWKS, we should emit an error message and continue startup. When a misconfigured IdP is used, the server should issue a fresh Just-In-Time attempt to acquire its keys. If the configuration becomes valid, we may cache its keys normally. Otherwise, we should issue a warning on each authentication attempt which fails due to invalid discovery metadata.