Authorization Server Metadata to enable discovery of JWT Assertion Grant

[aaronpk]

A given client currently as no mechanism to discover whether an AS supports oauth-id-jag+jwt JWT as a valid JWT bearer grant type (urn:ietf:params:oauth:grant-type:jwt-bearer)

(This was split off from #16 to focus on only the Resource App discovery question)

[yaron-zehavi]

Additionally, it would be helpful if an AS supporting the JWT bearer grant type would publish which JAG issuers it supports.

[mcguinness]

Additionally, it would be helpful if an AS supporting the JWT bearer grant type would publish which JAG issuers it supports.

A couple of challenges we have seen and don't have consensus yet on are:

• The list of trusted issuers for multi-tenant Resource Authorization Server (e.g https://as.saas.com) is quite large and needs a way to scope the resolution for it to be meaningful. For SSO this is solved with IdP discovery (e.g identifier first) or some apps may have a dedicated tenant URL for just SSO but share a common namespace for API Access.
• Just like IdP discovery this could be considered information disclosure and enables an attacker to learn what issuers to attack next

Unclear is requiring client authentication to discover trusted issuers would address any concerns as clients could also be multi-tenant but may be useful in helping with abuse